Screensaver File Invoking Internet Access
Query
DeviceNetworkEvents
| where Protocol contains "tcp"
| where RemoteIPType contains "Public"
| where InitiatingProcessFileName contains ".scr"
| summarize arg_max(Timestamp, *) by DeviceName
| project Timestamp, DeviceNameAbout this query
Screensaver file invoking internet access
Description
This hunting query is based on a RedLine stealer malware delivered through a .scr file which invoked a process accessing the internet to deliver payload.
Microsoft 365 Defender
MITRE ATT&CK Mapping
- Tactic: Persistence
- Technique ID: T1546.002
- Event Triggered Execution: Screensaver
Source
- MDE
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 08/11/2022 | Initial publish |
| 1.1 | 23/05/2023 | Modified template, ATT&CK map |
Explanation
This query is designed to detect a specific type of malware called RedLine stealer that is delivered through a screensaver (.scr) file. The query looks for network events where the protocol is TCP, the remote IP is public, and the initiating process file name contains ".scr". It then summarizes the results by the device name and projects the timestamp and device name. This query helps identify instances where the screensaver file is being used to access the internet and deliver a payload. It is mapped to the MITRE ATT&CK technique T1546.002, which is related to event-triggered execution using screensavers.
