1. Home
  2. Techniques
  3. Enterprise
  4. Event Triggered Execution
  5. Screensaver

Event Triggered Execution: Screensaver

ID Name
T1546.001 Change Default File Association
T1546.002 Screensaver
T1546.003 Windows Management Instrumentation Event Subscription
T1546.004 Unix Shell Configuration Modification
T1546.005 Trap
T1546.006 LC_LOAD_DYLIB Addition
T1546.007 Netsh Helper DLL
T1546.008 Accessibility Features
T1546.009 AppCert DLLs
T1546.010 AppInit DLLs
T1546.011 Application Shimming
T1546.012 Image File Execution Options Injection
T1546.013 PowerShell Profile
T1546.014 Emond
T1546.015 Component Object Model Hijacking
T1546.016 Installer Packages

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.[1] The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.

The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:

  • SCRNSAVE.exe - set to malicious PE path
  • ScreenSaveActive - set to '1' to enable the screensaver
  • ScreenSaverIsSecure - set to '0' to not require a password to unlock
  • ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.[2]

ID: T1546.002
Sub-technique of:  T1546
Platforms: Windows
Permissions Required: User
Contributors: Bartosz Jerzman
Version: 1.2
Created: 24 January 2020
Last Modified: 28 July 2023
Version Permalink

Procedure Examples

ID Name Description
S0168 Gazer

Gazer can establish persistence through the system screensaver by configuring it to execute the malware.[2]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Use Group Policy to disable screensavers if they are unnecessary.[3]
M1038 Execution Prevention

Block .scr files from being executed from non-standard locations.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments of .scr files.
DS0022 File File Creation

Monitor newly constructed files that may establish persistence by executing malicious content triggered by user inactivity.

Analytic 1 - Created on disk that are being used as Screensaver files

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="11") TargetObject="\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE"

File Modification

Monitor for changes made to files that may establish persistence by executing malicious content triggered by user inactivity.

Note: Although there are no standard events for file modification, Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted accesses of screensaver files (typically ending in a file extension of .scr).

DS0009 Process Process Creation

Monitor newly executed processes that may establish persistence by executing malicious content triggered by user inactivity.

Analytic 1 - HKCU\Control Panel\Desktop registry key

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") | where CommandLine LIKE "%reg%" AND CommandLine LIKE "%add%" AND CommandLine LIKE "%HKCU\Control Panel\Desktop\%"
DS0024 Windows Registry Windows Registry Key Modification

Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior. Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Default screen saver files are stored in C:\Windows\System32. Use these files as a reference when defining list of not suspicious screen saver files.

Analytic 1 - Registry Edit from Screensaver

source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (13, 14) TargetObject="\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE"

References

  1. Wikipedia. (2017, November 22). Screensaver. Retrieved December 5, 2017.
  2. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  1. Microsoft. (n.d.). Customizing the Desktop. Retrieved December 5, 2017.