Persistence via Screensaver
Detects screensaver persistence: an attacker writes the path of a payload to the SCRNSAVE.EXE value under the user's Control Panel\Desktop registry key, so that the payload is executed whenever the screensaver activates. Writes made by the Control Panel screensaver dialog itself are excluded.
| id | dd2eee76-9b44-479e-9860-435357e82db8 |
|---|---|
| categories | detect |
| confidence | medium |
| os | windows |
| created | 11/30/2018 |
| updated | 11/30/2018 |
MITRE ATT&CK™ Mapping
| tactics | Persistence |
|---|---|
| techniques | T1180 Screensaver |
Query
registry where registry_path == "*\\Control Panel\\Desktop\\SCRNSAVE.EXE"
// Ignore when the screensaver is legitimately set via the dialog
and not event of [ process where subtype.create
and process_path == "*\\system32\\rundll32.exe"
and parent_process_path == "*\\explorer.exe"
and command_line == "* shell32.dll,Control_RunDLL desk.cpl,ScreenSaver,*"
]
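To show what the query above actually selects, here is an added example (not code from the EQL Analytics Library) that re-implements its logic in plain Python and runs it over a handful of constructed events. The event schema (flat dicts with `event_type`, `pid`, `process_path`, `registry_path`, and so on) and the way `event of [...]` is approximated by correlating on `pid` are assumptions for this illustration; the real EQL engine correlates on process identity internally.

```python
"""Hand-written approximation of the Screensaver persistence query.

Added example, not part of the EQL Analytics Library. The event schema and the
sample records are constructed; matching `event of [process where ...]` by pid
is an assumption that stands in for EQL's own process correlation.
"""
from fnmatch import fnmatchcase

# Constructed sample events (assumed schema: one flat dict per event).
EVENTS = [
    # 1. An interactive user picks a screensaver in the Control Panel dialog.
    {"event_type": "process", "subtype": "create", "pid": 1001, "ppid": 600,
     "process_path": r"C:\Windows\System32\rundll32.exe",
     "parent_process_path": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,ScreenSaver,@screensaver'},
    {"event_type": "registry", "pid": 1001,
     "registry_path": r"HKEY_USERS\S-1-5-21-1\Control Panel\Desktop\SCRNSAVE.EXE",
     "registry_value": r"C:\Windows\System32\Bubbles.scr"},
    # 2. A payload sets the same value with reg.exe spawned from a shell.
    {"event_type": "process", "subtype": "create", "pid": 2002, "ppid": 1500,
     "process_path": r"C:\Windows\System32\reg.exe",
     "parent_process_path": r"C:\Windows\System32\cmd.exe",
     "command_line": r'reg add "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE /d C:\Users\Public\update.scr /f'},
    {"event_type": "registry", "pid": 2002,
     "registry_path": r"HKEY_USERS\S-1-5-21-1\Control Panel\Desktop\SCRNSAVE.EXE",
     "registry_value": r"C:\Users\Public\update.scr"},
    # 3. Another value under the same key; not SCRNSAVE.EXE, so never a match.
    {"event_type": "registry", "pid": 2002,
     "registry_path": r"HKEY_USERS\S-1-5-21-1\Control Panel\Desktop\ScreenSaveTimeOut",
     "registry_value": "60"},
]


def _like(value, pattern):
    """EQL-style string compare: case-insensitive, '*' matches any run."""
    return fnmatchcase((value or "").lower(), pattern.lower())


def is_screensaver_dialog(proc):
    """The process-creation pattern the query excludes (Control Panel dialog)."""
    return (proc.get("event_type") == "process"
            and proc.get("subtype") == "create"
            and _like(proc.get("process_path"), r"*\system32\rundll32.exe")
            and _like(proc.get("parent_process_path"), r"*\explorer.exe")
            and _like(proc.get("command_line"),
                      "* shell32.dll,Control_RunDLL desk.cpl,ScreenSaver,*"))


def find_screensaver_persistence(events):
    """Return the registry events the query would report."""
    # `event of [process where ...]` ties a registry write to the process that
    # made it; here that link is approximated by pid (constructed schema).
    dialog_pids = {e["pid"] for e in events if is_screensaver_dialog(e)}
    hits = []
    for e in events:
        if e.get("event_type") != "registry":
            continue
        if not _like(e.get("registry_path"),
                     r"*\Control Panel\Desktop\SCRNSAVE.EXE"):
            continue
        if e["pid"] in dialog_pids:
            continue  # legitimately set through the dialog; suppressed
        hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in find_screensaver_persistence(EVENTS):
        print("pid", hit["pid"], "set SCRNSAVE.EXE to", hit["registry_value"])
```

Only the `reg.exe` write (pid 2002) is reported; the dialog's own write is suppressed because the process that made it matches the exclusion. Note what the exclusion trusts: process path, parent path, and command line. A process that can launch `rundll32.exe` with that exact command line from `explorer.exe` and drive the dialog, or that writes the value from within an injected `explorer.exe`, would not look like the attacker event above, so the suppression is a false-positive filter, not a guarantee.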