Path To Screensaver Binary Modified
Detects value modification of registry key containing path to binary used as screensaver.
Sigma rule

```yaml
title: Path To Screensaver Binary Modified
id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
status: test
description: Detects value modification of registry key containing path to binary used as screensaver.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
    - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
author: Bartlomiej Czyz @bczyz1, oscd.community
date: 2020-10-11
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.002
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
    filter:
        Image|endswith:
            - '\rundll32.exe'
            - '\explorer.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate modification of screensaver
level: medium
```
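To show what the rule actually matches, the following is an added example (not part of the Sigma rule or of SigmaHQ) that evaluates the `selection and not filter` logic in Python over a handful of constructed events shaped like Sysmon Event ID 13 (RegistryEvent, value set) records. The event field names `Image`, `TargetObject` and `Details` follow Sysmon's schema; the sample paths, SIDs and file names are made up. Note that Sigma string modifiers such as `endswith` match case-insensitively by default, so the helper lowercases both sides, which is why the lowercase `scrnsave.exe` event still fires.

```python
"""Evaluate the 'Path To Screensaver Binary Modified' Sigma logic over sample
Sysmon registry events. Added example, not code from the Sigma rule or SigmaHQ."""

# Constructed sample events in the shape of Sysmon Event ID 13 (RegistryEvent,
# value set), reduced to the fields the rule consults. Sysmon reports HKCU
# paths under HKU\<SID>, which is why the rule anchors on the suffix only.
SAMPLE_EVENTS = [
    {  # user picks a screensaver through the Control Panel applet: filtered
        "EventID": 13,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "TargetObject": r"HKU\S-1-5-21-1111\Control Panel\Desktop\SCRNSAVE.EXE",
        "Details": r"C:\Windows\System32\Bubbles.scr",
    },
    {  # explorer.exe writing the value: also filtered
        "EventID": 13,
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1111\Control Panel\Desktop\SCRNSAVE.EXE",
        "Details": r"C:\Windows\System32\Ribbons.scr",
    },
    {  # reg.exe pointing SCRNSAVE.EXE at a file in a user-writable directory: hit
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKU\S-1-5-21-1111\Control Panel\Desktop\SCRNSAVE.EXE",
        "Details": r"C:\Users\alice\AppData\Local\Temp\evil.scr",
    },
    {  # lowercase value name: Sigma matching is case-insensitive, so still a hit
        "EventID": 13,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKU\S-1-5-21-1111\Control Panel\Desktop\scrnsave.exe",
        "Details": r"C:\Users\alice\calc.scr",
    },
    {  # sibling value under the same key: not SCRNSAVE.EXE, no match
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKU\S-1-5-21-1111\Control Panel\Desktop\ScreenSaveActive",
        "Details": "1",
    },
]

# The rule's literals, copied from the YAML above.
SELECTION_SUFFIX = r"\Control Panel\Desktop\SCRNSAVE.EXE"
FILTER_IMAGE_SUFFIXES = (r"\rundll32.exe", r"\explorer.exe")


def endswith_ci(value, suffix):
    """Sigma's |endswith modifier compares case-insensitively by default."""
    return value.lower().endswith(suffix.lower())


def matches(event):
    """Return True when 'selection and not filter' holds for one event."""
    selection = endswith_ci(event.get("TargetObject", ""), SELECTION_SUFFIX)
    filtered = any(endswith_ci(event.get("Image", ""), s) for s in FILTER_IMAGE_SUFFIXES)
    return selection and not filtered


def run_rule(events):
    """Return (Image, Details) for each hit; Details holds the new screensaver path."""
    return [(e["Image"], e["Details"]) for e in events if matches(e)]


if __name__ == "__main__":
    for image, new_path in run_rule(SAMPLE_EVENTS):
        print(f"ALERT: {image} set SCRNSAVE.EXE -> {new_path}")
```

Two of the five constructed events fire: the `reg.exe` and `powershell.exe` writes. The filter is keyed on the writing process, so it is a noise reduction for the Control Panel path, not a trust boundary: a write performed from inside `rundll32.exe` or `explorer.exe` would be suppressed. When triaging a hit, the `Details` value (the new `.scr` path) is the pivot; a screensaver path outside `%SystemRoot%\System32` is the case the rule exists for.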