reference screen saver executable

rule:
  meta:
    name: reference screen saver executable
    namespace: persistence/screensaver
    authors:
      - michael.hunhoff@mandiant.com
    description: SCRNSAVE.EXE registry value specifies the name of the screen saver executable file
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Persistence::Event Triggered Execution::Screensaver [T1546.002]
  features:
    - and:
      - string: "SCRNSAVE.EXE"
      - optional:
        - string: "ScreenSaveTimeOut"
        - string: "Control Panel\\Desktop"
        - match: set registry value