Query Details

Screensaver File Invoking Suspicious Processes

Query

DeviceProcessEvents
| where FileName has_any (@"cmd.exe", @"powershell.exe", @".exe")
| where InitiatingProcessFileName contains ".scr"
| summarize arg_max(Timestamp, *) by DeviceName
| project Timestamp, DeviceName

About this query

Screensaver file invoking suspicious processes

Description

This hunting query is based on a RedLine stealer malware delivered through a .scr file which invoked a suspicious processes including command prompt, powershell or any other .exe file.

Microsoft 365 Defender

MITRE ATT&CK Mapping

Source

  • MDE

Versioning

VersionDateComments
1.008/11/2022Initial publish
1.123/05/2023Modified template, ATT&CK map

Explanation

This query is designed to detect a specific type of malware called RedLine stealer that is delivered through a screensaver (.scr) file. The query looks for instances where the screensaver file invokes suspicious processes such as command prompt, PowerShell, or any other .exe file. It then summarizes the results by the device name and projects the timestamp and device name. This query helps identify potential malicious activity related to the execution of screensaver files. It is mapped to the MITRE ATT&CK technique T1546.002 (Event Triggered Execution: Screensaver) under the Persistence tactic. The query is sourced from Microsoft 365 Defender (MDE) and has gone through versioning updates.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: August 14, 2023

Tables

DeviceProcessEvents

Keywords

DevicesIntuneUserMicrosoft 365 DefenderDeviceProcessEventsFileNameInitiatingProcessFileNameTimestampDeviceNameMITRE ATT&CK MappingTacticTechnique IDEvent Triggered ExecutionScreensaverMDEVersioningDateCommentsInitial publishModified templateATT&CK map

Operators

DeviceProcessEventswherehas_anycontainssummarizearg_maxbyproject

MITRE Techniques

Actions

GitHub