
DET0154 Detect Screensaver-Based Persistence via Registry and Execution Chains

ID: DET0154
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1546.002 (Screensaver)

Analytics

Windows

AN0441

Unusual screensaver (.scr) executions correlated with recent modifications to registry values under HKCU\Control Panel\Desktop such as SCRNSAVE.exe, ScreenSaveTimeout, and ScreenSaveActive. Detection focuses on .scr image paths that are inconsistent with known legitimate screensavers and on executions triggered after the user-inactivity timeout elapses.

Log Sources
Data Component: Process Creation (DC0032) | Name: WinEventLog:Security | Channel: EventCode=4688
Data Component: Windows Registry Key Modification (DC0063) | Name: WinEventLog:Sysmon | Channel: EventCode=13, 14
Mutable Elements
TimeWindow: Adjust the user-inactivity threshold that defines the 'screensaver trigger window'; shorter timeouts increase sensitivity (and potentially false positives).
SuspiciousPathRegex: Tune the expected paths for legitimate .scr files versus suspicious locations (e.g., user temp directories).
ParentProcessAllowList: Allowlist known legitimate initiators of .scr files (e.g., the user32.dll context) to reduce false positives.
RegistryEditorProcessName: Flag registry modifications of the screensaver values performed by unusual processes (e.g., powershell.exe, reg.exe).
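The correlation described by this analytic, written out as an added Python example (not part of the DET0154 strategy or any MITRE tooling): each .scr process creation (Security 4688) is paired with the most recent SCRNSAVE.EXE write (Sysmon 13) inside TimeWindow, and the four mutable elements decide whether the pair is reported. The concrete window, regex, allowlist (winlogon.exe as the expected .scr parent), editor names and the sample events are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Mutable elements from the analytic; these concrete values are assumptions for the example.
TIME_WINDOW = timedelta(minutes=30)                   # 'screensaver trigger window'
SUSPICIOUS_PATH = re.compile(r"\\(Temp|Downloads|Public)\\", re.I)
PARENT_ALLOW_LIST = {"winlogon.exe"}                   # assumed legitimate initiator of .scr files
REGISTRY_EDITORS = {"reg.exe", "powershell.exe", "cmd.exe"}
SCRNSAVE_VALUE = r"HKCU\Control Panel\Desktop\SCRNSAVE.EXE"

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def correlate(events):
    """Return alerts for .scr executions preceded by a SCRNSAVE.EXE write inside TIME_WINDOW."""
    last_reg = None
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["event_id"] == 13 and e["target_object"].lower() == SCRNSAVE_VALUE.lower():
            last_reg = (ts, e)             # remember who changed the screensaver and when
            continue
        if e["event_id"] != 4688 or not e["image"].lower().endswith(".scr"):
            continue
        if last_reg is None or ts - last_reg[0] > TIME_WINDOW:
            continue                       # no recent registry change: ordinary screensaver use
        reasons = []
        if SUSPICIOUS_PATH.search(e["image"]):
            reasons.append("suspicious .scr path")
        if basename(e["parent_image"]) not in PARENT_ALLOW_LIST:
            reasons.append("unexpected parent " + basename(e["parent_image"]))
        if basename(last_reg[1]["image"]) in REGISTRY_EDITORS:
            reasons.append("SCRNSAVE.EXE set by " + basename(last_reg[1]["image"]))
        if reasons:
            alerts.append({"ts": e["ts"], "image": e["image"], "reasons": reasons})
    return alerts

# Constructed sample telemetry (not real logs): a suspicious chain followed by a benign one.
SAMPLE_EVENTS = [
    {"ts": "2025-10-21T09:00:05", "event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": SCRNSAVE_VALUE, "details": r"C:\Users\alice\AppData\Local\Temp\update.scr"},
    {"ts": "2025-10-21T09:16:40", "event_id": 4688, "image": r"C:\Users\alice\AppData\Local\Temp\update.scr",
     "parent_image": r"C:\Windows\System32\winlogon.exe"},
    {"ts": "2025-10-21T11:00:00", "event_id": 13, "image": r"C:\Windows\System32\rundll32.exe",
     "target_object": SCRNSAVE_VALUE, "details": r"C:\Windows\System32\Bubbles.scr"},
    {"ts": "2025-10-21T11:20:00", "event_id": 4688, "image": r"C:\Windows\System32\Bubbles.scr",
     "parent_image": r"C:\Windows\System32\winlogon.exe"},
]
if __name__ == "__main__": print(correlate(SAMPLE_EVENTS))
```

Only the first chain is reported: the .scr lives in a temp directory and its registry value was written by reg.exe, while the stock Bubbles.scr run set through the Control Panel matches no tuned condition.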