Added Sigma Rules

rules/Sigma/sysmon_modify_screensaver_binary_path.yml

@@ -0,0 +1,38 @@
+title: Path To Screensaver Binary Modified
+author: Bartlomiej Czyz @bczyz1, oscd.community
+date: 2020/10/11
+description: Detects value modification of registry key containing path to binary
+    used as screensaver.
+detection:
+    SELECTION_1:
+        EventID: 12
+    SELECTION_2:
+        EventID: 13
+    SELECTION_3:
+        EventID: 14
+    SELECTION_4:
+        TargetObject: '*\Control Panel\Desktop\SCRNSAVE.EXE'
+    SELECTION_5:
+        Image: '*\rundll32.exe'
+    SELECTION_6:
+        Image: '*\explorer.exe'
+    condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and  not
+        ((SELECTION_5 or SELECTION_6)))
+falsepositives:
+- Legitimate modification of screensaver.
+id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
+level: medium
+logsource:
+    category: registry_event
+    product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md
+- https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1546.002
+yml_filename: sysmon_modify_screensaver_binary_path.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+