persist via screensaver registry key

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: persist via screensaver registry key
    namespace: persistence/screensaver
    authors:
      - michael.hunhoff@mandiant.com
    description: SCRNSAVE.EXE registry value specifies the name of the screen saver executable file
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Persistence::Event Triggered Execution::Screensaver [T1546.002]
  features:
    - and:
      - match: set registry value
      - string: /Control Panel\\Desktop/i
      - string: /^SCRNSAVE.EXE$/i
      - optional:
        - string: "ScreenSaveTimeOut"

last edited: 2024-12-09 09:51:47