Adversaries may use screensaver files to run malicious code. This analytic triggers on suspicious edits to the screensaver registry keys, which dictate which .scr file the screensaver runs.

ATT&CK Detection

Technique                   Subtechnique(s)   Tactic(s)                           Level of Coverage
Event Triggered Execution   Screensaver       Persistence, Privilege Escalation   High

Data Model References

Object     Action   Field
registry   edit     key
registry   add      key

Implementations

Pseudocode - Screensaver (Pseudocode, CAR native)

This is a pseudocode representation of the Splunk search below.

reg_events = search Registry:add or Registry:edit
scr_reg_events = filter reg_events where (
  key = "*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE"
)
output scr_reg_events

Splunk Search - Screensaver (Splunk, Sysmon native)

Looks for creations of, or edits to, the SCRNSAVE.EXE registry key in Sysmon registry events.

index=your_sysmon_index (EventCode=12 OR EventCode=13 OR EventCode=14) TargetObject="*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE"
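As an added illustration, and not part of the CAR analytic or its Splunk search, the Python below applies the same filter (Sysmon EventCode 12, 13 or 14 with a TargetObject ending in ...\Control Panel\Desktop\SCRNSAVE.EXE) to a handful of constructed Sysmon registry events so the match logic can be exercised offline. It goes slightly beyond the page in two ways that are assumptions of this example rather than part of the analytic: it also matches the per-user value under HKCU\Control Panel\Desktop\SCRNSAVE.EXE that ATT&CK T1546.002 lists, and it adds a simple triage flag for a configured .scr path that sits outside the Windows directory. All event data, host names, SIDs and paths are constructed.

```python
import fnmatch
from typing import Dict, Iterable, List

# Registry values that select the .scr file the screensaver runs.
# The first pattern is the Group Policy value the CAR analytic searches for.
# The second is the per-user value that ATT&CK T1546.002 lists; including it
# is an addition of this example, not part of the analytic's own search.
SCREENSAVER_KEY_PATTERNS = (
    r"*\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE",
    r"*\Control Panel\Desktop\SCRNSAVE.EXE",
)

# Sysmon registry events: 12 = key/value create or delete, 13 = value set,
# 14 = key/value rename. These are the EventCodes in the Splunk search.
REGISTRY_EVENT_CODES = {12, 13, 14}


def is_screensaver_key(target_object: str) -> bool:
    """True when a Sysmon TargetObject names a SCRNSAVE.EXE value.

    Matching is case-insensitive: registry paths are case-insensitive and
    different hosts log them with different casing.
    """
    lowered = target_object.lower()
    return any(fnmatch.fnmatchcase(lowered, pat.lower())
               for pat in SCREENSAVER_KEY_PATTERNS)


def scr_outside_windows_dir(details: str) -> bool:
    """Triage heuristic (assumption of this example, not from the analytic):
    a screensaver path outside C:\\Windows\\ is worth a closer look, since the
    stock .scr files live under System32."""
    return bool(details) and not details.lower().startswith("c:\\windows\\")


def find_screensaver_edits(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the analytic's filter to Sysmon events given as field dicts."""
    hits = []
    for ev in events:
        try:
            code = int(ev.get("EventCode", -1))
        except ValueError:
            continue
        if code not in REGISTRY_EVENT_CODES:
            continue
        target = ev.get("TargetObject", "")
        if not is_screensaver_key(target):
            continue
        details = ev.get("Details", "")
        hits.append({
            "Computer": ev.get("Computer", ""),
            "User": ev.get("User", ""),
            "Image": ev.get("Image", ""),
            "EventType": ev.get("EventType", ""),
            "TargetObject": target,
            "Details": details,
            "ScrOutsideWindowsDir": scr_outside_windows_dir(details),
        })
    return hits


# Constructed sample events mirroring Sysmon field names (not real telemetry).
_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    # Policy value set to a .scr in a world-writable directory: should match.
    {"EventCode": "13", "EventType": "SetValue", "Computer": "ws01.example.local",
     "User": "EXAMPLE\\alice", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\" + _SID + "\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE",
     "Details": "C:\\Users\\Public\\update.scr"},
    # Screensaver timeout change on the same key path: not SCRNSAVE.EXE, no match.
    {"EventCode": "13", "EventType": "SetValue", "Computer": "ws01.example.local",
     "User": "EXAMPLE\\alice", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\" + _SID + "\\Control Panel\\Desktop\\ScreenSaveTimeOut",
     "Details": "DWORD (0x00000258)"},
    # Per-user value pointing at a stock screensaver: matches only the extended pattern.
    {"EventCode": "13", "EventType": "SetValue", "Computer": "ws01.example.local",
     "User": "EXAMPLE\\alice", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\" + _SID + "\\Control Panel\\Desktop\\SCRNSAVE.EXE",
     "Details": "C:\\Windows\\System32\\Bubbles.scr"},
    # Machine-wide policy value deleted (event 12): still a change to the key, matches.
    {"EventCode": "12", "EventType": "DeleteValue", "Computer": "ws01.example.local",
     "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE"},
    # Process-creation event: not a registry event, skipped.
    {"EventCode": "1", "Image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_screensaver_edits(SAMPLE_EVENTS):
        print(hit)
```

Run on the constructed events, the function returns three hits: the policy value set by reg.exe (flagged because the .scr is under C:\Users\Public), the per-user value pointing at a stock screensaver (matched only because of the extended pattern, not flagged), and the deletion of the machine-wide policy value. The timeout change and the process-creation event are dropped, which mirrors what the Splunk search's EventCode and TargetObject filters do.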