-
Notifications
You must be signed in to change notification settings - Fork 326
/
CAR-2020-11-011.yaml
52 lines (52 loc) · 1.78 KB
/
CAR-2020-11-011.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
---
title: Registry Edit from Screensaver
submission_date: 2020/11/30
information_domain: Host
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Olaf Hartong
id: CAR-2020-11-011
description: |
Adversaries may use screensaver files to run malicious code. This analytic triggers on suspicious edits to the screensaver registry keys, which dictate which .scr file the screensaver runs.
coverage:
- technique: T1546
tactics:
- TA0003
- TA0004
subtechniques:
- T1546.002
coverage: High
implementations:
- name: Pseudocode - Screensaver
description: This is a pseudocode representation of the below splunk search.
code: |
reg_events = search Registry:add or Registry:edit
scr_reg_events = filter processes where (
key="*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE" AND
output scr_reg_events
data_model: CAR native
type: Pseudocode
- name: Splunk Search - Screensaver
description: looks creations of edits of the SCRNSAVE.exe registry key
code: |
index=your_sysmon_index (EventCode=12 OR EventCode=13 OR EventCode=14) TargetObject="*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE"
data_model: Sysmon native
type: Splunk
- name: LogPoint Search - Screensaver
description: looks creations of edits of the SCRNSAVE.exe registry key
code: |
norm_id=WindowsSysmon event_id IN [12, 13, 14] target_object="*\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE"
data_model: LogPoint native
type: LogPoint
data_model_references:
- registry/edit/key
- registry/add/key
d3fend_mappings:
- iri: d3f:UserSessionInitConfigAnalysis
id: D3-USICA
label: User Session Init Config Analysis