ScreenSaver Registry Key Set

Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl

Sigma rule (View on GitHub)

 1title: ScreenSaver Registry Key Set
 2id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce
 3status: test
 4description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
 5references:
 6    - https://twitter.com/VakninHai/status/1517027824984547329
 7    - https://twitter.com/pabraeken/status/998627081360695297
 8    - https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
 9author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
10date: 2022/05/04
11modified: 2023/08/17
12tags:
13    - attack.defense_evasion
14    - attack.t1218.011
15logsource:
16    product: windows
17    category: registry_set
18detection:
19    selection:
20        Image|endswith: '\rundll32.exe'
21    registry:
22        TargetObject|contains: '\Control Panel\Desktop\SCRNSAVE.EXE'
23        Details|endswith: '.scr'
24    filter:
25        Details|contains:
26            - 'C:\Windows\System32\'
27            - 'C:\Windows\SysWOW64\'
28    condition: selection and registry and not filter
29falsepositives:
30    - Legitimate use of screen saver
31level: medium

References

Related rules

to-top