SCR File Write Event (c048f047-7e2a-4888-b302-55f509d4a91d)

Detects the creation of screensaver files (.scr) outside of system folders. For example, attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver".

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| SCR File Write Event (c048f047-7e2a-4888-b302-55f509d4a91d) | Sigma-Rules | Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) | Attack Pattern | 1 |
| Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2 |