Screensaver

Information

• Name: Screensaver

• ID: T1546.002

• Tactics: ,

• Technique:

Introduction

Screensaver (T1546.002) is a sub-technique within the MITRE ATT&CK framework under the broader Persistence technique T1546 (Event Triggered Execution). It involves adversaries leveraging screensaver settings and executables to maintain persistence on compromised systems. Attackers typically modify registry settings or replace legitimate screensaver files to execute malicious payloads whenever the screensaver activates, allowing them to persistently execute code even after system reboots or user logoffs.

Deep Dive Into Technique

The Screensaver sub-technique exploits the Windows operating system's built-in screensaver functionality. By default, Windows executes a screensaver executable (.scr file) after a predefined period of user inactivity. Attackers can manipulate this functionality through several methods:

• Registry Modification:

  • Attackers may modify registry keys associated with screensaver settings, primarily located in:

    Copy

    HKCU\Control Panel\Desktop

    or

    Copy

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

  • Commonly modified registry values include:

    • SCRNSAVE.EXE: Specifies the executable screensaver file.

    • ScreenSaveTimeOut: Defines the idle time before the screensaver activates.

    • ScreenSaverIsSecure: Determines whether a password is required after screensaver activation.

• Malicious Screensaver Files:

  • Attackers may replace legitimate screensaver executables (usually stored in %SystemRoot%\System32\) with malicious copies having the .scr extension.

  • Malicious .scr files are typically executable PE files renamed to .scr and can execute arbitrary code.

• Execution Mechanism:

  • When the screensaver triggers due to inactivity, the malicious executable runs automatically with the privileges of the logged-in user.

  • This approach provides persistence across reboots and logoffs, as the screensaver settings remain persistent in the registry.

• Stealth and Evasion:

  • Attackers often hide malicious .scr files in legitimate system directories or mimic legitimate screensaver names (e.g., "scrnsave.scr", "ssText3d.scr") to evade detection.

  • They may also use obfuscation techniques or packers to evade antivirus detection.

When this Technique is Usually Used

Attackers commonly use the Screensaver sub-technique during the persistence phase of their attack lifecycle, enabling them to maintain access to compromised systems over extended periods. Typical scenarios include:

• Initial Access and Persistence:

  • After initial compromise through phishing, social engineering, or exploitation of vulnerabilities, attackers use screensaver modifications to establish persistent footholds.

• Privilege Escalation and Lateral Movement:

  • Attackers may leverage screensaver persistence after escalating privileges or moving laterally within a network environment to maintain prolonged access to critical systems.

• Long-term Espionage Campaigns:

  • Advanced Persistent Threat (APT) groups frequently use this technique to ensure ongoing access for data exfiltration or reconnaissance over extended periods.

• Insider Threat Scenarios:

  • Malicious insiders may configure screensaver persistence to maintain covert access to sensitive systems within an organization.

How this Technique is Usually Detected

Detection of the Screensaver persistence sub-technique involves monitoring system behaviors, registry modifications, and file activities. Common detection methods include:

• Registry Monitoring:

  • Monitor registry keys and values associated with screensaver settings:

    • HKCU\Control Panel\Desktop\SCRNSAVE.EXE

    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

  • Tools such as Sysmon, Windows Event Logs, and Endpoint Detection and Response (EDR) solutions can track registry changes.

• File Integrity Monitoring (FIM):

  • Implement FIM to detect unauthorized changes or additions of .scr files in system directories like %SystemRoot%\System32\.

  • Tools such as Tripwire, OSSEC, or built-in Windows auditing features can detect unauthorized file modifications.

• Process Execution Monitoring:

  • Monitor anomalous or unexpected execution of .scr files, especially those executing from unusual locations or at unusual times.

  • Endpoint protection tools and EDR platforms can detect and alert on suspicious process activities.

• Behavioral Analysis and Threat Hunting:

  • Conduct regular threat hunting exercises focusing on unusual screensaver activity, abnormal registry modifications, or unexpected persistence mechanisms.

  • Analyze logs for anomalies related to screensaver execution patterns.

Indicators of Compromise (IoCs)

• Unexpected registry modifications:

  • Changes to SCRNSAVE.EXE registry value.

  • New .scr files appearing in system directories.

• Suspicious .scr files executing from unusual locations.

• Unusual outbound network connections initiated by screensaver processes.

Why it is Important to Detect This Technique

Detecting Screensaver persistence is critical due to the following potential impacts and risks:

• Persistent Unauthorized Access:

  • Attackers gain persistent, covert access to victim systems, enabling long-term espionage, data theft, or sabotage.

• Privilege Abuse:

  • Malicious screensaver executables run with the privileges of the logged-in user, potentially allowing attackers to escalate privileges or access sensitive resources.

• Data Exfiltration and Espionage:

  • Persistent access facilitates ongoing data harvesting, intellectual property theft, or espionage activities, posing significant risks to organizational security and confidentiality.

• Difficulty in Remediation:

  • Undetected persistence mechanisms significantly complicate incident response and remediation efforts, allowing attackers to quickly regain access after initial remediation attempts.

• Early Warning of Advanced Threats:

  • Detecting screensaver persistence can be an early indicator of a broader compromise, enabling security teams to respond proactively before attackers achieve further objectives.

Examples

Real-world examples and scenarios involving the Screensaver persistence sub-technique include:

• APT10 (MenuPass):

  • APT10 leveraged modified screensaver files to maintain persistence on victim systems, replacing legitimate .scr files with malicious payloads to execute backdoor commands upon activation.

• FIN7 Cybercrime Group:

  • FIN7 attackers have been observed using malicious .scr files delivered through phishing campaigns to establish persistence on targeted retail and hospitality organizations, facilitating credit card data theft and financial fraud.

• Operation Cleaver:

  • Operation Cleaver threat actors utilized screensaver persistence mechanisms by modifying registry settings to execute malicious .scr files, enabling long-term espionage activities targeting critical infrastructure sectors.

• Insider Threat Scenario:

  • A malicious insider configured a custom screensaver executable to execute unauthorized scripts, granting persistent covert access to sensitive corporate data and systems.

In these cases, attackers used standard Windows functionality combined with registry and file manipulation to achieve persistent access, highlighting the importance of proactive monitoring, detection, and response capabilities against this sub-technique.