Unusual screensaver (.scr) executions correlated with recent registry modifications to HKCU\Control Panel\Desktop values such as SCRNSAVE.exe, ScreenSaveTimeout, and ScreenSaveActive. Detection focuses on .scr image paths that are not consistent with known legitimate screensavers and on launches triggered after the user inactivity timeout.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |

| Field | Description |
|---|---|
| TimeWindow | Adjust the user inactivity threshold that defines 'screensaver trigger window'; shorter timeouts may increase sensitivity. |
| SuspiciousPathRegex | Allow tuning based on expected paths for legitimate .scr files vs suspicious locations (e.g., user temp directories). |
| ParentProcessAllowList | Allowlisting known legitimate initiators of .scr files (e.g., user32.dll context) to reduce false positives. |
| RegistryEditorProcessName | Monitor for registry modification performed by unusual processes (e.g., powershell.exe, reg.exe). |
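The correlation described above, written out as an added example (not code from the ATT&CK page or any detection product): a small Python routine that joins Security 4688 process-creation events for `.scr` images to Sysmon EventCode 13 value-set events on the screensaver values, using the four tunables from the table. The sample events, the tunable values (15-minute window, temp/download paths as suspicious, `winlogon.exe` as the allowlisted initiator, `reg.exe`/`powershell.exe`/`cmd.exe`/`wscript.exe` as unusual registry editors) and the user SID are all constructed assumptions. One practical caveat is built in: Sysmon logs HKCU values under `HKU\<SID>\Control Panel\Desktop\...`, so a match on the literal `HKCU` prefix alone would miss them.

```python
"""Added example (not from the ATT&CK page): correlate .scr launches
(Security EventCode 4688) with recent screensaver registry changes
(Sysmon EventCode 13) over constructed sample events."""
import re
from datetime import datetime, timedelta

# Tunables named after the page's parameters; the values are assumptions.
TIME_WINDOW = timedelta(minutes=15)                      # TimeWindow
SUSPICIOUS_PATH_REGEX = re.compile(                      # SuspiciousPathRegex
    r"\\(AppData\\Local\\Temp|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)
PARENT_PROCESS_ALLOW_LIST = {"winlogon.exe"}             # ParentProcessAllowList
REGISTRY_EDITOR_PROCESS_NAMES = {                        # RegistryEditorProcessName
    "powershell.exe", "reg.exe", "cmd.exe", "wscript.exe"}

# Sysmon records HKCU values under HKU\<user SID>\...; accept both spellings.
DESKTOP_VALUE_RE = re.compile(
    r"^(?:HKCU|HKU\\[^\\]+)\\Control Panel\\Desktop\\"
    r"(SCRNSAVE\.EXE|ScreenSaveTimeout|ScreenSaveActive)$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_screensaver_value_change(event: dict) -> bool:
    return event["EventCode"] == 13 and DESKTOP_VALUE_RE.match(event["TargetObject"]) is not None


def is_scr_execution(event: dict) -> bool:
    return event["EventCode"] == 4688 and event["NewProcessName"].lower().endswith(".scr")


def correlate(events: list, window: timedelta = TIME_WINDOW) -> list:
    """Return one alert per .scr launch that follows a screensaver value change."""
    reg_changes = [e for e in events if is_screensaver_value_change(e)]
    alerts = []
    for proc in filter(is_scr_execution, events):
        image = proc["NewProcessName"]
        parent = basename(proc["ParentProcessName"])
        suspicious_path = SUSPICIOUS_PATH_REGEX.search(image) is not None
        # A known initiator starting a .scr from an expected location is baseline.
        if parent in PARENT_PROCESS_ALLOW_LIST and not suspicious_path:
            continue
        # Only registry changes inside the window *before* the launch count.
        recent = [r for r in reg_changes
                  if timedelta(0) <= proc["ts"] - r["ts"] <= window]
        if not recent:
            continue
        editors = {basename(r["Image"]) for r in recent}
        alerts.append({
            "ts": proc["ts"],
            "image": image,
            "parent": parent,
            "suspicious_path": suspicious_path,
            "registry_values": sorted(
                DESKTOP_VALUE_RE.match(r["TargetObject"]).group(1) for r in recent),
            "registry_editors": sorted(editors),
            # Scripting/CLI editors of the screensaver values raise the severity.
            "severity": "high" if editors & REGISTRY_EDITOR_PROCESS_NAMES else "medium",
        })
    return alerts


# Constructed sample events (fake SID, fake user, fake timestamps).
T0 = datetime(2024, 1, 1, 12, 0, 0)
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    # Sysmon 13: reg.exe points SCRNSAVE.EXE at a .scr in the user's temp directory
    {"ts": T0, "EventCode": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Control Panel\Desktop\SCRNSAVE.EXE",
     "Details": r"C:\Users\alice\AppData\Local\Temp\update.scr"},
    # Sysmon 13: the same tool shortens the inactivity timeout
    {"ts": T0 + timedelta(seconds=2), "EventCode": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Control Panel\Desktop\ScreenSaveTimeout",
     "Details": "DWORD (0x0000003c)"},
    # 4688: the .scr starts after the timeout, parented by winlogon.exe
    {"ts": T0 + timedelta(minutes=2), "EventCode": 4688,
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\update.scr",
     "ParentProcessName": r"C:\Windows\System32\winlogon.exe"},
    # Benign noise: a built-in screensaver from System32, no related registry change
    {"ts": T0 + timedelta(hours=3), "EventCode": 4688,
     "NewProcessName": r"C:\Windows\System32\Bubbles.scr",
     "ParentProcessName": r"C:\Windows\System32\winlogon.exe"},
    # Benign noise: a Desktop value that is not a screensaver setting
    {"ts": T0 + timedelta(hours=2, minutes=55), "EventCode": 13,
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": SID + r"\Control Panel\Desktop\Wallpaper",
     "Details": r"C:\Users\alice\Pictures\beach.jpg"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the sample produces a single high-severity alert for `update.scr`, naming `reg.exe` as the editor of `SCRNSAVE.EXE` and `ScreenSaveTimeout`; the System32 screensaver and the wallpaper change are tuned out by the allowlist and the value filter respectively. Shortening `window` below the two-minute gap between the registry change and the launch drops the alert, which is the TimeWindow trade-off the parameter table describes.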