SCR File Execution Using Rundll32 (T1218.011) | Security Spotlight

The Security Spotlight series provides visibility into the ways you can leverage LogRhythm tools against a variety of threats. In this video, we give a quick overview of how malicious files with the .scr extension are executed through rundll32.exe. Learn how LogRhythm can help you detect this specific threat, plus check out the additional resources below.

LogRhythm customers can learn more and download this rule on the Community page: https://community.logrhythm.com/t5/Subscription-Services-Knowledge/Use-Case-T1218-001-Rundll32-SCR-File-amp-InstallScreenSaver/ta-p/598269

Additional Resources:

Github, InstallScreenSaver compromise – https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files/

LOLBAS project – https://lolbas-project.github.io/lolbas/Libraries/Desk/

Howtogeek, what is rundll32.exe – https://www.howtogeek.com/1220/what-is-rundll32exe-and-why-is-it-running/

MITRE T1218.011 – https://attack.mitre.org/techniques/T1218/011/
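The check the video describes, as an added illustration rather than LogRhythm's rule or any code from the resources above: rundll32.exe launching a .scr file through the desk.cpl InstallScreenSaver export (the pattern documented in the LOLBAS desk.cpl entry linked above). The record layout (Image, CommandLine, ParentImage) mirrors Sysmon process-creation events and is an assumption; the sample events are constructed for the example.

```python
"""Flag process-creation events where rundll32.exe is used to run a .scr file
(MITRE T1218.011). Added example, not LogRhythm's rule. The field names
Image / CommandLine / ParentImage are an assumption modelled on Sysmon
Event ID 1; the sample events below are constructed, not captured data."""
import ntpath
import re

# Two indicators from the LOLBAS desk.cpl entry: the InstallScreenSaver export
# being called through desk.cpl, and a .scr file appearing on the command line.
INSTALL_SCREENSAVER = re.compile(r"desk\.cpl\s*,\s*InstallScreenSaver", re.IGNORECASE)
# ".scr" only counts when it ends a token (end of line, whitespace, quote or comma),
# so "readme.scr.txt" is not treated as a screensaver file.
SCR_ARGUMENT = re.compile(r"\.scr(?=[\s\",]|$)", re.IGNORECASE)


def evaluate(event):
    """Return the indicators matched by one event; an empty list means not flagged."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "rundll32.exe":
        return []  # the rule is scoped to rundll32.exe as the executing image
    cmd = event.get("CommandLine", "")
    hits = []
    if INSTALL_SCREENSAVER.search(cmd):
        hits.append("desk.cpl,InstallScreenSaver export")
    if SCR_ARGUMENT.search(cmd):
        hits.append(".scr file on command line")
    return hits


def scan(events):
    """Return (index, indicators) for every flagged event, preserving order."""
    return [(i, hits) for i, e in enumerate(events) if (hits := evaluate(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # rundll32 told to "install" a screensaver from a user-writable path: flagged twice
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" desk.cpl,InstallScreenSaver C:\Users\Public\invoice.scr',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {  # ordinary rundll32 use from the shell, no .scr involved: must not fire
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {  # not rundll32 at all: out of scope even though ".scr" appears in the arguments
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\bob\readme.scr.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {  # export invoked with no .scr argument, image path in upper case: one indicator
        "Image": r"C:\WINDOWS\SYSTEM32\RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe desk.cpl,InstallScreenSaver",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["CommandLine"], "->", "; ".join(hits))
```

When both indicators fire on one event the case is strong enough to alert on directly; the export alone is noisier, since legitimate screensaver installs use the same call, so that signal is better combined with the .scr path's location and the parent process than used on its own.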
