ScreenSaver Registry Key Set

Detects the SCRNSAVE.EXE registry value being set after a masqueraded .scr file is executed via Rundll32 through desk.cpl

Sigma rule

title: ScreenSaver Registry Key Set
id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce
status: experimental
description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
references:
    - https://twitter.com/VakninHai/status/1517027824984547329
    - https://twitter.com/pabraeken/status/998627081360695297
    - https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
date: 2022/05/04
modified: 2023/08/17
tags:
    - attack.defense_evasion
    - attack.t1218.011
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        Image|endswith: '\rundll32.exe'
    registry:
        TargetObject|contains: '\Control Panel\Desktop\SCRNSAVE.EXE'
        Details|endswith: '.scr'
    filter:
        Details|contains:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and registry and not filter
falsepositives:
    - Legitimate use of screen saver
level: medium
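As an added example (not part of the rule or the Sigma project), the Python below evaluates the rule's `selection`, `registry` and `filter` clauses against three constructed `registry_set` events, showing which one alerts and why the built-in System32 screen saver is filtered out. The event field names follow the Sigma log source; the SIDs, user paths and file names are constructed assumptions.

```python
"""Added example: apply the ScreenSaver Registry Key Set logic to sample events."""

# Constructed sample events shaped like Sysmon registry SetValue events
# (Image / TargetObject / Details), as Sigma's windows registry_set source exposes them.
SAMPLE_EVENTS = [
    {   # .scr outside System32 written by rundll32 -> should match
        "Image": r"C:\Windows\System32\rundll32.exe",
        "TargetObject": r"HKU\S-1-5-21-1111\Control Panel\Desktop\SCRNSAVE.EXE",
        "Details": r"C:\Users\alice\Downloads\update.scr",
    },
    {   # built-in screen saver chosen through the Control Panel -> filtered out
        "Image": r"C:\Windows\System32\rundll32.exe",
        "TargetObject": r"HKU\S-1-5-21-1111\Control Panel\Desktop\SCRNSAVE.EXE",
        "Details": r"C:\Windows\System32\Bubbles.scr",
    },
    {   # same value written by another process -> selection fails
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1111\Control Panel\Desktop\SCRNSAVE.EXE",
        "Details": r"C:\Users\alice\Downloads\update.scr",
    },
]

# Filter prefixes from the rule; Python raw strings cannot end in a backslash,
# so these are written with escaped backslashes.
FILTERED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def matches_rule(event: dict) -> bool:
    """Return True when `selection and registry and not filter` holds.

    Sigma string modifiers are case-insensitive by default, so everything
    is compared lower-cased.
    """
    image = event.get("Image", "").lower()
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()

    selection = image.endswith("\\rundll32.exe")
    registry = ("\\control panel\\desktop\\scrnsave.exe" in target
                and details.endswith(".scr"))
    filtered = any(prefix in details for prefix in FILTERED_PREFIXES)
    return selection and registry and not filtered


def alerting_events(events):
    """Return the screen saver path (Details) of every event the rule fires on."""
    return [e["Details"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for path in alerting_events(SAMPLE_EVENTS):
        print("ALERT: SCRNSAVE.EXE set to", path)
```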
