T1546.002 Screensaver Mappings

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.

The following screensaver settings are stored in the Registry (<code>HKCU\Control Panel\Desktop\</code>) and could be manipulated to achieve persistence:

  • <code>SCRNSAVE.exe</code> - set to malicious PE path
  • <code>ScreenSaveActive</code> - set to '1' to enable the screensaver
  • <code>ScreenSaverIsSecure</code> - set to '0' so that no password is required to unlock
  • <code>ScreenSaveTimeout</code> - sets the user inactivity timeout before the screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)
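The following PowerShell audit is an added example, not code from the mapping page or from MITRE. It reads the <code>HKCU\Control Panel\Desktop</code> values listed above for the current user and reports the combinations that match the persistence pattern (a screensaver path outside the Windows screensaver directories, an unsigned or missing binary, password lock disabled, a very short timeout). The 60-second timeout threshold and the use of Authenticode signature status as a check are assumptions of this example.

```powershell
# Added example, not from the mapping page or from MITRE: audit the HKCU
# screensaver values for the persistence pattern described above.
# Assumes it runs in the context of the user whose hive is being checked.
function Test-ScreensaverPersistence {
    $key      = 'HKCU:\Control Panel\Desktop'
    $trusted  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    $props    = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $findings = @()
    if (-not $props) { return $findings }

    $scr = $props.'SCRNSAVE.EXE'
    if ($scr) {
        # Registry data may be quoted or use %SystemRoot%; normalise before comparing
        $target = [Environment]::ExpandEnvironmentVariables(([string]$scr).Trim('"'))
        $dir    = ([string](Split-Path -Path $target -Parent)).TrimEnd('\')
        $inTrusted = $trusted | Where-Object { $dir -ieq $_ }
        if (-not $inTrusted) {
            $findings += "SCRNSAVE.EXE points outside System32/SysWOW64: $target"
        }
        if (Test-Path -LiteralPath $target) {
            # Screensavers shipped with Windows are Microsoft-signed (assumed check)
            $sig = Get-AuthenticodeSignature -FilePath $target
            if ($sig.Status -ne 'Valid') {
                $findings += "Screensaver binary signature status is $($sig.Status): $target"
            }
        } else {
            $findings += "SCRNSAVE.EXE target does not exist on disk: $target"
        }
    }
    if ($props.ScreenSaveActive -eq '1' -and $props.ScreenSaverIsSecure -eq '0') {
        $findings += 'Screensaver active but ScreenSaverIsSecure=0 (no lock on resume)'
    }
    # Threshold is an assumption of this example, not a Windows default
    if ($props.ScreenSaveTimeout -and [int]$props.ScreenSaveTimeout -lt 60) {
        $findings += "ScreenSaveTimeout is only $($props.ScreenSaveTimeout) seconds"
    }
    return $findings
}

$result = Test-ScreensaverPersistence
if ($result.Count -eq 0) { 'No suspicious screensaver settings found' } else { $result }
```

Run it per user (or against loaded user hives under HKU) to cover every profile on the host, since the values live in each user's own hive.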


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
| --- | --- | --- | --- | --- | --- |
| CM-2 | Baseline Configuration | Protects | T1546.002 | Screensaver | |
| CM-6 | Configuration Settings | Protects | T1546.002 | Screensaver | |
| CM-7 | Least Functionality | Protects | T1546.002 | Screensaver | |
| CM-8 | System Component Inventory | Protects | T1546.002 | Screensaver | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1546.002 | Screensaver | |
| SI-10 | Information Input Validation | Protects | T1546.002 | Screensaver | |
| SI-3 | Malicious Code Protection | Protects | T1546.002 | Screensaver | |
| SI-4 | System Monitoring | Protects | T1546.002 | Screensaver | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1546.002 | Screensaver | |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1546.002 | Screensaver | This control may detect when a suspicious screensaver process is executed, based on the location of the .scr file. Because this detection is based solely on the location of the file, it has been scored as Partial. The following alerts may be generated: "Suspicious Screensaver process executed". |
| file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1546.002 | Screensaver | This control may detect changes to the Windows registry or files that indicate event-triggered execution. The specificity of the registry keys and files used to create or modify these scheduled tasks may reduce the false positive rate. At worst, this control scans for changes on an hourly basis. |