Find sigma rule 
Attack: Event Triggered Execution: Screensaver
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.
The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:
-
SCRNSAVE.exe- set to malicious PE path -
ScreenSaveActive- set to ‘1’ to enable the screensaver -
ScreenSaverIsSecure- set to ‘0’ to not require a password to unlock -
ScreenSaveTimeout- sets user inactivity timeout before screensaver is executed
Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)
MITRE
Tactic
- privilege-escalation
- persistence
technique
- T1546.002
Test : Set Arbitrary Binary as Screensaver
OS
- windows
Description:
This test copies a binary into the Windows System32 folder and sets it as the screensaver so it will execute for persistence. Requires a reboot and logon.
Executor
command_prompt
Sigma Rule
-
proc_creation_win_susp_copy_system_dir.yml (id: fff9d2b7-e11c-4a69-93d3-40ef66189767)
-
file_event_win_creation_scr_binary_file.yml (id: 97aa2e88-555c-450d-85a6-229bcd87efb8)
-
proc_creation_win_reg_screensaver.yml (id: 0fc35fc3-efe6-4898-8a37-0b233339524f)