Event Triggered Execution: Screensaver

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.[1] The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.

The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:

  • SCRNSAVE.exe - set to malicious PE path
  • ScreenSaveActive - set to '1' to enable the screensaver
  • ScreenSaverIsSecure - set to '0' to not require a password to unlock
  • ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. [2]

ID: T1546.002
Sub-technique of:  T1546
Tactics: Privilege Escalation, Persistence
Platforms: Windows
Permissions Required: User
Data Sources: File monitoring, Process command-line parameters, Process monitoring, Windows Registry
Contributors: Bartosz Jerzman
Version: 1.0
Created: 24 January 2020
Last Modified: 23 March 2020

Procedure Examples

Name Description
Gazer

Gazer can establish persistence through the system screensaver by configuring it to execute the malware.[2]

Mitigations

Mitigation Description
Disable or Remove Feature or Program

Use Group Policy to disable screensavers if they are unnecessary.[3]

Execution Prevention

Block .scr files from being executed from non-standard locations.

Detection

Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.

Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.

References