|T1546.001||Change Default File Association|
|T1546.003||Windows Management Instrumentation Event Subscription|
|T1546.004||Unix Shell Configuration Modification|
|T1546.007||Netsh Helper DLL|
|T1546.012||Image File Execution Options Injection|
|T1546.015||Component Object Model Hijacking|
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in
C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.
The following screensaver settings are stored in the Registry (
HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:
SCRNSAVE.exe- set to malicious PE path
ScreenSaveActive- set to '1' to enable the screensaver
ScreenSaverIsSecure- set to '0' to not require a password to unlock
ScreenSaveTimeout- sets user inactivity timeout before screensaver is executed
Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.
|M1042||Disable or Remove Feature or Program||
Use Group Policy to disable screensavers if they are unnecessary.
Block .scr files from being executed from non-standard locations.
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments of .scr files.
Analytic 1 - Modify the HKCU\Control Panel\Desktop registry key
Monitor newly constructed files that may establish persistence by executing malicious content triggered by user inactivity.
Analytic 1 - Created on disk that are being used as Screensaver files
new_files = filter ProcessFilePath, UserName, FileName where event_id == "11"
suspicious_files = filter k.ProcessGuid, k.ProcessFilePath, k.UserName, k.RegistryKeypath, k.RegistryKeyValueData FROM screensaver_key_modification kINNER JOIN new_files fON k.RegistryKeyValueData = f.FileName
Monitor for changes made to files that may establish persistence by executing malicious content triggered by user inactivity.
Note: Although there are no standard events for file modification, Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted accesses of screensaver files (typically ending in a file extension of .scr).
Monitor newly executed processes that may establish persistence by executing malicious content triggered by user inactivity.
Analytic 1 : New processes whose image files are being used as Screensaver files and make an outbound network connection to unknown IP address
new_network_connections = filter ProcessFilePath, DestinationIpFROM NetworkConnectionDataWHERE event_id == "3"
screensaver_key_modification = filter ProcessGuid, ProcessFilePath, UserName, RegistryKeyPath, RegistryKeyValueData FROM KeyModificationDataWHERE event_id == "13" AND RegistryKeyPath LIKE '%Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE%'
screensaver_processes = filter p.ProcessGuid, p.ProcessFilePath, p.UserNameFROM new_processes pINNER JOIN screensaver_key_modification kON p.ProcessFilePath = k.RegistryKeyValueData
suspicious_processes = filter p.ProcessGuid, p.ProcessFilePath, p.UserName, n.DestinationIpFROM new_network_connections nINNER JOIN screensaver_processes pON p.ProcessFilePath = n.ProcessFilePathWHERE n.DestinationIP NOT IN ('KnownIp01','KnownIp02')
|DS0024||Windows Registry||Windows Registry Key Modification||
Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior. Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Default screen saver files are stored in C:\Windows\System32. Use these files as a reference when defining list of not suspicious screen saver files.
Analytic 1 : Registry Edit from Screensaver