SCR File Write Event
Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
Sigma rule
title: SCR File Write Event
id: c048f047-7e2a-4888-b302-55f509d4a91d
status: test
description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
references:
    - https://lolbas-project.github.io/lolbas/Libraries/Desk/
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
date: 2022-04-27
modified: 2023-08-23
tags:
    - attack.defense-evasion
    - attack.t1218.011
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '.scr'
    filter:
        TargetFilename|contains:
            - ':\$WINDOWS.~BT\NewOS\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
            - ':\WUDownloadCache\' # Windows Update Download Cache
    condition: selection and not filter
falsepositives:
    - The installation of new screen savers by third party software
level: medium
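As an added example (not part of the rule or of the Sigma project), the rule's `selection and not filter` logic evaluated in Python over constructed Sysmon-style file-create events; the event records, field names and paths are assumptions, and the matching is case-insensitive because Sigma string modifiers compare case-insensitively.

```python
# Constructed re-implementation of the rule above for testing against sample events.
# Sigma's `endswith` / `contains` modifiers are case-insensitive, so both sides are
# lower-cased before comparison. Backslashes are doubled because these are Python strings.
FILTER_PATHS = [
    ":\\$WINDOWS.~BT\\NewOS\\",
    ":\\Windows\\System32\\",
    ":\\Windows\\SysWOW64\\",
    ":\\Windows\\WinSxS\\",
    ":\\WUDownloadCache\\",  # Windows Update Download Cache
]


def matches(event: dict) -> bool:
    """Return True when the event satisfies `selection and not filter`."""
    target = event.get("TargetFilename", "").lower()
    selection = target.endswith(".scr")
    filtered = any(p.lower() in target for p in FILTER_PATHS)
    return selection and not filtered


# Constructed sample events (Sysmon Event ID 11, FileCreate); these are not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Users\\alice\\Downloads\\setup.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.scr"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\ssText3d.scr"},      # system folder: filtered
    {"EventID": 11, "Image": "C:\\Program Files\\Vendor\\installer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\report.SCR"},  # upper-case still matches
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\report.scr.txt"},  # wrong suffix
]


def run_rule(events: list) -> list:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT SCR File Write Event:", hit)
```

Events whose path contains one of the filtered system folders are suppressed even though they end in `.scr`, which is the same trade-off the rule's `falsepositives` entry describes for legitimate screensaver installs elsewhere.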
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- CobaltStrike Load by Rundll32
- Code Execution via Pcwutl.dll
- Equation Group DLL_U Export Function Load