SCR File Write Event
Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
Sigma rule
title: SCR File Write Event
id: c048f047-7e2a-4888-b302-55f509d4a91d
status: experimental
description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
references:
    - https://lolbas-project.github.io/lolbas/Libraries/Desk/
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
date: 2022/04/27
modified: 2023/08/23
tags:
    - attack.defense_evasion
    - attack.t1218.011
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '.scr'
    filter:
        TargetFilename|contains:
            - ':\$WINDOWS.~BT\NewOS\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
            - ':\WUDownloadCache\' # Windows Update Download Cache
    condition: selection and not filter
falsepositives:
    - The installation of new screen savers by third party software
level: medium
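To show how the rule's "selection and not filter" condition behaves on events, here is an added Python matcher (example code, not part of the rule or the Sigma project) that reimplements the rule's logic over constructed Sysmon-style file_event records; the sample event dictionaries and paths are constructed for this illustration.

```python
"""Evaluate constructed file-creation events against the detection logic
of the 'SCR File Write Event' Sigma rule (example code, not the rule's own)."""

# Sigma string modifiers (endswith, contains) are case-insensitive by
# default, so both the field value and the patterns are lower-cased.
SELECTION_SUFFIX = ".scr"
FILTER_SUBSTRINGS = [
    ":\\$WINDOWS.~BT\\NewOS\\",
    ":\\Windows\\System32\\",
    ":\\Windows\\SysWOW64\\",
    ":\\Windows\\WinSxS\\",
    ":\\WUDownloadCache\\",   # Windows Update Download Cache
]


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'selection and not filter'."""
    target = event.get("TargetFilename", "").lower()
    selection = target.endswith(SELECTION_SUFFIX)
    filtered = any(sub.lower() in target for sub in FILTER_SUBSTRINGS)
    return selection and not filtered


def evaluate(events) -> list:
    """Return the TargetFilename of every event that triggers the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); the field name follows
# the Sysmon file-creation event shape the rule's logsource maps to.
SAMPLE_EVENTS = [
    # Legitimate system location: matched by filter, so suppressed.
    {"TargetFilename": r"C:\Windows\System32\scrnsave.scr"},
    # User-writable temp folder: triggers the rule.
    {"TargetFilename": r"C:\Users\alice\AppData\Local\Temp\update.scr"},
    # Wrong extension: selection does not match.
    {"TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    # Component store path: matched by filter, so suppressed.
    {"TargetFilename": r"C:\Windows\WinSxS\amd64_example\bubbles.scr"},
    # Upper-case extension still matches (case-insensitive endswith).
    {"TargetFilename": r"C:\Users\alice\Downloads\Invoice.SCR"},
    # Update cache: matched by filter, so suppressed.
    {"TargetFilename": r"C:\WUDownloadCache\1234\ssText3d.scr"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT SCR File Write Event:", hit)
```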
Related rules
- IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
- Rundll32 Execution Without DLL File
- ScreenSaver Registry Key Set
- Rundll32 InstallScreenSaver Execution
- NotPetya Ransomware Activity