Screensaver process executed from Users or temporary folder

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

6 Hours

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Event Triggered Execution: Screensaver (T1546.002)

Severity

Low

Description

An executable file with a screensaver extension was executed from the Users or temp folder. This is not a common behavior for screensavers and may indicate a malicious file disguised as a screensaver in the Users or temp folder.
It is recommended to further investigate the execution flow for malicious indicators.

Attacker's Goals

Gain persistence by configuring a new screensaver.

Investigative actions

Check whether the executing process (with the SCR extension) is benign, and if this was a desired behavior as part of its normal execution flow.

Variations

Screensaver process executed from Users or temporary folder by a scripting engine process

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Event Triggered Execution: Screensaver (T1546.002)

Severity

High

Description

An executable file with a screensaver extension was executed from the Users or temp folder by a scripting engine process. This is not a common behavior for screensavers and may indicate a malicious file disguised as a screensaver in the Users or temp folder.
It is recommended to further investigate the execution flow for malicious indicators.

Attacker's Goals

Gain persistence by configuring a new screensaver.

Investigative actions

Check whether the executing process (with the SCR extension) is benign, and if this was a desired behavior as part of its normal execution flow.