T1546.002 Screensaver Mappings

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.

The following screensaver settings are stored in the Registry (<code>HKCU\Control Panel\Desktop\</code>) and could be manipulated to achieve persistence:

  • <code>SCRNSAVE.exe</code> - set to malicious PE path
  • <code>ScreenSaveActive</code> - set to '1' to enable the screensaver
  • <code>ScreenSaverIsSecure</code> - set to '0' to not require a password to unlock
  • <code>ScreenSaveTimeout</code> - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-2 Baseline Configuration Protects T1546.002 Screensaver
CM-6 Configuration Settings Protects T1546.002 Screensaver
CM-7 Least Functionality Protects T1546.002 Screensaver
CM-8 System Component Inventory Protects T1546.002 Screensaver
RA-5 Vulnerability Monitoring and Scanning Protects T1546.002 Screensaver
SI-10 Information Input Validation Protects T1546.002 Screensaver
SI-3 Malicious Code Protection Protects T1546.002 Screensaver
SI-4 System Monitoring Protects T1546.002 Screensaver
SI-7 Software, Firmware, and Information Integrity Protects T1546.002 Screensaver
attribute.integrity.variety.Alter behavior Influence or alter human behavior related-to T1546.002 Event Triggered Execution Screensaver