The “Security Spotlight” blog series provides insight into emerging cyberthreats and shares tips for how you can leverage LogRhythm’s security tools, services, and out-of-the-box content to defend against attacks.
In this Security Spotlight, we’ll be talking about the execution of malicious files with the .scr extension using rundll32.exe.
What Is SCR File Execution?
The vulnerability in question involves the capacity to manipulate the Windows Desktop Settings Control Panel to execute arbitrary binaries.
Rundll32.exe is a standard part of the Windows operating system that is used to run Dynamic Link Libraries, which are ubiquitous across a Windows installation and used to store code and provide functions to Windows processes and third-party applications.
The above method utilises the Rundll32.exe to repurpose the InstallScreenSaver function, usually reserved for configuring screensavers, to execute any binary masked as a .scr file.
Adversaries just need to rename a recognized binary, such as cmd.exe or something more malicious, with a .scr extension. The desk.cpl utility can then be used to trigger its execution, even with only base user privileges.
Why Should You Look Out For Malicious SCR Files?
Similar to other Living off the Land style attacks, one of the most difficult aspects of this type of malicious activity is undoubtably the adversary’s ability to hide in plain sight. By concealing the malicious payload within an innocuous .scr file extension, there is little chance for security teams to actively monitor the issue. Hence, once a payload has been concealed, the potential dwell time for an attacker is significantly increased and they are able to gain greater control over the victim’s environment.
Living off the land is a recognised technique that has been in existence since the middle of the 2010’s, though it is undeniable that adversaries have been employing the strategy of hiding in plain sight for much longer than that.
The MITRE website clearly shows that it would almost be easier to identify threat actors that do not leverage rundll32 as a method of hiding, even though the specific use of InstallScreenSaver function has not been attributed to any major attack thus far.
How Can LogRhythm Help?
Microsoft Sysmon, serving as an advanced monitoring data source, plays a pivotal role in detecting the consequences of such attacks. In particular, event ID 13 records registry value alterations. This is important as key registry entries associated with the .scr file’s execution are vital points of detection.
To address this, the Analytic Co-Pilot team have devised a specialized enhancement for the Microsoft Sysmon XML Configuration file and a pair of AI Engine Rules designed to swiftly detect any unauthorized or malicious uses of the InstallScreenSaver function.
These two rules developed look for the execution of the InstallScreenSaver function as elucidated at the start of this blog, and then monitor for changes to the registry entries related to .scr file executions.
For more information on how to enable these rules within your LogRhythm deployment, check out our community page to read more, download, and then import the rule into your platform.
For other Security Spotlight episodes, you can access the full playlist here.