Adversaries may use screensaver files to run malicious code. This analytic triggers on suspicious edits to the screensaver registry keys, which dictate which .scr file the screensaver runs.

ATT&CK Detection

Technique                 | Subtechnique(s) | Tactic(s)                         | Level of Coverage
Event Triggered Execution | Screensaver     | Persistence, Privilege Escalation | High

Data Model References

Object   | Action | Field
registry | edit   | key
registry | add    | key

Applicable Sensors

Implementations

Pseudocode - Screensaver (Pseudocode, CAR native)

This is a pseudocode representation of the Splunk search below.

reg_events = search Registry:add or Registry:edit
scr_reg_events = filter reg_events where (
  key="*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE"
)
output scr_reg_events

Splunk Search - Screensaver (Splunk, Sysmon native)

Looks for creations or edits of the SCRNSAVE.EXE registry key.

index=your_sysmon_index (EventCode=12 OR EventCode=13 OR EventCode=14) TargetObject="*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE"

LogPoint Search - Screensaver (Logpoint, LogPoint native)

Looks for creations or edits of the SCRNSAVE.EXE registry key.

norm_id=WindowsSysmon event_id IN [12, 13, 14] target_object="*\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE"
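The pseudocode, Splunk and LogPoint searches above all express one rule: a Sysmon registry event (12, 13 or 14) whose target object ends in the policy-controlled SCRNSAVE.EXE value. The following is an added example, not part of the CAR analytic or any vendor's code, that applies that rule to a handful of constructed Sysmon-style records so the matching (wildcard hive prefix, case-insensitive comparison, event-ID filter) can be checked offline. The SysmonEvent fields, the sample SIDs, file paths and images are all assumptions made up for the example.

```python
import fnmatch
from dataclasses import dataclass

# Sysmon registry event IDs referenced by the searches above:
# 12 = registry object (key or value) created or deleted
# 13 = registry value set
# 14 = registry key or value renamed
REGISTRY_EVENT_IDS = {12, 13, 14}

# Wildcard pattern taken from the Splunk search; the leading "*" matches
# any hive prefix, e.g. HKLM or HKU\<SID>, which is why both per-user and
# machine-wide policy writes are caught.
SCRNSAVE_PATTERN = (
    r"*\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE"
)


@dataclass
class SysmonEvent:
    """Minimal subset of a Sysmon event (field names are assumptions)."""
    event_id: int
    target_object: str   # registry path, empty for non-registry events
    image: str           # process that performed the write
    details: str         # new value data for event 13, else empty


def matches_screensaver_rule(event: SysmonEvent, pattern: str = SCRNSAVE_PATTERN) -> bool:
    """True when the event is a registry add/edit/rename of the SCRNSAVE.EXE policy value."""
    if event.event_id not in REGISTRY_EVENT_IDS:
        return False
    # Splunk and LogPoint compare TargetObject case-insensitively; casefold both
    # sides and use fnmatchcase so behaviour does not depend on the host OS.
    return fnmatch.fnmatchcase(event.target_object.casefold(), pattern.casefold())


def find_screensaver_edits(events):
    """Return (event, screensaver_path) pairs for every hit, for analyst triage."""
    hits = []
    for ev in events:
        if matches_screensaver_rule(ev):
            # For event 13 the Details field carries the .scr path that will run.
            hits.append((ev, ev.details or "<no value data>"))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Per-user policy value set by reg.exe: matches.
    SysmonEvent(13,
                r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Policies\Microsoft"
                r"\Windows\Control Panel\Desktop\SCRNSAVE.EXE",
                r"C:\Windows\System32\reg.exe",
                r"C:\Users\Public\update.scr"),
    # Machine-wide policy value written during Group Policy processing: also
    # matches (different case in the hive path), so the analyst must triage
    # Image and Details rather than treat every hit as malicious.
    SysmonEvent(13,
                r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Control Panel"
                r"\Desktop\SCRNSAVE.EXE",
                r"C:\Windows\System32\svchost.exe",
                r"C:\Windows\System32\scrnsave.scr"),
    # Unrelated screensaver setting outside the Policies path: no match.
    SysmonEvent(13,
                r"HKU\S-1-5-21-1111-2222-3333-1001\Control Panel\Desktop\ScreenSaveTimeOut",
                r"C:\Windows\explorer.exe",
                "600"),
    # Process-creation event: wrong event ID, no match.
    SysmonEvent(1, "", r"C:\Windows\System32\notepad.exe", ""),
]


if __name__ == "__main__":
    for ev, scr in find_screensaver_edits(SAMPLE_EVENTS):
        print(f"event {ev.event_id}: {ev.image} set {ev.target_object} -> {scr}")
```

The second sample illustrates the main caveat of the rule: legitimate Group Policy application writes the same value, so the search is a high-coverage trigger whose hits still need triage on the writing process and on where the configured .scr file lives. The rule also only fires if the Sysmon configuration actually records registry events for this path; a configuration that excludes Policies keys will produce no events for any of these searches to find.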