Rundll32 InstallScreenSaver Execution

 1title: Rundll32 InstallScreenSaver Execution
 2id: 15bd98ea-55f4-4d37-b09a-e7caa0fa2221
 3status: test
 4description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
 5references:
 6    - https://lolbas-project.github.io/lolbas/Libraries/Desk/
 7    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl
 8author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec'
 9date: 2022-04-28
10modified: 2023-02-09
11tags:
12    - attack.t1218.011
13    - attack.defense-evasion
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        - Image|endswith: '\rundll32.exe'
20        - OriginalFileName: 'RUNDLL32.EXE'
21    selection_cli:
22        CommandLine|contains: 'InstallScreenSaver'
23    condition: all of selection_*
24falsepositives:
25    - Legitimate installation of a new screensaver
26level: medium

References

• Desk on LOLBAS

  

  Desk.cpl is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• atomic-red-team/atomics/T1218.011/T1218.011.md at 0f229c0e42bfe7ca736a14023836d65baa941ed2 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

Related rules

• APT29 2018 Phishing Campaign CommandLine Indicators
• APT29 2018 Phishing Campaign File Indicators
• CobaltStrike Load by Rundll32
• Code Execution via Pcwutl.dll
• Equation Group DLL_U Export Function Load