fix description & ParentImage -> Image modification to comply with reg events constraints

Bartlomiej Czyz
2020-10-11 17:02:39 +02:00
parent 2370730952
commit 8ae42bca7c
@@ -1,10 +1,7 @@
title: Path To Screensaver Binary Modified
id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
status: experimental
description: >
Detects value modification of registry key containing path to binary used as screensaver.
Adversaries may establish persistence by executing malicious content triggered by user inactivity.
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
description: Detects value modification of registry key containing path to binary used as screensaver.
references:
- https://attack.mitre.org/techniques/T1546/002/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md
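Review bot: the one-line `description` drops the explanation of why a change to this value matters (persistence triggered by user inactivity, screensavers being PE files with a .scr extension). An analyst triaging the alert usually sees only the rule text, so consider keeping one short sentence on the persistence use in the single-line description. The T1546/002 reference carries that context only if the reader follows the link.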
@@ -22,7 +19,9 @@ detection:
selection:
TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
filter:
ParentImage: 'C:\Windows\System32\services.exe'
Image|endswith:
- '\rundll32.exe'
- '\explorer.exe'
condition: selection and not filter
level: medium
falsepositives:
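Review bot: in `filter`, `Image|endswith` with `'\rundll32.exe'` and `'\explorer.exe'` matches on file name only, so a process carrying one of those names from any directory is excluded from the rule, where the removed `ParentImage` line was an exact full-path match. Consider anchoring the exclusions to full paths, for example `C:\Windows\System32\rundll32.exe` (plus the SysWOW64 copy if 32-bit writers are expected) and `C:\Windows\explorer.exe`. It would also help to note under `falsepositives` why these two writers are expected, since rundll32.exe runs whatever DLL it is handed and a blanket exclusion for it leaves a coverage gap.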