HUNTS- Screensaver (T1180)
Version 1.0
ATT&CK Technique: Screensaver (T1180)
What this playbook hunts for:
- Modification of the scrnsave.exe registry key using command line tools. The scrnsave.exe registry key can be modified to point to a malicious executable so that malicious code runs whenever a screensaver would normally be triggered.
- Execution of .scr files where the .scr file does not reside in a standard directory. SCR files are essentially executable files and can be used to execute malicious code in the same way that any executable can.
How the playbook works:
- Generates a SIEM query for Sysmon Event ID 1 logs where a .scr file is executed outside of the Windows system directories
- Generates a SIEM query for Sysmon Event ID 1 logs where a command line tool is used to modify the scrnsave.exe registry key
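The two checks above, expressed as detection logic over Sysmon Event ID 1 records, as an added example that is not part of the original playbook. The record field names follow Sysmon's process-creation event; the system directory list, the registry tool list and the sample events are assumptions to be adjusted to the organization's baseline.

```python
import ntpath
import re

# Directories where .scr execution is expected (assumption: extend to match
# the organization's own baseline of approved screensaver locations).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Command-line tools a user or script would use to edit a registry value.
REG_TOOLS = ("reg.exe", "powershell.exe", "pwsh.exe", "cmd.exe")
SCRNSAVE_RE = re.compile(r"scrnsave\.exe", re.IGNORECASE)
# Fields to report, matching "What results are expected" below.
REPORT_FIELDS = ("Image", "ProcessId", "CommandLine", "Hashes", "UtcTime", "Computer", "User")

def is_nonstandard_scr(ev):
    """.scr executed from anywhere other than the Windows system directories."""
    image = ev.get("Image", "").lower()
    if not image.endswith(".scr"):
        return False
    # Trailing separator so "system32evil\" does not pass as "system32\".
    return not any(image.startswith(d + "\\") for d in SYSTEM_DIRS)

def is_scrnsave_modification(ev):
    """Registry-editing tool invoked with scrnsave.exe on its command line."""
    tool = ntpath.basename(ev.get("Image", "")).lower()
    return tool in REG_TOOLS and bool(SCRNSAVE_RE.search(ev.get("CommandLine", "")))

def hunt(events):
    """Return (rule name, result fields) for every Event ID 1 record that matches."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        for rule, check in (("nonstandard_scr", is_nonstandard_scr),
                            ("scrnsave_key_modified", is_scrnsave_modification)):
            if check(ev):
                hits.append((rule, {k: ev.get(k) for k in REPORT_FIELDS}))
    return hits

# Constructed Sysmon Event ID 1 records; hash, host and user are placeholders.
COMMON = {"EventID": 1, "Hashes": "MD5=PLACEHOLDER", "Computer": "WS01", "User": "CORP\\alice"}
SAMPLE_EVENTS = [
    dict(COMMON, Image=r"C:\Windows\System32\ssText3d.scr", ProcessId=4120,
         CommandLine=r"C:\Windows\System32\ssText3d.scr /s", UtcTime="2024-01-01 09:00:00.000"),
    dict(COMMON, Image=r"C:\Users\alice\AppData\Local\Temp\invoice.scr", ProcessId=5308,
         CommandLine=r"C:\Users\alice\AppData\Local\Temp\invoice.scr", UtcTime="2024-01-01 09:05:00.000"),
    dict(COMMON, Image=r"C:\Windows\System32\reg.exe", ProcessId=5320, UtcTime="2024-01-01 09:05:02.000",
         CommandLine=r'reg.exe add "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ '
                     r"/d C:\Users\alice\AppData\Local\Temp\invoice.scr /f"),
]
```

Running `hunt(SAMPLE_EVENTS)` flags the second and third records only; the stock screensaver under System32 is treated as expected activity.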
What results are expected:
- Name, process ID, and path of the .scr file executed
- Command line arguments for .scr file execution
- MD5 hash of the .scr file executed
- Execution time
- Hostname of the computer where the .scr file was executed
- User account that was used to execute the .scr file
Common follow-on actions:
- Acquire forensic image
- Sandbox file
- Get running processes
- Get network connections
- Quarantine host
What inputs are necessary:
- SIEM
- Logs: Sysmon Event ID 1: Process creation
- Hunt start time
What subroutine playbooks are needed:
- Create and Link Alerts from Hunt (Host-based)
What configurations are needed:
- Sysmon logging enabled
False Positive Potential: Low to Medium
- Depending upon the organization's policies regarding execution of files outside of Windows directories, execution of non-standard .scr files should be fairly limited.
