Merge pull request SigmaHQ#2982 from jstnk9/master

Create registry_set_scr_file_executed_by_rundll32.yml
gholdzhang · May 12, 2022 · 8692140 · 8692140
2 parents 9e21814 + cf97512
commit 8692140
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
@@ -0,0 +1,32 @@
+title: ScreenSaver Registry Key Set
+id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce
+description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
+status: experimental
+date: 2022/05/04
+modified: 2022/05/04
+author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
+references:
+    - https://twitter.com/VakninHai/status/1517027824984547329
+    - https://twitter.com/pabraeken/status/998627081360695297
+    - https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
+logsource:
+    product: windows
+    category: registry_set
+detection:
+    selection:
+        EventType: SetValue
+        Image|endswith: '\rundll32.exe'
+    registry:
+        TargetObject|contains: '\Control Panel\Desktop\SCRNSAVE.EXE'
+        Details|endswith: '.scr'
+    filter:
+        Details|contains: 
+        - 'C:\Windows\System32\'
+        - 'C:\Windows\SysWOW64\'
+    condition: selection and registry and not filter
+falsepositives:
+    - legitimate use of screen saver
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1218.011