Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.
The following screensaver settings are stored in the Registry (<code>HKCU\Control Panel\Desktop\</code>) and could be manipulated to achieve persistence:
Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)
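
A defender can audit these settings by comparing the configured screensaver against the system directories named above. The following is an added example, not part of the original page or of any ATT&CK tooling: it parses the text output of `reg query "HKCU\Control Panel\Desktop"` and flags a screensaver path that is outside those directories or is not a .scr file. The value names `SCRNSAVE.EXE`, `ScreenSaveActive` and `ScreenSaveTimeOut` are the standard Windows names and are not listed on this page; the sample output is constructed.

```python
import ntpath
import re

# Directories the page names as holding the stock Windows screensavers.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# One value line of `reg query` text output: four spaces, name, type, data.
VALUE_LINE = re.compile(r"^\s{4}(\S+)\s+(REG_\w+)\s*(.*)$")

# Constructed sample output, not taken from a real host.
SAMPLE = r"""
HKEY_CURRENT_USER\Control Panel\Desktop
    ScreenSaveActive    REG_SZ    1
    ScreenSaverIsSecure    REG_SZ    0
    ScreenSaveTimeOut    REG_SZ    60
    SCRNSAVE.EXE    REG_SZ    C:\Users\alice\AppData\Roaming\example.exe
"""


def parse_reg_query(text):
    """Return {lowercased value name: data} parsed from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values


def audit_screensaver(values):
    """Return findings for the screensaver settings; empty list means clean."""
    path = values.get("scrnsave.exe", "").strip('"')
    if not path:
        return []  # no screensaver configured, so nothing to trigger
    findings = []
    # Assumption: an absolute path; unexpanded %VARS% are reported for review.
    norm = ntpath.normpath(path).lower()
    if ntpath.dirname(norm) not in TRUSTED_DIRS:
        findings.append(f"SCRNSAVE.EXE outside system directories: {path}")
    if not norm.endswith(".scr"):
        findings.append(f"SCRNSAVE.EXE is not a .scr file: {path}")
    if findings and values.get("screensaveactive") == "1":
        timeout = values.get("screensavetimeout", "unknown")
        findings.append(f"trigger armed: runs after {timeout}s of inactivity")
    return findings


if __name__ == "__main__":
    for finding in audit_screensaver(parse_reg_query(SAMPLE)):
        print(finding)
```
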

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
CM-2 | Baseline Configuration | Protects | T1546.002 | Screensaver |
CM-6 | Configuration Settings | Protects | T1546.002 | Screensaver |
CM-7 | Least Functionality | Protects | T1546.002 | Screensaver |
CM-8 | System Component Inventory | Protects | T1546.002 | Screensaver |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1546.002 | Screensaver |
SI-10 | Information Input Validation | Protects | T1546.002 | Screensaver |
SI-3 | Malicious Code Protection | Protects | T1546.002 | Screensaver |
SI-4 | System Monitoring | Protects | T1546.002 | Screensaver |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1546.002 | Screensaver |
attribute.integrity.variety.Alter behavior | Influence or alter human behavior | related-to | T1546.002 | Event Triggered Execution Screensaver |