Detectionmediumtest
Suspicious ScreenSave Change by Reg.exe
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic5 selectors
detection:
selection_reg:
Image|endswith: '\reg.exe'
CommandLine|contains:
- 'HKEY_CURRENT_USER\Control Panel\Desktop'
- 'HKCU\Control Panel\Desktop'
selection_option_1: # /force Active ScreenSaveActive
CommandLine|contains|all:
- '/v ScreenSaveActive'
- '/t REG_SZ'
- '/d 1'
- '/f'
selection_option_2: # /force set ScreenSaveTimeout
CommandLine|contains|all:
- '/v ScreenSaveTimeout'
- '/t REG_SZ'
- '/d '
- '/f'
selection_option_3: # /force set ScreenSaverIsSecure
CommandLine|contains|all:
- '/v ScreenSaverIsSecure'
- '/t REG_SZ'
- '/d 0'
- '/f'
selection_option_4: # /force set a .scr
CommandLine|contains|all:
- '/v SCRNSAVE.EXE'
- '/t REG_SZ'
- '/d '
- '.scr'
- '/f'
condition: selection_reg and 1 of selection_option_*False Positives
GPO
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID
0fc35fc3-efe6-4898-8a37-0b233339524f
Status
test
Level
medium
Type
Detection
Created
Thu Aug 19
Modified
Thu Jun 02
Author
Path
rules/windows/process_creation/proc_creation_win_reg_screensaver.yml
Raw Tags
attack.persistenceattack.privilege-escalationattack.t1546.002