Suspicious Screensaver Binary File Creation
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable period of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
Log Source
Product: windows
Category: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic (3 selectors)
detection:
  selection:
    TargetFilename|endswith: '.scr'
  filter_generic:
    Image|endswith:
      - '\Kindle.exe'
      - '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection
  filter_tiworker:
    # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
    Image|endswith: '\TiWorker.exe'
    TargetFilename|endswith: '\uwfservicingscr.scr'
  condition: selection and not 1 of filter_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
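To make the selection/filter semantics concrete, here is an added plain-Python equivalent of the rule's logic (not code from the Sigma project or the rule's author) run over constructed Sysmon Event ID 11 file-create records; the sample paths are hypothetical. It applies Sigma's default case-insensitive string matching, which is why a file named update.SCR still fires.

```python
"""Plain-Python rendering of the Sigma rule above (added example).

Sigma string modifiers such as |endswith match case-insensitively by
default, so both Image and TargetFilename are lower-cased before comparison.
"""

# Mirrors the rule's selection and filter_* blocks (lower-cased for matching).
SELECTION_SUFFIX = ".scr"
FILTER_GENERIC_IMAGES = ("\\kindle.exe", "\\bin\\ccsvchst.exe")
FILTER_TIWORKER_IMAGE = "\\tiworker.exe"
FILTER_TIWORKER_TARGET = "\\uwfservicingscr.scr"


def matches_rule(event: dict) -> bool:
    """Return True when a file-create event satisfies:
    condition: selection and not 1 of filter_*
    """
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()

    selection = target.endswith(SELECTION_SUFFIX)
    # A list under one field is an OR; two fields in one filter are an AND.
    filter_generic = any(image.endswith(s) for s in FILTER_GENERIC_IMAGES)
    filter_tiworker = (image.endswith(FILTER_TIWORKER_IMAGE)
                       and target.endswith(FILTER_TIWORKER_TARGET))
    return selection and not (filter_generic or filter_tiworker)


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\update.SCR"},
    {"Image": r"C:\Program Files\Symantec\Bin\ccSvcHst.exe",
     "TargetFilename": r"C:\ProgramData\Symantec\sep.scr"},
    {"Image": r"C:\WINDOWS\WinSxS\amd64_x\TiWorker.exe",
     "TargetFilename": r"C:\Windows\System32\uwfservicingscr.scr"},
    {"Image": r"C:\WINDOWS\WinSxS\amd64_x\TiWorker.exe",
     "TargetFilename": r"C:\Windows\Temp\other.scr"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\notes.txt"},
]


def alerts(events):
    """Return the TargetFilename of every event that fires the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for name in alerts(SAMPLE_EVENTS):
        print("ALERT suspicious .scr creation:", name)
```

Note that TiWorker.exe is only excluded for the single uwfservicingscr.scr target, so any other .scr it writes still alerts, as the fourth sample shows.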
MITRE ATT&CK
Tactics: Persistence, Privilege Escalation
Sub-technique: T1546.002 (Event Triggered Execution: Screensaver)
Rule Metadata
Rule ID: 97aa2e88-555c-450d-85a6-229bcd87efb8
Status: test
Level: medium
Type: Detection
Created: Wed Dec 29
Modified: Tue Nov 08
Author:
Path: rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
Raw Tags: attack.privilege-escalation, attack.persistence, attack.t1546.002