title: Path To Screensaver Binary Modified
id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
status: experimental
description: Detects value modification of registry key containing path to binary used as screensaver.
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md
  - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
tags:
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1546.002
author: Bartlomiej Czyz @bczyz1, oscd.community
date: 2020/10/11
logsource:
  category: registry_event
  product: windows
detection:
  selection:
    TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
  filter:
    Image|endswith:
      - '\rundll32.exe'
      - '\explorer.exe'
  condition: selection and not filter
level: medium
falsepositives:
  - 'Legitimate modification of screensaver.'