
Summary
The 'SCR File Write Event' rule detects the creation of Windows screensaver files (files with a .scr extension) outside the standard system directories. The detection matters because a .scr file is an ordinary executable: an attacker can drop a payload with that extension and have Windows run it through a legitimate utility, for example `rundll32.exe desk.cpl,InstallScreenSaver` followed by the path to the file, which launches the payload under the guise of a screensaver installation. The rule inspects file events, matches target filenames that end with '.scr' (the comparison should be case-insensitive, as Windows paths are), and filters out known safe system directories to reduce noise; a .scr file written anywhere else triggers an alert.

Legitimate third-party software installations may also create screensaver files, so the rule documents that case as an expected false positive. Hits should therefore be triaged on the writing process (its image, parent and user) rather than suppressed wholesale, and the directory filter should be kept narrow, since a write into a genuine system directory already requires elevated privileges.
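As an added example, not code from the page or from the rule's own definition, the following Python applies the detection logic as the summary describes it to a handful of constructed Sysmon-style file-create records. The list of excluded system directories, the event fields, and all paths, image names and users are assumptions made for this illustration, since the page does not list them. The `rundll32` command-line check at the end is a hypothetical companion check on process-create telemetry that goes beyond the file-event rule itself.

```python
"""Added example: 'SCR File Write Event' logic over constructed file-create records."""
from dataclasses import dataclass
from typing import Iterable, List

# Assumption: the page says the rule filters "known safe system directories"
# without listing them; these three are illustrative, not the rule's exact list.
# Each prefix ends in a backslash so a sibling directory such as
# C:\Windows\System32_old\ is NOT treated as safe.
SAFE_SYSTEM_DIRS = (
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
    "C:\\Windows\\WinSxS\\",
)


@dataclass(frozen=True)
class FileCreateEvent:
    """Minimal shape of a file-create record (e.g. Sysmon Event ID 11)."""
    target_filename: str
    image: str          # process that wrote the file
    user: str


def is_scr_file(path: str) -> bool:
    # Windows paths are case-insensitive; match .scr, .SCR and .Scr alike.
    return path.lower().endswith(".scr")


def in_safe_system_dir(path: str) -> bool:
    lowered = path.lower()
    return any(lowered.startswith(d.lower()) for d in SAFE_SYSTEM_DIRS)


def matches_scr_write_rule(event: FileCreateEvent) -> bool:
    """True when the event would fire the 'SCR File Write Event' rule."""
    return is_scr_file(event.target_filename) and not in_safe_system_dir(
        event.target_filename
    )


def run_detection(events: Iterable[FileCreateEvent]) -> List[FileCreateEvent]:
    """Return the events that should raise an alert."""
    return [e for e in events if matches_scr_write_rule(e)]


def is_installscreensaver_launch(command_line: str) -> bool:
    """Hypothetical companion check (not part of the file-event rule): the
    rundll32 desk.cpl,InstallScreenSaver launch pattern in process-create data."""
    cl = command_line.lower()
    return "rundll32" in cl and "desk.cpl,installscreensaver" in cl


# Constructed sample events; every path, image and user below is made up.
SAMPLE_EVENTS = [
    # 1. Dropper writing a .SCR into a user temp directory: should alert.
    FileCreateEvent("C:\\Users\\alice\\AppData\\Local\\Temp\\update.SCR",
                    "C:\\Users\\alice\\Downloads\\invoice.exe", "CORP\\alice"),
    # 2. Windows servicing writing a stock screensaver into System32: excluded.
    FileCreateEvent("C:\\Windows\\System32\\Bubbles.scr",
                    "C:\\Windows\\System32\\TiWorker.exe", "NT AUTHORITY\\SYSTEM"),
    # 3. Look-alike directory next to System32: must NOT be treated as safe.
    FileCreateEvent("C:\\Windows\\System32_old\\evil.scr",
                    "C:\\Users\\bob\\stage.exe", "CORP\\bob"),
    # 4. '.scr' in the middle of the name only: not a screensaver file.
    FileCreateEvent("C:\\Users\\alice\\notes.scr.txt",
                    "C:\\Windows\\System32\\notepad.exe", "CORP\\alice"),
    # 5. Third-party installer shipping a screensaver: the documented false positive.
    FileCreateEvent("C:\\ProgramData\\SomeVendor\\Saver.scr",
                    "C:\\ProgramData\\SomeVendor\\setup.exe", "CORP\\alice"),
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT scr write: {hit.target_filename} by {hit.image} ({hit.user})")
```

Event 5 is the case the rule's false-positive note covers: the logic cannot tell a vendor installer from a dropper, so the writing image and user are carried along in the event for triage rather than used to suppress the alert.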
Categories
- Endpoint
- Windows
Data Sources
- File
Created: 2022-04-27