T1546.002
Screensaver
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Win...
Windows
Detections: 8
Sources: 3
Threat Actors: 0
BY SOURCE
sigma: 4, elastic: 3, splunk_escu: 1
PROCEDURES (4)
Registry: 3 detections
Auto-extracted: 3 detections for registry
Persist: 3 detections
Auto-extracted: 3 detections for persist
Persist: 1 detection
Auto-extracted: 1 detection for persist
File Monitoring: 1 detection
Auto-extracted: 1 detection for file monitoring
DETECTIONS (8)
Path To Screensaver Binary Modified (sigma, medium)
Screensaver Event Trigger Execution (splunk_escu)
Screensaver Plist File Modified by Unexpected Process (elastic, medium)
Suspicious ScreenSave Change by Reg.exe (sigma, medium)
Suspicious Screensaver Binary File Creation (sigma, medium)
Uncommon Registry Persistence Change (elastic, medium)
Unexpected Child Process of macOS Screensaver Engine (elastic, medium)
Writing Local Admin Share (sigma, medium)