Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr extension. The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.

The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:

· SCRNSAVE.exe - set to malicious PE path

· ScreenSaveActive - set to '1' to enable the screensaver

· ScreenSaverIsSecure - set to '0' to not require a password to unlock

· ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.

In this example we will establish persistence with the use of our Screen Saver the current path for the current Screen Saver that is loaded depending on the idle time (1 minute here) will be loaded when the user is inactive during that certain amount of time.

We can see the current value of the Key to what screensaver it is pointing to, if you notice it is using the .scr extension no worries this is just another form of executable so changing the extension name of your payload will work fine as well.

We can vie other key values as well:

Screensaver is Active

Screensavers Timeout (usually this is in seconds)

SCRNSAVE.EXE - The binary it is loading when the idle time has been reached

All that we wish to accomplish in this situation is have the screensaver point to our payload. We do not need Administrator privileges in this matter as any user can setup their own screensaver as they would like.

We wait for the 60 seconds (1 min) to pass an we should receive a shell back to our attacking machine.


Last updated