← Library
sigmaDRL-1.1from SigmaHQ/sigma

Suspicious Screensaver Binary File Creation

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension

Quality
82
FP risk
Forks
0
Views
0
ATT&CK techniques
T1546.002
Rule sourcerules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
title: Suspicious Screensaver Binary File Creation
id: 97aa2e88-555c-450d-85a6-229bcd87efb8
status: test
description: |
    Adversaries may establish persistence by executing malicious content triggered by user inactivity.
    Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
author: frack113
date: 2021-12-29
modified: 2022-11-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.scr'
    filter_generic:
        Image|endswith:
            - '\Kindle.exe'
            - '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection
    filter_tiworker:
        # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
        Image|endswith: '\TiWorker.exe'
        TargetFilename|endswith: '\uwfservicingscr.scr'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium