Sigma rules for CVE-2006-1335
3 rules · scoped to cve · back to CVE-2006-1335
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious Screensaver Binary File Creation
id: 97aa2e88-555c-450d-85a6-229bcd87efb8
status: test
description: |
Adversaries may establish persistence by executing malicious content triggered by user inactivity.
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
author: frack113
date: 2021-12-29
modified: 2022-11-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.002
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '.scr'
filter_generic:
Image|endswith:
- '\Kindle.exe'
- '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection
filter_tiworker:
# ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
Image|endswith: '\TiWorker.exe'
TargetFilename|endswith: '\uwfservicingscr.scr'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: medium
title: ScreenSaver Registry Key Set
id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce
status: test
description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
references:
- https://twitter.com/VakninHai/status/1517027824984547329
- https://twitter.com/pabraeken/status/998627081360695297
- https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
date: 2022-05-04
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1218.011
logsource:
product: windows
category: registry_set
detection:
selection:
Image|endswith: '\rundll32.exe'
registry:
TargetObject|contains: '\Control Panel\Desktop\SCRNSAVE.EXE'
Details|endswith: '.scr'
filter:
Details|contains:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: selection and registry and not filter
falsepositives:
- Legitimate use of screen saver
level: medium
title: Path To Screensaver Binary Modified
id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
status: test
description: Detects value modification of registry key containing path to binary used as screensaver.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
- https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
author: Bartlomiej Czyz @bczyz1, oscd.community
date: 2020-10-11
modified: 2021-11-27
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.002
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
filter:
Image|endswith:
- '\rundll32.exe'
- '\explorer.exe'
condition: selection and not filter
falsepositives:
- Legitimate modification of screensaver
level: medium