Path To Screensaver Binary Modified

Detects modification of the registry value that holds the path to the binary used as the screensaver.

Sigma rule

title: Path To Screensaver Binary Modified
id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
status: test
description: Detects value modification of registry key containing path to binary used as screensaver.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
    - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
author: Bartlomiej Czyz @bczyz1, oscd.community
date: 2020/10/11
modified: 2021/11/27
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1546.002
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
    filter:
        Image|endswith:
            - '\rundll32.exe'
            - '\explorer.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate modification of screensaver
level: medium
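The following is an added example, not part of the Sigma project or its tooling: a minimal Python evaluator that reproduces the rule's `endswith` semantics (case-insensitive, as Sigma string matching is by default) and its `selection and not filter` condition, then runs it over constructed Sysmon Event ID 13 (registry value set) records. The SIDs, user names and file paths in the sample events are made up.

```python
# Added example for this page: evaluates the rule above over constructed
# Sysmon registry events. Not code from the Sigma project.

SELECTION_TARGET_SUFFIX = r"\Control Panel\Desktop\SCRNSAVE.EXE"
FILTER_IMAGE_SUFFIXES = (r"\rundll32.exe", r"\explorer.exe")


def endswith_ci(value, suffix):
    """Sigma's endswith modifier: suffix match, case-insensitive by default."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event):
    """True when the event satisfies `selection and not filter`."""
    selection = endswith_ci(event.get("TargetObject", ""), SELECTION_TARGET_SUFFIX)
    filtered = any(endswith_ci(event.get("Image", ""), s) for s in FILTER_IMAGE_SUFFIXES)
    return selection and not filtered


# Constructed sample events using Sysmon field names (all values are made up).
# Sysmon records HKEY_CURRENT_USER paths under HKU\<SID>\..., which is why the
# rule only anchors on the suffix of TargetObject.
SID = r"HKU\S-1-5-21-1000-2000-3000-1001"
SAMPLE_EVENTS = [
    {   # unexpected process writing SCRNSAVE.EXE -> alerts
        "EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
        "TargetObject": SID + r"\Control Panel\Desktop\SCRNSAVE.EXE"},
    {   # user picking a screensaver through the Control Panel -> filtered
        "EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
        "TargetObject": SID + r"\Control Panel\Desktop\SCRNSAVE.EXE"},
    {   # same value name under a different key -> not selected
        "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": SID + r"\Software\Other\SCRNSAVE.EXE"},
    {   # mixed-case path: Sigma matching is case-insensitive, so it alerts
        "EventID": 13, "Image": r"C:\Tools\persist.exe",
        "TargetObject": SID + r"\control panel\desktop\scrnsave.exe"},
]


def run_rule(events=SAMPLE_EVENTS):
    """Apply the rule to each event and return the Image of every hit."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for image in run_rule():
        print("ALERT:", image)
```

Note that the filter is what keeps the rule at medium: any write to this value by rundll32.exe or explorer.exe is suppressed, so the rule's precision depends on the Image field being trustworthy.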
