MITRE Technique T1546.002

Read about this MITRE Technique at -

Event Triggered Execution: Screensaver, Sub-technique T1546.002 - Enterprise | MITRE ATT&CK®attack.mitre.org

The following is a Splunk query for logs from Sysmon to detect this technique being used on Windows -

index=sysmon (EventCode=13 Details="c:\\windows\\system32\\*.scr" TargetObject="*\\Control Panel\\Desktop\\SCRNSAVE.EXE" ) OR (EventCode=1 CommandLine="reg*\ add *\\Control Panel\\Desktop\" /v SCRNSAVE.EXE /t REG_SZ /d *C:\\WINDOWS\\System32\\*.scr*") 
| rex field=CommandLine "/d\ \"(?<TargetFilename>\S+)\"" 
| eval TargetFilename=coalesce(TargetFilename, Details)
| eval TargetFilename=lower(TargetFilename)
| mvexpand User
| search NOT User="NOT_TRANSLATED"
| join TargetFilename [ search index=sysmon EventCode=11 TargetFilename="C:\\Windows\\System32*.scr" | eval TargetFilename=lower(TargetFilename) | fields TargetFilename Image ]
| table UtcTime EventCode Sid ProcessGuid ProcessId User ComputerName TargetFilename Image

PreviousSplunk NextMITRE Technique T1546.008

Last updated 1 year ago