Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.[1] The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.
The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:
- SCRNSAVE.exe - set to malicious PE path
- ScreenSaveActive - set to '1' to enable the screensaver
- ScreenSaverIsSecure - set to '0' to not require a password to unlock
- ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.[2]
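As an added example (not from ATT&CK or any of the cited sources), a Python audit of the four registry values listed above: it takes the values as a dict so it runs offline on constructed samples; on a live host they would be read from HKCU\Control Panel\Desktop with winreg. The legitimate-directory list, the %SystemRoot%/%windir% expansion and the 60-second "short timeout" threshold are assumptions.

```python
import ntpath

# Directories that hold the screensavers shipped with Windows (from the page).
LEGIT_SCR_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumed threshold: a timeout this short is unusual for a human-configured screensaver.
SHORT_TIMEOUT_SECONDS = 60


def normalize_path(raw):
    """Lower-case a registry path, strip quotes and expand %SystemRoot%/%windir%."""
    path = raw.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        path = path.replace(var, r"c:\windows")
    return path


def audit_screensaver(values):
    """Inspect the screensaver values from HKCU\\Control Panel\\Desktop.

    `values` maps value name -> data as read from the key (names are matched
    case-insensitively). Returns a list of findings; an empty list means
    nothing resembled T1546.002-style tampering.
    """
    v = {name.lower(): str(data) for name, data in values.items()}
    findings = []

    exe = v.get("scrnsave.exe")
    if exe:
        path = normalize_path(exe)
        folder = ntpath.dirname(path).rstrip("\\")
        if ntpath.splitext(path)[1] != ".scr":
            findings.append(f"SCRNSAVE.exe is not a .scr file: {exe}")
        if folder not in LEGIT_SCR_DIRS:
            findings.append(f"SCRNSAVE.exe outside standard screensaver directories: {exe}")

    if exe and v.get("screensaveactive") == "1" and v.get("screensaverissecure") == "0":
        findings.append("Screensaver enabled but does not lock the session (ScreenSaverIsSecure=0)")

    timeout = v.get("screensavetimeout", "")
    if timeout.isdigit() and int(timeout) < SHORT_TIMEOUT_SECONDS:
        findings.append(f"ScreenSaveTimeout unusually short: {timeout}s")

    return findings


# Constructed sample values: a benign Windows default beside a tampered configuration.
BENIGN = {"SCRNSAVE.EXE": r"C:\Windows\System32\scrnsave.scr",
          "ScreenSaveActive": "1", "ScreenSaverIsSecure": "1", "ScreenSaveTimeout": "600"}
TAMPERED = {"SCRNSAVE.EXE": r"C:\Users\Public\update.scr",
            "ScreenSaveActive": "1", "ScreenSaverIsSecure": "0", "ScreenSaveTimeout": "30"}

if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(label, audit_screensaver(cfg) or ["no findings"])
```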
| ID | Name | Description |
|---|---|---|
| S0168 | Gazer | Gazer can establish persistence through the system screensaver by configuring it to execute the malware.[2] |
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Use Group Policy to disable screensavers if they are unnecessary.[3] |
| M1038 | Execution Prevention | Block .scr files from being executed from non-standard locations. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0154 | Detect Screensaver-Based Persistence via Registry and Execution Chains | AN0441 | Unusual screensaver (.scr) executions correlated with recent registry modifications to HKCU\Control Panel\Desktop values such as SCRNSAVE.exe, ScreenSaveTimeout, and ScreenSaveActive. Detection focuses on PE image paths not consistent with known legitimate screensavers and triggered after the user inactivity timeout. |