Path To Screensaver Binary Modified

Sigma Rules

Summary
This detection rule identifies modifications to the Windows registry key that stores the path to the screensaver executable. It specifically looks for changes to the `SCRNSAVE.EXE` key, typically located under `HKEY_CURRENT_USER\Control Panel\Desktop`. The selection criteria require that the target object (the registry key) ends with `\SCRNSAVE.EXE`. A filter then excludes modifications made by common, legitimate processes such as `rundll32.exe` and `explorer.exe`, which would otherwise generate noise and false positives. The alert condition is met when the selected registry key is modified by a process not covered by that filter. Because this setting controls which binary runs as the screensaver, the rule is most relevant where adversaries attempt to establish persistence or escalate privileges through unauthorized changes to system settings, screensaver configuration included. It helps ensure administrators are made aware of potentially malicious modifications to screensaver-related registry settings.
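Added example (not the page's rule and not the rule's own source): a minimal Python evaluator of the selection and filter described above, run over constructed Sysmon-style registry-set events. Field names `Image` and `TargetObject` follow the Sigma registry event convention; the SID, paths and processes in the sample are made up.

```python
# Constructed sample events in the shape of Sysmon Event ID 13 (RegistryEvent: Value Set)
# after log normalisation. None of these are real telemetry.
SAMPLE_EVENTS = [
    # Benign: the Control Panel applet (rundll32) writing a built-in screensaver path.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Control Panel\Desktop\SCRNSAVE.EXE",
     "Details": r"C:\Windows\System32\Bubbles.scr"},
    # Benign: explorer.exe writing the same value (mixed case to show case-insensitive matching).
    {"Image": r"C:\Windows\Explorer.EXE",
     "TargetObject": r"HKCU\Control Panel\Desktop\ScrnSave.exe",
     "Details": r"C:\Windows\System32\Ribbons.scr"},
    # Suspicious: a scripting host pointing the screensaver at a user-writable location.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKCU\Control Panel\Desktop\SCRNSAVE.EXE",
     "Details": r"C:\Users\Public\update.scr"},
    # Not selected: a different value under the same key, whatever the writing process.
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKCU\Control Panel\Desktop\ScreenSaveTimeOut",
     "Details": "600"},
]

# Processes the rule's filter treats as legitimate writers of this value.
FILTERED_IMAGES = (r"\rundll32.exe", r"\explorer.exe")


def is_selected(event):
    """Selection: the modified object ends with \\SCRNSAVE.EXE.
    Sigma string modifiers compare case-insensitively, so both sides are lowered."""
    return event.get("TargetObject", "").lower().endswith(r"\scrnsave.exe")


def is_filtered(event):
    """Filter: the writing process is one of the expected legitimate images."""
    image = event.get("Image", "").lower()
    return any(image.endswith(suffix) for suffix in FILTERED_IMAGES)


def matches_rule(event):
    """Condition: selection and not filter."""
    return is_selected(event) and not is_filtered(event)


def run_detection(events):
    """Return the events that would raise the alert; the Details field (the new
    screensaver path) is what an analyst triages first, since the rule itself
    matches only on the registry object, not on the value written."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} set {hit['TargetObject']} -> {hit['Details']}")
```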
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1546.002
Created: 2020-10-11