Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Event Triggered Execution: Screensaver

Other sub-techniques of Event Triggered Execution (16)

ID	Name
.001	Change Default File Association
.002	Screensaver
.003	Windows Management Instrumentation Event Subscription
.004	Unix Shell Configuration Modification
.005	Trap
.006	LC_LOAD_DYLIB Addition
.007	Netsh Helper DLL
.008	Accessibility Features
.009	AppCert DLLs
.010	AppInit DLLs
.011	Application Shimming
.012	Image File Execution Options Injection
.013	PowerShell Profile
.014	Emond
.015	Component Object Model Hijacking
.016	Installer Packages

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations. The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence: * SCRNSAVE.exe - set to malicious PE path * ScreenSaveActive - set to '1' to enable the screensaver * ScreenSaverIsSecure - set to '0' to not require a password to unlock * ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)

ID: T1546.002

Sub-technique of: T1546

Tactic(s): Persistence, Privilege Escalation

Platforms: Windows

Permissions Required: User

Data Sources: Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Modification

Version: 1.0

Created: 24 Jan 2020

Last Modified: 20 Apr 2022

Name	Description
Procedure Examples
Gazer	Gazer can establish persistence through the system screensaver by configuring it to execute the malware.(Citation: ESET Gazer Aug 2017)

Mitigation	Description
Mitigations
Execution Prevention	Block execution of code on a system through application control, and/or script blocking.
Disable or Remove Feature or Program	Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Detection

Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior. Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.

References

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.