T1546.002: Screensaver
Essential information
- MITRE technique ID
T1546.002- Confidence
- 100/100
- Revoked
- No
- Published
- 24/01/2020 14:51
- Modified
- 27/03/2026 01:12
- Author / Source
- The MITRE Corporation
Platforms
windows
Description
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in `C:\Windows\System32\`, and `C:\Windows\sysWOW64\` on 64-bit Windows systems, along with screensavers included with base Windows installations.
The following screensaver settings are stored in the Registry (`HKCU\Control Panel\Desktop\`) and could be manipulated to achieve persistence:
* `SCRNSAVE.exe` - set to malicious PE path
* `ScreenSaveActive` - set to '1' to enable the screensaver
* `ScreenSaverIsSecure` - set to '0' to not require a password to unlock
* `ScreenSaveTimeout` - sets user inactivity timeout before screensaver is executed
Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | persistence |
| mitre-attack | privilege-escalation |
Marking (TLP)
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.