# Attachments: SCR Files

SCR files are screensaver files used by Windows for energy saving purposes. I will create a simple binary and change its extension from EXE to SCR.

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.

Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in C:\Windows\System32, and in C:\Windows\sysWOW64\ on 64-bit Windows systems. The screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and can also be manipulated for persistence.

We can use Msfvenom, Phantom Evasion, Veil Framework or any other tool that can generate a binary payload. This is the file we will manipulate so that it can be sent to the victim and executed.

I will use a simple payload created with the msfvenom tool and save it as an EXE file. On the attacker machine I can change the extension to .scr and compare both payloads: even though the extension has changed, the functionality has not been affected.

![](/files/-MRh5qKrrEsSuiFLIeMM)

I will transfer these files onto our Windows box, where we can see a small but very valuable difference: in the description information, the EXE file is described as an Application and the SCR file is described as a Screensaver. This is good, as we can confuse our target into thinking this is a normal screensaver file.

![](/files/-MRh5sEg47HlPqj-cZxb)

We can see our payload running in the process list:

![](/files/-MRh5tAiF2aGi8nu2pEl)

What about the SCR file?

![](/files/-MRh5u7lc3VzF0EYaRqF)

Same results, but why is this? Well, .scr files are also executables on a Windows machine. We can go a bit further and try to make this a more credible file to open.

The extension has been spoofed and the icon has been switched.

![](/files/-MRh5vjpJGCmXs0CwD2k)

In this example I spoofed the extension and switched the icon to a more credible, safer-looking one, so the user might think this is a simple image. In the following demo we can see that it is an executable that will connect back to our attacking machine.

**Demo:**

![](/files/-MRh5yGJDTjIJ5pxb7V-)
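Because renaming EXE to SCR leaves the PE content untouched, an attachment filter should decide on content as well as on the name. The following is an added example, not part of the original notes: a triage routine that parses the PE header and flags `.scr` attachments and PE content behind a non-executable extension. The finding labels, the extension list and the sample files are constructed assumptions.

```python
import os
import struct

# Extensions treated as "launches a program". .scr belongs here because a
# screensaver is an ordinary PE file. (Assumed list; extend to local policy.)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # An out-of-range offset yields an empty slice, so this is simply False.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(filename: str, data: bytes) -> list:
    """Return findings for one attachment (finding labels are hypothetical)."""
    # Windows ignores trailing dots and spaces in file names, so drop them
    # before reading the extension.
    name = filename.lower().rstrip(". ")
    ext = os.path.splitext(name)[1]
    findings = []
    if ext == ".scr":
        findings.append("screensaver-extension")
    if is_pe(data):
        findings.append("pe-content")
        if ext not in EXECUTABLE_EXTS:
            findings.append("extension-content-mismatch")
    return findings

def constructed_pe() -> bytes:
    """Constructed header only: MZ stub, e_lfanew = 0x40, PE signature."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + bytes(20)

# Constructed sample attachments (names and bytes are made up for the example).
SAMPLES = {
    "payload.exe": constructed_pe(),
    "payload.scr": constructed_pe(),
    "holiday.jpg": constructed_pe(),
    "notes.txt": b"plain text attachment\n",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname:12} {triage(fname, blob)}")
```

The EXE and SCR samples both report `pe-content`, which is the point the comparison above makes: the file type Explorer displays follows the extension, while what runs follows the bytes.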

