Type: Detection | Level: medium | Status: test
Path To Screensaver Binary Modified
Detects modification of the registry value that holds the path to the binary used as the screensaver.
Author: Bartlomiej Czyz, oscd.community
Created: Sun Oct 11
Updated: Sat Nov 27
Rule ID: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
Product: windows
Log Source
Windows / Registry Event
Product: Windows (raw: windows)
Category: Registry Event (raw: registry_event)
Events for Windows Registry modifications including key creation, modification, and deletion.
Detection Logic (2 selectors)
detection:
  selection:
    TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
  filter:
    Image|endswith:
      - '\rundll32.exe'
      - '\explorer.exe'
  condition: selection and not filter
False Positives
Legitimate modification of screensaver
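To show how the selection, the filter and the condition above combine, here is an added example (not code from the rule page or from oscd.community) that evaluates the rule over constructed registry-event records in the shape of Sysmon Event ID 13; the dictionary keys, sample paths and the minimal `endswith` matcher are assumptions made for the demo.

```python
# Added example (not from the rule page): evaluate this Sigma rule's
# selection, filter and condition over constructed registry-event records.
# Field names follow the Sigma registry_event log source; dict keys and
# sample values are assumptions built for the demo.

RULE_DETECTION = {
    "selection": {"TargetObject|endswith": r"\Control Panel\Desktop\SCRNSAVE.EXE"},
    "filter": {"Image|endswith": [r"\rundll32.exe", r"\explorer.exe"]},
}


def _field_matches(event: dict, spec: str, expected) -> bool:
    """Apply one 'field|modifier' spec (endswith only); Sigma string matching
    is case-insensitive and a list of values is an OR."""
    field, _, modifier = spec.partition("|")
    if modifier != "endswith":
        raise ValueError(f"unsupported modifier: {modifier!r}")
    value = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    return any(value.endswith(str(c).lower()) for c in candidates)


def _selector_matches(event: dict, selector: dict) -> bool:
    # Every field spec inside one selector must match (AND).
    return all(_field_matches(event, s, e) for s, e in selector.items())


def matches_rule(event: dict) -> bool:
    """condition: selection and not filter"""
    det = RULE_DETECTION
    return _selector_matches(event, det["selection"]) and not _selector_matches(event, det["filter"])


# Constructed samples shaped like Sysmon Event ID 13 (registry SetValue).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",  # user picking a screensaver: filtered out
     "TargetObject": r"HKU\S-1-5-21-1\Control Panel\Desktop\SCRNSAVE.EXE",
     "Details": r"C:\Windows\System32\Bubbles.scr"},
    {"Image": r"C:\Windows\System32\reg.exe",  # unusual writer: alerts
     "TargetObject": r"HKU\S-1-5-21-1\Control Panel\Desktop\SCRNSAVE.EXE",
     "Details": r"C:\Users\Public\updater.scr"},
    {"Image": r"C:\Windows\System32\reg.exe",  # different value: no match
     "TargetObject": r"HKU\S-1-5-21-1\Control Panel\Desktop\ScreenSaveTimeOut",
     "Details": "600"},
]


def alerting_events(events=SAMPLE_EVENTS) -> list:
    """Return the sample events that trigger the rule."""
    return [e for e in events if matches_rule(e)]
```

The explorer.exe write is the legitimate case the filter exists for; the same value written by any other process, including one that spells the value name in a different case, is what the rule reports.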
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
Status: test
Level: medium
Type: Detection
Created: Sun Oct 11
Modified: Sat Nov 27
Author: Bartlomiej Czyz, oscd.community
Path: rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml
Raw Tags: attack.persistence, attack.privilege-escalation, attack.t1546.002