CAR-2020-11-011: Registry Edit from Screensaver
Adversaries may use screensaver files to run malicious code. This analytic triggers on suspicious edits to the screensaver registry keys, which dictate which .scr file the screensaver runs.
ATT&CK Detections
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Event Triggered Execution | Screensaver | Persistence, Privilege Escalation | High |
D3FEND Techniques
| ID | Name |
|---|---|
| D3-USICA | User Session Init Config Analysis |
Data Model References
| Object | Action | Field |
|---|---|---|
| registry | edit | key |
| registry | add | key |
Implementations
Pseudocode - Screensaver (Pseudocode, CAR native)
This is a pseudocode representation of the below splunk search.
reg_events = search Registry:add or Registry:edit
scr_reg_events = filter processes where (
key="*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE" AND
output scr_reg_events
Splunk Search - Screensaver (Splunk, Sysmon native)
looks creations of edits of the SCRNSAVE.exe registry key
index=your_sysmon_index (EventCode=12 OR EventCode=13 OR EventCode=14) TargetObject="*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE"
LogPoint Search - Screensaver (Logpoint, LogPoint native)
looks creations of edits of the SCRNSAVE.exe registry key
norm_id=WindowsSysmon event_id IN [12, 13, 14] target_object="*\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE"