title: Path To Screensaver Binary Modified
author: Bartlomiej Czyz @bczyz1, oscd.community
date: 2020/10/11
description: Detects modification of the registry value that holds the path to the binary used as the screensaver (SCRNSAVE.EXE under Control Panel\Desktop), excluding changes made through explorer.exe or rundll32.exe (the Control Panel UI).
detection:
  SELECTION_1:
    EventID: 12
  SELECTION_2:
    EventID: 13
  SELECTION_3:
    EventID: 14
  SELECTION_4:
    TargetObject: '*\Control Panel\Desktop\SCRNSAVE.EXE'
  SELECTION_5:
    Image: '*\rundll32.exe'
  SELECTION_6:
    Image: '*\explorer.exe'
  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and not ((SELECTION_5 or SELECTION_6)))
falsepositives:
  - Legitimate modification of the screensaver by means other than the Control Panel UI (scripts, GPO processing, management agents).
id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
level: medium
logsource:
  category: registry_event
  product: windows
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md
  - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
status: experimental
tags:
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1546.002
yml_filename: sysmon_modify_screensaver_binary_path.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
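The rule's condition evaluated over a handful of constructed Sysmon registry events, as an added Python example (this is not part of the rule, of the Sigma project, or of any Sigma backend). It assumes each event has been flattened into a dict of EventData fields (EventID, Image, TargetObject, Details), that Sigma's default string matching is case-insensitive with `*` and `?` as the only wildcards, and uses a made-up user SID; the event list is constructed, not real telemetry.

```python
import re
from typing import Dict, Iterable, List

# Sysmon registry event IDs the rule selects (SELECTION_1..3):
# 12 = key/value create or delete, 13 = value set, 14 = key/value rename.
REGISTRY_EVENT_IDS = {12, 13, 14}
# SELECTION_4: the value that holds the screensaver binary path.
TARGET_PATTERN = r"*\Control Panel\Desktop\SCRNSAVE.EXE"
# SELECTION_5/6: images the rule filters out (the Control Panel UI paths).
EXCLUDED_IMAGES = (r"*\rundll32.exe", r"*\explorer.exe")


def sigma_match(value: str, pattern: str) -> bool:
    """Sigma-style string match: '*' matches any run of characters, '?' one
    character, everything else (backslashes included) is literal, and the
    comparison is case-insensitive, which is Sigma's default."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def matches_rule(event: Dict[str, object]) -> bool:
    """The rule condition:
    (SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4
    and not (SELECTION_5 or SELECTION_6)."""
    try:
        event_id = int(event.get("EventID", -1))
    except (TypeError, ValueError):
        return False
    if event_id not in REGISTRY_EVENT_IDS:
        return False
    if not sigma_match(str(event.get("TargetObject", "")), TARGET_PATTERN):
        return False
    image = str(event.get("Image", ""))
    return not any(sigma_match(image, p) for p in EXCLUDED_IMAGES)


def run_rule(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events that fire the rule, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry), shaped like Sysmon registry
# events after EventData has been flattened into a dict. The SID is made up.
KEY = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Control Panel\Desktop"
SAMPLE_EVENTS = [
    # reg.exe points the screensaver at a .scr in a user-writable path: alert
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": KEY + r"\SCRNSAVE.EXE",
     "Details": r"C:\Users\Public\update.scr"},
    # Same value set through the Control Panel UI: filtered by SELECTION_6
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": KEY + r"\SCRNSAVE.EXE",
     "Details": r"C:\Windows\System32\Bubbles.scr"},
    # desk.cpl hosted by rundll32.exe, mixed case: filtered by SELECTION_5
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\RunDLL32.EXE",
     "TargetObject": KEY + r"\ScrnSave.exe",
     "Details": r"C:\Windows\System32\Mystify.scr"},
    # A neighbouring screensaver value: SELECTION_4 does not match
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": KEY + r"\ScreenSaveActive",
     "Details": "DWORD (0x00000001)"},
    # Process creation that mentions the value: wrong EventID for this rule
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE /d C:\Users\Public\update.scr /f'},
    # PowerShell creating the value (event 12, CreateValue): alert
    {"EventID": 12, "EventType": "CreateValue",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": KEY + r"\SCRNSAVE.EXE"},
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit['EventID']} Image={hit['Image']} "
              f"Details={hit.get('Details', '<none>')}")
```

Two points worth keeping in mind when tuning this rule. The exclusion is on Image only, so a write performed from inside explorer.exe (injected code, a shell extension) is silenced along with the legitimate UI path; if that matters, tighten the filter on another field rather than widening it. And the Details field of event 13 carries the new screensaver path, which is what an analyst triages: a .scr outside %SystemRoot% is the interesting case, and the exclusions above never suppress it for reg.exe or PowerShell.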