Suspicious Powercfg Execution To Change Lock Screen Timeout

Rule Info

Name
Suspicious Powercfg Execution To Change Lock Screen Timeout
Author
frack113
Description
Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
Reference
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
Date
2022-11-18 00:00:00
Modified
None
Id
f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b
Tags
attack.defense_evasion DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18
95793d73b
frack113
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17
020fc8061
Nasreddine Bencherchali
chore: renames with new sigma convention
2023-03-03
4439d85ea
frack113
Add proc_creation_win_susp_powercfg
2022-11-18
59ccb74bc
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022