SCR File Write Event

calendar Sep 18, 2023 · attack.defense_evasion attack.t1218.011  ·
Share on: linkedin copy

Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.

Sigma rule (View on GitHub)

 1title: SCR File Write Event
 2id: c048f047-7e2a-4888-b302-55f509d4a91d
 3status: experimental
 4description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
 5references:
 6    - https://lolbas-project.github.io/lolbas/Libraries/Desk/
 7author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
 8date: 2022/04/27
 9modified: 2023/08/23
10tags:
11    - attack.defense_evasion
12    - attack.t1218.011
13logsource:
14    category: file_event
15    product: windows
16detection:
17    selection:
18        TargetFilename|endswith: '.scr'
19    filter:
20        TargetFilename|contains:
21            - ':\$WINDOWS.~BT\NewOS\'
22            - ':\Windows\System32\'
23            - ':\Windows\SysWOW64\'
24            - ':\Windows\WinSxS\'
25            - ':\WUDownloadCache\' # Windows Update Download Cache
26    condition: selection and not filter
27falsepositives:
28    - The installation of new screen savers by third party software
29level: medium

References

  • Desk | LOLBAS

    Launch a remote executable with a .scr extension, located on an SMB share, by calling the InstallScreenSaver function. rundll32.exe desk.cpl,InstallScreenSaver \\127.0.0.1\c$\temp\file.scr Use case...


    Read More

Related rules

to-top