Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.
The following screensaver settings are stored in the Registry (<code>HKCU\Control Panel\Desktop\</code>) and could be manipulated to achieve persistence:
Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1546.002 | Screensaver | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1546.002 | Screensaver | |
| CM-08 | System Component Inventory | mitigates | T1546.002 | Screensaver | |
| SI-10 | Information Input Validation | mitigates | T1546.002 | Screensaver | |
| SI-03 | Malicious Code Protection | mitigates | T1546.002 | Screensaver | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1546.002 | Screensaver | |
| CM-02 | Baseline Configuration | mitigates | T1546.002 | Screensaver | |
| CM-07 | Least Functionality | mitigates | T1546.002 | Screensaver | |
| SI-04 | System Monitoring | mitigates | T1546.002 | Screensaver |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| attribute.integrity.variety.Alter behavior | Influence or alter human behavior | related-to | T1546.002 | Screensaver |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1546.002 | Screensaver |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1546.002 | Screensaver |
Comments
This control may detect when a suspicious screensaver process is executed, based on the location of the .scr file. Because this detection is based solely on the location of the file, it has been scored as Partial. The following alerts may be generated: "Suspicious Screensaver process executed".
References
|