From a64e020479ca84db0bc559ae25104bf64085d8bc Mon Sep 17 00:00:00 2001 From: keyboardcrunch <40863898+keyboardcrunch@users.noreply.github.com> Date: Tue, 15 Sep 2020 20:28:52 -0500 Subject: [PATCH] T1546.002 Screensaver --- queries.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/queries.md b/queries.md index 0d3fc6c..f9239fa 100644 --- a/queries.md +++ b/queries.md @@ -169,9 +169,13 @@ Detects Process Injection through execution of MavInject, filtering out noisy/ex ### T1546.002 Screensaver -Atomics: [T1546.002]() +Atomics: [T1546.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md) +Detects malicious changes to screensaver through Registry changes, filtering expected processes. +``` +RegistryKeyPath ContainsCIS "Control Panel\Desktop\SCRNSAVE.EXE" AND (EventType In ("Registry Value Create","Registry Value Modified") AND SrcProcName Not In ("svchost.exe","SetupHost.exe")) +``` ### T1547.005 Security Support Provider Atomics: [T1547.005]()
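Review bot: the description added in this hunk says the query detects "malicious changes to screensaver", but the logic matches every "Registry Value Create" or "Registry Value Modified" event on `Control Panel\Desktop\SCRNSAVE.EXE` whose source process is not `svchost.exe` or `SetupHost.exe`, so ordinary user-driven changes made through the Personalization UI will fire it as well; either reword the description to "Detects changes to the screensaver binary through Registry changes, filtering expected processes" or note that the exclusion list is expected to be tuned per environment. Also, the exclusion keys on `SrcProcName` alone, which is a name-only match; pairing it with the process image path (if the platform exposes one) would make the allowlist less trivially satisfied by an unexpected binary carrying a familiar name.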