
T1546.002 Screensaver

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.[2] The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.

The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:

  • SCRNSAVE.exe - set to malicious PE path
  • ScreenSaveActive - set to ‘1’ to enable the screensaver
  • ScreenSaverIsSecure - set to ‘0’ to not require a password to unlock
  • ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.[1]

| Item | Value |
|---|---|
| ID | T1546.002 |
| Sub-techniques | T1546.001, T1546.002, T1546.003, T1546.004, T1546.005, T1546.006, T1546.007, T1546.008, T1546.009, T1546.010, T1546.011, T1546.012, T1546.013, T1546.014, T1546.015, T1546.016 |
| Tactics | TA0004, TA0003 |
| Platforms | Windows |
| Permissions required | User |
| Version | 1.1 |
| Created | 24 January 2020 |
| Last Modified | 21 April 2023 |

Procedure Examples

| ID | Name | Description |
|---|---|---|
| S0168 | Gazer | Gazer can establish persistence through the system screensaver by configuring it to execute the malware.[1] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Use Group Policy to disable screensavers if they are unnecessary.[3] |
| M1038 | Execution Prevention | Block .scr files from being executed from non-standard locations. |

Detection

| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Creation |
| DS0009 | Process | Process Creation |
| DS0024 | Windows Registry | Windows Registry Key Modification |
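
An added example (not part of the ATT&CK page): a Python check for the Windows Registry Key Modification data component that audits a snapshot of SCRNSAVE.exe, ScreenSaveActive and ScreenSaveTimeout from HKCU\Control Panel\Desktop\. The function name, finding labels and sample snapshots are constructed for illustration, and Windows is assumed to be installed at C:\Windows.

```python
import ntpath

# Directories the page names for the stock Windows screensavers.
# Assumption: Windows is installed under C:\Windows.
STANDARD_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def audit_screensaver(values):
    """Assess one user's HKCU\\Control Panel\\Desktop screensaver values.

    `values` maps value names to the strings stored in the Registry.
    """
    # Registry value names are case-insensitive.
    v = {k.lower(): str(d).strip() for k, d in values.items()}
    raw = v.get("scrnsave.exe", "").strip('"')
    if not raw:
        return {"path": None, "reasons": [], "armed": False, "timeout": None}

    # Expand the usual Windows-directory variables, then collapse ".." and
    # mixed slashes so lookalike paths compare equal.
    low = raw.lower()
    for var in ("%systemroot%", "%windir%"):
        low = low.replace(var, r"c:\windows")
    path = ntpath.normpath(low)

    reasons = []
    # A bare file name has no directory and is flagged for review as well.
    if ntpath.dirname(path) not in STANDARD_DIRS:
        reasons.append("outside-standard-dirs")
    if ntpath.splitext(path)[1] != ".scr":
        reasons.append("not-scr-extension")

    t = v.get("screensavetimeout", "")
    return {
        "path": path,
        "reasons": reasons,
        # The payload only runs on idle if the screensaver is enabled.
        "armed": bool(reasons) and v.get("screensaveactive") == "1",
        "timeout": int(t) if t.isdigit() else None,  # seconds of inactivity
    }


# Constructed snapshots, not taken from any real host.
BENIGN = {"SCRNSAVE.EXE": r"C:\Windows\system32\Mystify.scr",
          "ScreenSaveActive": "1", "ScreenSaveTimeout": "900"}
SUSPECT = {"SCRNSAVE.EXE": r"C:\Users\Public\update.scr",
           "ScreenSaveActive": "1", "ScreenSaveTimeout": "60"}
TRAVERSAL = {"SCRNSAVE.EXE": r"C:\Windows\System32\..\Temp\svc.exe",
             "ScreenSaveActive": "0"}
```

On a live host the same dictionary can be filled from the Registry or from registry-modification telemetry; the path normalization is what keeps a `..` segment from passing as a System32 location.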

References