Rundll32 InstallScreenSaver Execution
An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
Sigma rule (View on GitHub)
1title: Rundll32 InstallScreenSaver Execution
2id: 15bd98ea-55f4-4d37-b09a-e7caa0fa2221
3status: test
4description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
5references:
6 - https://lolbas-project.github.io/lolbas/Libraries/Desk/
7 - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl
8author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec'
9date: 2022/04/28
10modified: 2023/02/09
11tags:
12 - attack.t1218.011
13 - attack.defense_evasion
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith: '\rundll32.exe'
20 - OriginalFileName: 'RUNDLL32.EXE'
21 selection_cli:
22 CommandLine|contains: 'InstallScreenSaver'
23 condition: all of selection_*
24falsepositives:
25 - Legitimate installation of a new screensaver
26level: medium
References
-
Launch a remote executable with a .scr extension, located on an SMB share, by calling the InstallScreenSaver function. rundll32.exe desk.cpl,InstallScreenSaver \\127.0.0.1\c$\temp\file.scr Use case...
Read More -
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Rhadamanthys Stealer Module Launch Via Rundll32.EXE
- Shell32 DLL Execution in Suspicious Directory
- Bad Opsec Defaults Sacrificial Processes With Improper Arguments
- NotPetya Ransomware Activity
- CobaltStrike Load by Rundll32