Try in Splunk Security Cloud


This analytic is developed to detect possible event trigger execution through screensaver registry entry modification for persistence or privilege escalation. This technique was seen in several APT and malware where they put the malicious payload path to the SCRNSAVE.EXE registry key to redirect the execution to their malicious payload path. This TTP is a good indicator that some attacker may modify this entry for their persistence and privilege escalation.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-09-27
  • Author: Teoderick Contreras, Splunk
  • ID: 58cea3ec-1f6d-11ec-8560-acde48001122


ID Technique Tactic
T1546 Event Triggered Execution Privilege Escalation, Persistence
T1546.002 Screensaver Privilege Escalation, Persistence

| tstats `security_content_summariesonly` count  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*\\Control Panel\\Desktop\\SCRNSAVE.EXE*") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `drop_dm_object_name(Registry)` 
| `screensaver_event_trigger_execution_filter`

Associated Analytic Story

How To Implement

To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.

Required field

  • _time
  • Registry.dest
  • Registry.user
  • Registry.registry_path
  • Registry.registry_key_name
  • Registry.registry_value_name

Kill Chain Phase

  • Exploitation

Known False Positives



Risk Score Impact Confidence Message
72.0 80 90 modified/added/deleted registry entry $Registry.registry_path$ in $dest$


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1