Techniques
Sample rules
SCR File Write Event
- source: sigma
- techniques:
  - t1218
  - t1218.011
Description
Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as a “.SCR” file, for example by using “rundll32.exe desk.cpl,InstallScreenSaver”.
Detection logic
condition: selection and not filter
filter:
  TargetFilename|contains:
    - :\$WINDOWS.~BT\NewOS\
    - :\Windows\System32\
    - :\Windows\SysWOW64\
    - :\Windows\WinSxS\
    - :\WUDownloadCache\
selection:
  TargetFilename|endswith: .scr
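
The detection logic above, evaluated over constructed file-creation events, as an added example that is not part of the Sigma rule or the original page. It assumes events arrive as dictionaries with a TargetFilename field; the function names and sample paths are hypothetical.

```python
"""Evaluate the rule's 'selection and not filter' condition over file events."""

# Values copied from the rule's filter and selection blocks.
FILTER_CONTAINS = [
    ":\\$WINDOWS.~BT\\NewOS\\",
    ":\\Windows\\System32\\",
    ":\\Windows\\SysWOW64\\",
    ":\\Windows\\WinSxS\\",
    ":\\WUDownloadCache\\",
]
SELECTION_ENDSWITH = ".scr"


def matches_rule(event):
    """Return True when the event satisfies 'selection and not filter'."""
    # Sigma string modifiers compare case-insensitively by default.
    name = str(event.get("TargetFilename", "")).lower()
    selection = name.endswith(SELECTION_ENDSWITH)
    filtered = any(part.lower() in name for part in FILTER_CONTAINS)
    return selection and not filtered


def alerts(events):
    """Return the TargetFilename of every event the rule would flag."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); field name follows the rule.
SAMPLE_EVENTS = [
    {"TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.scr"},
    {"TargetFilename": "C:\\Windows\\System32\\Bubbles.scr"},
    {"TargetFilename": "C:\\WINDOWS\\SYSWOW64\\Mystify.SCR"},
    {"TargetFilename": "D:\\$WINDOWS.~BT\\NewOS\\Windows\\System32\\Ribbons.scr"},
    {"TargetFilename": "C:\\Users\\alice\\Documents\\notes.scr.txt"},
    {"TargetFilename": "C:\\ProgramData\\Temp\\Photos.SCR"},
    {"Image": "C:\\Windows\\explorer.exe"},  # event without a TargetFilename
]

if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```
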