Persistence via Screensaver

Detect persistence via screensaver when an attacker writes a payload path to the SCRNSAVE.EXE value under the Control Panel\Desktop registry key, while excluding writes made through the legitimate Screen Saver Settings dialog.

id:dd2eee76-9b44-479e-9860-435357e82db8
categories:detect
confidence:medium
os:windows
created:11/30/2018
updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Persistence
techniques:T1180 Screensaver

Query

registry where key_path == "*\\Control Panel\\Desktop\\SCRNSAVE.EXE"

  // Ignore when the screensaver is legitimately set via the dialog
  and not event of [ process where subtype.create
                      and process_path == "*\\system32\\rundll32.exe"
                      and parent_process_path == "*\\explorer.exe"
                      and command_line == "* shell32.dll,Control_RunDLL desk.cpl,ScreenSaver,*"
                    ]
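The following Python is an added worked example, not part of the original analytic or the EQL library: it models the query's logic over a handful of constructed events so the suppression can be seen working. The `event of [process where ...]` clause ties the registry write back to the process that performed it; this model assumes the join key is the process id (`pid`), and the event dictionaries, sample paths and SIDs are all made up for illustration.

```python
"""Model of the SCRNSAVE.EXE analytic: flag registry writes to the screensaver
value unless the writing process is the Control Panel dialog launched by explorer."""
from fnmatch import fnmatchcase

# Patterns copied from the EQL rule. EQL string matching is case-insensitive
# and '*' is the wildcard, which fnmatch reproduces once both sides are lowercased.
SCRNSAVE_KEY = "*\\Control Panel\\Desktop\\SCRNSAVE.EXE"
LEGIT_PROCESS = "*\\system32\\rundll32.exe"
LEGIT_PARENT = "*\\explorer.exe"
LEGIT_CMDLINE = "* shell32.dll,Control_RunDLL desk.cpl,ScreenSaver,*"


def match(value, pattern):
    """EQL-style wildcard comparison (case-insensitive, '*' matches anything)."""
    return fnmatchcase((value or "").lower(), pattern.lower())


def legit_screensaver_dialog(ev):
    """True for the process-creation event of the Screen Saver Settings dialog."""
    return (ev["event_type"] == "process" and ev.get("subtype") == "create"
            and match(ev.get("process_path"), LEGIT_PROCESS)
            and match(ev.get("parent_process_path"), LEGIT_PARENT)
            and match(ev.get("command_line"), LEGIT_CMDLINE))


def detect(events):
    """Return the registry events the rule would emit.

    'event of [process where ...]' scopes the registry write to its originating
    process; this model assumes that link is the pid shared by both events."""
    dialog_pids = {ev["pid"] for ev in events if legit_screensaver_dialog(ev)}
    return [ev for ev in events
            if ev["event_type"] == "registry"
            and match(ev.get("key_path"), SCRNSAVE_KEY)
            and ev["pid"] not in dialog_pids]


# Constructed sample telemetry (hypothetical pids, SID and file paths).
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
USER_KEY = "HKEY_USERS\\" + SID + "\\Control Panel\\Desktop\\SCRNSAVE.EXE"
POLICY_KEY = ("HKEY_USERS\\" + SID +
              "\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE")
DIALOG_CMD = ('"C:\\Windows\\system32\\rundll32.exe" shell32.dll,Control_RunDLL '
              'desk.cpl,ScreenSaver,@ScreenSaver')

SAMPLE_EVENTS = [
    # 1. User opens the dialog from explorer and picks a screensaver: suppressed.
    {"event_type": "process", "subtype": "create", "pid": 4100,
     "process_path": "C:\\Windows\\System32\\rundll32.exe",
     "parent_process_path": "C:\\Windows\\explorer.exe",
     "command_line": DIALOG_CMD},
    {"event_type": "registry", "pid": 4100, "key_path": USER_KEY,
     "value": "C:\\Windows\\system32\\Bubbles.scr"},
    # 2. PowerShell spawned from cmd sets the value to a dropped .scr: flagged,
    #    and the wildcard also catches the Group Policy variant of the value.
    {"event_type": "process", "subtype": "create", "pid": 5200,
     "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_process_path": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"event_type": "registry", "pid": 5200, "key_path": USER_KEY,
     "value": "C:\\Users\\Public\\update.scr"},
    {"event_type": "registry", "pid": 5200, "key_path": POLICY_KEY,
     "value": "C:\\Users\\Public\\update.scr"},
    # 3. Same rundll32 command line, but launched from cmd.exe rather than
    #    explorer.exe: the parent check keeps this one in scope.
    {"event_type": "process", "subtype": "create", "pid": 6300,
     "process_path": "C:\\Windows\\System32\\rundll32.exe",
     "parent_process_path": "C:\\Windows\\System32\\cmd.exe",
     "command_line": DIALOG_CMD},
    {"event_type": "registry", "pid": 6300, "key_path": USER_KEY,
     "value": "C:\\Users\\Public\\update.scr"},
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT pid=%d key=%s value=%s" % (hit["pid"], hit["key_path"], hit["value"]))
```

Running it produces three alerts (pids 5200, 5200 and 6300) and none for the explorer-launched dialog. The third sample is the case worth remembering: the exclusion is keyed on the parent being explorer.exe as well as on the command line, so an attacker replaying the `desk.cpl,ScreenSaver` command line from a shell is still reported.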

Contributors