216.73.216.215

T1546.002: Screensaver

View on MITRE ATT&CK The MITRE Corporation · Published 24/01/2020 14:51 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID
T1546.002
Confidence
100/100
Revoked
No
Published
24/01/2020 14:51
Modified
27/03/2026 01:12
Author / Source
The MITRE Corporation

Platforms

windows

Description

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in `C:\Windows\System32\`, and `C:\Windows\sysWOW64\` on 64-bit Windows systems, along with screensavers included with base Windows installations. The following screensaver settings are stored in the Registry (`HKCU\Control Panel\Desktop\`) and could be manipulated to achieve persistence: * `SCRNSAVE.exe` - set to malicious PE path * `ScreenSaveActive` - set to '1' to enable the screensaver * `ScreenSaverIsSecure` - set to '0' to not require a password to unlock * `ScreenSaveTimeout` - sets user inactivity timeout before screensaver is executed Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)

Kill chain phases

Kill chainPhase
mitre-attack persistence
mitre-attack privilege-escalation

Marking (TLP)

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references