Query Details

Screensaver File Invoking Internet Access

Query

# Screensaver file invoking internet access

### Description

This hunting query was written after a RedLine stealer infection that was delivered as a screensaver (.scr) file: once run, the .scr executable opened a connection to the internet to retrieve its payload. The query surfaces .scr processes that initiate outbound TCP connections to public IP addresses.

### Microsoft 365 Defender
```
DeviceNetworkEvents
| where Protocol contains "tcp"
| where RemoteIPType contains "Public"
| where InitiatingProcessFileName contains ".scr"
| summarize arg_max(Timestamp, *) by DeviceName
| project Timestamp, DeviceName
```

### MITRE ATT&CK Mapping
- Tactic: Persistence
- Technique ID: T1546.002
- [Event Triggered Execution: Screensaver](https://attack.mitre.org/techniques/T1546/002/)

### Source
- MDE

### Versioning
| Version       | Date          | Comments                      |
| ------------- |---------------| ------------------------------|
| 1.0           | 08/11/2022    | Initial publish               |
| 1.1           | 23/05/2023    | Modified template, ATT&CK map |

Explanation

This query targets the delivery behaviour seen in a RedLine stealer campaign, where the lure was a screensaver (.scr) file. On Windows a .scr file is an ordinary executable under a different extension, so a double-clicked screensaver can do anything a .exe can, including calling out to the internet. The query reads DeviceNetworkEvents and keeps events where the protocol is TCP, the remote IP type is Public, and the initiating process file name contains ".scr", meaning a screensaver executable made the outbound connection. arg_max(Timestamp, *) by DeviceName then reduces the output to the most recent matching event per device, and the final project keeps only Timestamp and DeviceName. Two caveats when running it: contains ".scr" is a substring match and would also match names such as "something.scr.exe", so endswith ".scr" is the stricter test; and the summarize/project pair discards the remote IP, URL, process path and hash, so for triage you will normally want to project those columns or drop the summarize step and look at every connection. The query is mapped to T1546.002 (Event Triggered Execution: Screensaver) because of the screensaver lure; note that it detects the network activity of the .scr process, not the SCRNSAVE.EXE registry change that the technique itself describes.
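The following is an added example, not the original query or the author's code: a triage-oriented variant of the same hunt that keeps the fields an analyst needs to decide whether a hit is benign. It uses only the documented DeviceNetworkEvents columns; the 30-day window, the stricter endswith filter and the optional System32 exclusion are tuning choices assumed here, and the file names in the comments are illustrative.

```kql
// Added example (not part of the original query page): triage variant of the
// "screensaver file invoking internet access" hunt.
// Assumptions: the 30-day window and the optional System32 exclusion are tuning
// choices; all column names are the standard DeviceNetworkEvents schema.
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where Protocol =~ "Tcp"
| where RemoteIPType == "Public"
// endswith is stricter than the original 'contains ".scr"', which would also
// match illustrative names such as "describe.scr.exe" or "report.scr.txt".
| where InitiatingProcessFileName endswith ".scr"
// Optional tuning: screensavers shipped with Windows live in System32. Enable this
// only if you accept missing a payload dropped there, which needs elevated rights.
// | where InitiatingProcessFolderPath !startswith @"c:\windows\system32\"
| summarize
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    Connections = count(),
    RemoteIPs   = make_set(RemoteIP, 25),
    RemoteUrls  = make_set(RemoteUrl, 25),
    RemotePorts = make_set(RemotePort, 25)
    by DeviceName,
       InitiatingProcessAccountName,
       InitiatingProcessFolderPath,
       InitiatingProcessSHA256,
       InitiatingProcessParentFileName
| order by LastSeen desc
```

Grouping by folder path, SHA256 and parent process rather than by device alone keeps one row per distinct screensaver binary per host, so a single unknown hash reaching several public IPs stands out, and the hash can be pivoted straight into DeviceFileEvents or DeviceProcessEvents for the delivery chain. Unlike the original arg_max, this keeps every remote endpoint the binary touched instead of only the latest one.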

Details


Michalis Michalos

Released: August 14, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,Protocol,RemoteIPType,InitiatingProcessFileName,Timestamp,DeviceName

Operators

where,contains,summarize,arg_max,by,project
