From f5223cd5a33faf5cd46116d1b0fcdebe8e1d9c05 Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Mon, 9 Dec 2024 10:29:44 +0100
Subject: [PATCH] change name screensaver persistence technique
---
nursery/reference-screen-saver-executable.yml | 19 -------------------
1 file changed, 19 deletions(-)
delete mode 100644 nursery/reference-screen-saver-executable.yml
diff --git a/nursery/reference-screen-saver-executable.yml b/nursery/reference-screen-saver-executable.yml
deleted file mode 100644
index a916936f..00000000
--- a/nursery/reference-screen-saver-executable.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-rule:
- meta:
- name: persist via screensaver registry key
- namespace: persistence/screensaver
- authors:
- - michael.hunhoff@mandiant.com
- description: SCRNSAVE.EXE registry value specifies the name of the screen saver executable file
- scopes:
- static: function
- dynamic: call
- att&ck:
- - Persistence::Event Triggered Execution::Screensaver [T1546.002]
- features:
- - and:
- - match: set registry value
- - string: /Control Panel\\Desktop/i
- - string: /^SCRNSAVE.EXE$/i
- - optional:
- - string: "ScreenSaveTimeOut"