From 8ae42bca7ceb3f06bc73b117f1ea48e11f06d803 Mon Sep 17 00:00:00 2001
From: Bartlomiej Czyz
Date: Sun, 11 Oct 2020 17:02:39 +0200
Subject: [PATCH] fix description & ParentImage -> Image modification to comply with reg events constraints

---
 .../sysmon_modify_screensaver_binary_path.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml
index f335f7597..7ea7aada0 100644
--- a/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml
+++ b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml
@@ -1,10 +1,7 @@
 title: Path To Screensaver Binary Modified
 id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
 status: experimental
-description: >
-    Detects value modification of registry key containing path to binary used as screensaver.
-    Adversaries may establish persistence by executing malicious content triggered by user inactivity.
-    Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
+description: Detects value modification of registry key containing path to binary used as screensaver.
 references:
     - https://attack.mitre.org/techniques/T1546/002/
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md
@@ -22,7 +19,9 @@ detection:
     selection:
         TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
     filter:
-        ParentImage: 'C:\Windows\System32\services.exe'
+        Image|endswith:
+            - '\rundll32.exe'
+            - '\explorer.exe'
     condition: selection and not filter
 level: medium
 falsepositives:
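Review bot: The new `Image|endswith:` filter in the second hunk suppresses the alert for any process whose file name ends in rundll32.exe or explorer.exe regardless of the directory it runs from, and because the filter is negated in `condition: selection and not filter`, a same-named binary started from an unexpected location would also be excluded from detection. Sysmon registry events carry the full image path in `Image`, so pinning the exclusion to the expected system locations keeps the intended allowance for the Control Panel path while narrowing the blind spot; the rewritten `filter` block is below. The `falsepositives:` list that follows the hunk lies outside this view and should be checked so it names the user-driven Control Panel change this filter is meant to cover.
```yaml
    filter:
        Image:
            - 'C:\Windows\System32\rundll32.exe'
            - 'C:\Windows\SysWOW64\rundll32.exe'
            - 'C:\Windows\explorer.exe'
```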