T1546.002: Screensaver

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable period of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in C:\Windows\System32, and in C:\Windows\SysWOW64 on 64-bit Windows systems, alongside the screensavers included with base Windows installations.

The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop) and could be manipulated to achieve persistence:

  • SCRNSAVE.exe - set to malicious PE path
  • ScreenSaveActive - set to '1' to enable the screensaver
  • ScreenSaverIsSecure - set to '0' to not require a password to unlock
  • ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_persistence: PT-CR-270: Windows_Screensaver_Modification: An attempt to persist as a screen saver is detected

Detection

ID: DS0022
Data source and component: File: File Modification
Description:

Monitor for changes made to files that may establish persistence by executing malicious content triggered by user inactivity.

Note: Although there are no standard events for file modification, Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted accesses of screensaver files (typically ending in a file extension of .scr).

ID: DS0022
Data source and component: File: File Creation
Description:

Monitor newly constructed files that may establish persistence by executing malicious content triggered by user inactivity.

Analytic 1 - Files created on disk that are used as screensaver files

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="11") TargetObject="\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE"

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments of .scr files.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor newly executed processes that may establish persistence by executing malicious content triggered by user inactivity.

Analytic 1 - Commands that write to the HKCU\Control Panel\Desktop registry key

(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") | where CommandLine LIKE "%reg%" AND CommandLine LIKE "%add%" AND CommandLine LIKE "%HKCU\Control Panel\Desktop%"

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Modification
Description:

Monitor changes to the screensaver configuration in the Registry that do not correlate with typical user behavior. Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Default screensaver files are stored in C:\Windows\System32; use these files as a reference when defining an allowlist of known-good screensaver files.

Analytic 1 - Registry edit of the screensaver binary path

source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (13, 14) TargetObject="\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE"

Mitigation

ID: M1038
Name: Execution Prevention
Description:

Block .scr files from being executed from non-standard locations.

ID: M1042
Name: Disable or Remove Feature or Program
Description:

Use Group Policy to disable screensavers if they are unnecessary.