Description
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.
The following screensaver settings are stored in the Registry under HKCU\Control Panel\Desktop\ (all REG_SZ string values) and could be manipulated to achieve persistence:
- SCRNSAVE.exe - path of the screensaver binary; set to the path of a malicious PE
- ScreenSaveActive - set to '1' to enable the screensaver
- ScreenSaverIsSecure - set to '0' so that no password is required to unlock after the screensaver runs
- ScreenSaveTimeout - user inactivity timeout, in seconds, before the screensaver binary is executed
Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)
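The following is an added triage example, not code from ATT&CK or from the Gazer sample described by ESET. It parses a .reg export of HKCU\Control Panel\Desktop (the kind collected during host triage) and applies the checks a responder would make against the four values above: is SCRNSAVE.exe pointing at a .scr outside the Windows screensaver directories, is the password requirement disabled, and is the inactivity timeout unusually short. The sample export, the set of expected directories and the 300-second threshold are constructed assumptions to tune for your environment; only REG_SZ entries are parsed.

```python
import re
from pathlib import PureWindowsPath

# Value names under HKCU\Control Panel\Desktop named in the technique description.
# Lookups are lower-cased because registry value names are case-insensitive.
VALUE_BINARY = "scrnsave.exe"
VALUE_ACTIVE = "screensaveactive"
VALUE_SECURE = "screensaverissecure"
VALUE_TIMEOUT = "screensavetimeout"

# Assumed baseline: directories holding the screensavers shipped with Windows.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

DESKTOP_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"

_SECTION_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" with .reg escaping (backslash escapes backslash and double quote)
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Parse REG_SZ entries of a .reg export into {key: {value_name_lower: data}}.
    dword:/hex: entries and the default value (@=) are ignored."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            result[current][_unescape(m.group(1)).lower()] = _unescape(m.group(2))
    return result


def assess_screensaver(desktop: dict, short_timeout_s: int = 300):
    """Return (persistence_candidate, findings) for the Desktop key's values.
    persistence_candidate is True only when SCRNSAVE.exe itself looks wrong;
    the password and timeout findings are supporting context."""
    findings, candidate = [], False
    binary = desktop.get(VALUE_BINARY)
    if binary:
        p = PureWindowsPath(binary)
        if p.suffix.lower() != ".scr":
            findings.append(f"SCRNSAVE.EXE points at a non-.scr file: {binary}")
            candidate = True
        # A bare file name (parent '.') resolves via the search path; treat it as unexpected too.
        if str(p.parent).lower() not in EXPECTED_DIRS:
            findings.append(f"SCRNSAVE.EXE outside Windows screensaver directories: {binary}")
            candidate = True
    if desktop.get(VALUE_ACTIVE, "0") == "1" and desktop.get(VALUE_SECURE, "1") == "0":
        findings.append("screensaver active and does not require a password to unlock")
    timeout = desktop.get(VALUE_TIMEOUT)
    if timeout is not None and timeout.isdigit() and int(timeout) < short_timeout_s:
        findings.append(f"short inactivity timeout ({timeout}s) shortens time to execution")
    return candidate, findings


def audit(reg_export: str):
    """Parse an export and assess the HKCU Desktop key (empty dict if absent)."""
    return assess_screensaver(parse_reg_export(reg_export).get(DESKTOP_KEY, {}))


# Constructed sample export (not a real artifact): screensaver redirected to a
# user-writable path, unlock password disabled, timeout lowered to one minute.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="60"
"SCRNSAVE.EXE"="C:\\Users\\Public\\Libraries\\update.scr"
'''

if __name__ == "__main__":
    suspicious, notes = audit(SAMPLE_EXPORT)
    print("persistence candidate:", suspicious)
    for n in notes:
        print(" -", n)
```

On a live host the same four values can be read with `Get-ItemProperty 'HKCU:\Control Panel\Desktop'` in PowerShell and fed to the same checks; the path check is the one that matters, since a short timeout and a disabled unlock password are common on benign machines.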
Platforms
Windows
Mitigations (2)
Execution Prevention (M1038)
Block .scr files from being executed from non-standard locations.
Disable or Remove Feature or Program (M1042)
Use Group Policy to disable screensavers if they are unnecessary.(Citation: TechNet Screensaver GP)
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0168 | Gazer | Malware | [Gazer](https://attack.mitre.org/software/S0168) can establish persistence through the system screensaver by configuring it to execute the malware.(Ci... |
References
- ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
- Wikipedia. (2017, November 22). Screensaver. Retrieved December 5, 2017.
Frequently Asked Questions
What is T1546.002 (Screensaver)?
T1546.002 is a MITRE ATT&CK technique named 'Screensaver'. It belongs to the Privilege Escalation, Persistence tactic(s). Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Po...
How can T1546.002 be detected?
Monitor changes to the SCRNSAVE.exe, ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeout values under HKCU\Control Panel\Desktop\ (Windows Registry key modification telemetry, for example Sysmon Event ID 13), and monitor process creation and command lines for .scr files executed from outside C:\Windows\System32\ and C:\Windows\SysWOW64\. The strongest indicator is a screensaver path that points into a user-writable directory or at a .scr that is not part of the base Windows installation; a disabled unlock password or a shortened timeout on its own is common on benign systems and is supporting context rather than a detection.
What mitigations exist for T1546.002?
There are 2 documented mitigations for T1546.002. Key mitigations include: Execution Prevention, Disable or Remove Feature or Program.
Which threat groups use T1546.002?
The software listed on this page, Gazer, is a second-stage backdoor that ESET attributes to Turla and that configures the screensaver to execute the malware.(Citation: ESET Gazer Aug 2017) Check the MITRE ATT&CK website for the current list of groups and software associated with this technique.