← Library
sigmaDRL-1.1from SigmaHQ/sigma

SCR File Write Event

Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1218.011
Rule sourcerules/windows/file/file_event/file_event_win_new_scr_file.yml
title: SCR File Write Event
id: c048f047-7e2a-4888-b302-55f509d4a91d
status: test
description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
references:
    - https://lolbas-project.github.io/lolbas/Libraries/Desk/
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
date: 2022-04-27
modified: 2023-08-23
tags:
    - attack.defense-evasion
    - attack.t1218.011
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '.scr'
    filter:
        TargetFilename|contains:
            - ':\$WINDOWS.~BT\NewOS\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
            - ':\WUDownloadCache\' # Windows Update Download Cache
    condition: selection and not filter
falsepositives:
    - The installation of new screen savers by third party software
level: medium