# SCR Files

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.

SCR files are screensaver files used by Windows for energy-saving purposes. Screensavers are programs that execute after a configurable period of user inactivity and consist of Portable Executable (PE) files with a `.scr` file extension. The Windows screensaver application `scrnsave.scr` is located in `C:\Windows\System32\`, and in `C:\Windows\SysWOW64\` on 64-bit Windows systems. The screensaver settings are stored in the Registry (`HKCU:\Control Panel\Desktop\`) and can also be manipulated for persistence.

We can use Msfvenom, Phantom Evasion, Veil Framework or any C2 that can generate a binary. We will manipulate this file so that we can send it to the victim's PC and have it executed.

I will use msfvenom to create a simple TCP reverse payload and save it as an EXE file; from the Linux box I can always change the extension and keep the original file. We can see both files: even though the extensions have been changed, they are still the executable files they are meant to be.

![](/files/-LxA93NyKbHdq7kjuOQd)

I will move these onto a Windows machine, where we can see a small but very valuable difference: in the description information, the EXE file is described as an Application and the SCR file is described as a Screensaver. I will show a few examples of how we can achieve a reverse shell with these types of files.

![Both payloads different extensions and different description](/files/-LxACmlMJ9qcBbCgOM1r)

As we can see, if we execute the EXE file we get a callback on the listener set up on our Linux box.

![task-list command on CMD](/files/-LxADQ2NceTiOiZXKEec)

So what about our scr file?

![task-list command on CMD](/files/-LxADqhajW3hLIzXO_iK)

We can verify that both files give us a callback to our listener. Why is this? SCR files are also executables on a Windows machine. We can go a bit further and try to make this look like a more credible program to execute.

![Spoofed the extension and changed the Icon](/files/-LxAFMPtWseH39Ef-fka)

Here I spoofed the extension and changed the icon. With this the file looks more credible; it does not change the file's description, but the more credible icon makes the user believe an image file is being opened, and when it is executed we receive a callback on our listener. Your creativity will help your success. These procedures may help with Delivery and Execution on the user's machine: the file can be hosted on a remote server and downloaded, or compressed into a RAR file and sent via email to avoid detection or scans.
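A defender-side check for the behaviour shown above, added here as an example and not part of the original notes: because a `.scr` file is an ordinary PE, a mail or download filter should decide on file content (the MZ/PE headers) rather than on the name, icon or description. The function names, verdict strings and sample files are constructed for illustration.

```python
import struct
from pathlib import PureWindowsPath

# Extensions that Windows launches as programs; .scr is handled like .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}

def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # An out-of-range offset yields an empty slice, so this is safe on junk input.
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage(name: str, data: bytes) -> str:
    """Classify an attachment by content first and file name second."""
    ext = PureWindowsPath(name).suffix.lower()
    if not is_pe(data):
        # Not a PE, but the name still asks Windows to run it: hold for review.
        return "review-extension" if ext in EXECUTABLE_EXTS else "allow"
    if ext == ".scr":
        return "block-screensaver-pe"
    if ext in EXECUTABLE_EXTS:
        return "block-executable"
    return "block-disguised-pe"  # PE content behind an image/document name

def make_pe_stub() -> bytes:
    """Constructed sample: a 64-byte DOS header plus PE signature, not a real program."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0"

# Constructed sample attachments (names and bytes are illustrative only).
SAMPLES = {
    "holiday.scr": make_pe_stub(),
    "setup.exe": make_pe_stub(),
    "photo.jpg": make_pe_stub(),
    "real_photo.jpg": b"\xff\xd8\xff\xe0" + bytes(64),
    "notes.scr": b"plain text",
}

def triage_all(samples=SAMPLES) -> dict:
    return {name: triage(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:16} {verdict}")
```

The same `triage` call can be applied to each member extracted from an archive attachment, since the verdict does not depend on how the file was delivered.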

