SCR File Write Event

Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.

Sigma rule

title: SCR File Write Event
id: c048f047-7e2a-4888-b302-55f509d4a91d
status: test
description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
references:
    - https://lolbas-project.github.io/lolbas/Libraries/Desk/
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
date: 2022-04-27
modified: 2023-08-23
tags:
    - attack.defense-evasion
    - attack.t1218.011
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '.scr'
    filter:
        TargetFilename|contains:
            - ':\$WINDOWS.~BT\NewOS\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
            - ':\WUDownloadCache\' # Windows Update Download Cache
    condition: selection and not filter
falsepositives:
    - The installation of new screen savers by third party software
level: medium
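The following is an added Python example, not part of the rule or the Sigma project, that re-implements the rule's `selection and not filter` logic in plain code and runs it over a handful of constructed file-creation events. It assumes the events have already been mapped to the rule's `TargetFilename` field (as a Sysmon EventID 11 `file_event` mapping would do) and applies Sigma's default case-insensitive string matching, so an `update.SCR` written to a user's Temp folder is caught while the same extension under `System32`, `WinSxS` or the Windows Update download cache is suppressed by the filter on any drive letter:

```python
# Substrings copied from the rule's filter list. Written as ordinary Python
# strings with doubled backslashes; they are matched as literal substrings,
# not regexes, which is what the Sigma |contains modifier does.
SYSTEM_PATH_FRAGMENTS = [
    ":\\$WINDOWS.~BT\\NewOS\\",
    ":\\Windows\\System32\\",
    ":\\Windows\\SysWOW64\\",
    ":\\Windows\\WinSxS\\",
    ":\\WUDownloadCache\\",  # Windows Update download cache
]


def matches_scr_file_write(event: dict) -> bool:
    """Return True if a file_event record triggers the rule.

    Mirrors `condition: selection and not filter`: TargetFilename must end
    with '.scr' and must not contain any of the system-folder fragments.
    Sigma string matching is case-insensitive by default, so both the field
    value and the patterns are lowercased before comparison.
    """
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False
    lowered = target.lower()
    selection = lowered.endswith(".scr")
    in_filter = any(frag.lower() in lowered for frag in SYSTEM_PATH_FRAGMENTS)
    return selection and not in_filter


# Constructed sample events (not real telemetry). The field names follow a
# typical Sysmon EventID 11 -> Sigma file_event mapping; the paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\ssText3d.scr"},          # filtered: system folder
    {"EventID": 11, "Image": "C:\\Windows\\SysWOW64\\TiWorker.exe",
     "TargetFilename": "C:\\Windows\\WinSxS\\amd64_demo\\bubbles.scr"},  # filtered: WinSxS
    {"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.SCR"},  # alert: uppercase ext
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\report.pdf"},        # no alert: not .scr
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "D:\\WUDownloadCache\\pkg\\saver.scr"},            # filtered: any drive letter
]


def find_alerts(events):
    """Return the TargetFilename of every event that triggers the rule."""
    return [e["TargetFilename"] for e in events if matches_scr_file_write(e)]


if __name__ == "__main__":
    for path in find_alerts(SAMPLE_EVENTS):
        print("ALERT SCR File Write Event:", path)
```

Because the filter only suppresses a fixed set of Windows-owned folders, a legitimate third-party installer dropping its own screensaver (the listed false positive) will still fire; tuning for such cases is done by extending the filter with the installer's path, not by loosening the `.scr` selection.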
