Techniques
Sample rules
Rundll32 InstallScreenSaver Execution
- source: sigma
- techniques:
  - t1218
  - t1218.011
Description
An attacker may execute an application as a SCR file using rundll32.exe desk.cpl,InstallScreenSaver.
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains: InstallScreenSaver
selection_img:
  - Image|endswith: \rundll32.exe
  - OriginalFileName: RUNDLL32.EXE
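
The detection logic above, evaluated over process-creation events, as an added example that is not part of the Sigma rule or of this page. The events are constructed, the helper and function names are illustrative, and it assumes Sigma's default case-insensitive string matching and OR semantics for a list of maps under one selection.

```python
# Added example: evaluates the rule's detection logic over constructed events.
# Assumption: Sigma string comparisons are case-insensitive by default.

def _contains(value, needle):
    return needle.lower() in (value or "").lower()

def _endswith(value, suffix):
    return (value or "").lower().endswith(suffix.lower())

def _equals(value, expected):
    return (value or "").lower() == expected.lower()

def selection_cli(event):
    # CommandLine|contains: InstallScreenSaver
    return _contains(event.get("CommandLine"), "InstallScreenSaver")

def selection_img(event):
    # A list of maps under one selection is OR-ed: either field may match,
    # so a renamed copy is still caught through OriginalFileName.
    return (_endswith(event.get("Image"), "\\rundll32.exe")
            or _equals(event.get("OriginalFileName"), "RUNDLL32.EXE"))

def matches(event):
    # condition: all of selection_*
    return selection_cli(event) and selection_img(event)

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"name": "direct", "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe desk.cpl,InstallScreenSaver C:\Users\Public\example.scr"},
    {"name": "renamed_binary", "Image": r"C:\Users\Public\notes.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"notes.exe desk.cpl,InstallScreenSaver C:\Users\Public\example.scr"},
    {"name": "other_export", "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"name": "string_only", "Image": r"C:\Windows\System32\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": "findstr InstallScreenSaver rules.yml"},
]

def hits(events):
    return [e["name"] for e in events if matches(e)]

if __name__ == "__main__":
    for name in hits(SAMPLE_EVENTS):
        print("ALERT", name)
```

The last two events show why both selections are required: the image match alone would alert on every rundll32.exe launch, and the command-line match alone would alert on any process that merely mentions the string.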