T1546.002 Screensaver
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.
The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:
SCRNSAVE.exe - set to malicious PE path
ScreenSaveActive - set to ‘1’ to enable the screensaver
ScreenSaverIsSecure - set to ‘0’ to not require a password to unlock
ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed
Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.
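A defender-side check for the Registry values listed above, as an added example that is not part of the original page: it parses the output of `reg query "HKCU\Control Panel\Desktop"` (the sample is constructed) and flags an active screensaver whose SCRNSAVE.exe path falls outside the two system directories named above. The function names and the 120-second timeout threshold are assumptions made for this example.

```python
import re
from ntpath import normpath

# Directories the page names as holding the screensavers shipped with Windows.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SHORT_TIMEOUT_SECONDS = 120  # assumed triage threshold, not from the page

# Constructed sample of `reg query "HKCU\Control Panel\Desktop"` output.
SAMPLE = r"""
HKEY_CURRENT_USER\Control Panel\Desktop
    ScreenSaveActive    REG_SZ    1
    ScreenSaverIsSecure    REG_SZ    0
    ScreenSaveTimeout    REG_SZ    60
    SCRNSAVE.EXE    REG_SZ    C:\Users\alice\AppData\Roaming\update.scr
"""

def parse_reg_query(text):
    """Map lower-cased value names to their data from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(.+?)\s{2,}REG_\w+\s*(.*)$", line)
        if m:
            values[m.group(1).lower()] = m.group(2).strip()
    return values

def assess(values):
    """Return findings for the screensaver settings listed on the page."""
    scr = values.get("scrnsave.exe", "")
    if values.get("screensaveactive") != "1" or not scr:
        return []  # screensaver disabled or unset, so nothing is launched
    path = normpath(scr.strip('"')).lower()
    findings = []
    if path.rpartition("\\")[0] not in TRUSTED_DIRS:
        findings.append(f"SCRNSAVE.EXE outside system directories: {scr}")
    if not path.endswith(".scr"):
        findings.append(f"SCRNSAVE.EXE is not a .scr file: {scr}")
    if not findings:
        return []
    # Context that only matters once the binary itself looks wrong.
    if values.get("screensaverissecure", "0") == "0":
        findings.append("ScreenSaverIsSecure=0: no password on resume")
    timeout = values.get("screensavetimeout", "")
    if timeout.isdigit() and int(timeout) < SHORT_TIMEOUT_SECONDS:
        findings.append(f"ScreenSaveTimeout is short: {timeout}s")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_reg_query(SAMPLE)):
        print(finding)
```

A SCRNSAVE.exe value that is a bare file name has no directory component and is reported as outside the system directories; paths are normalized first, so `..` segments under System32 do not pass the check.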
Item | Value |
ID | T1546.002 |
Sub-techniques | T1546.001, T1546.002, T1546.003, T1546.004, T1546.005, T1546.006, T1546.007, T1546.008, T1546.009, T1546.010, T1546.011, T1546.012, T1546.013, T1546.014, T1546.015 |
Tactics | TA0004, TA0003 |
Platforms | Windows |
Permissions required | User |
Version | 1.0 |
Created | 24 January 2020 |
Last Modified | 20 April 2022 |
Procedure Examples
ID | Name | Description |
S0168 | Gazer | Gazer can establish persistence through the system screensaver by configuring it to execute the malware. |
Mitigations
Detection
References