Adversaries may create screensaver binaries (.scr files) to establish persistence, because a screensaver executes automatically after a configurable period of user inactivity. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate this long-term persistence mechanism.
Detection Rule
title: Suspicious Screensaver Binary File Creation
id: 97aa2e88-555c-450d-85a6-229bcd87efb8
status: test
description: |
    Adversaries may establish persistence by executing malicious content triggered by user inactivity.
    Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
author: frack113
date: 2021-12-29
modified: 2022-11-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.scr'
    filter_generic:
        Image|endswith:
            - '\Kindle.exe'
            - '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection
    filter_tiworker:
        # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
        Image|endswith: '\TiWorker.exe'
        TargetFilename|endswith: '\uwfservicingscr.scr'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
Azure Sentinel Query (KQL, ASIM imFileEvent)
// Sigma "Image" is the process that creates the file; in the ASIM FileEvent schema that is
// ActingProcessName, while TargetFilePath/TargetFileName describe the created file itself.
// The original translation compared the Image filters against TargetFilePath, which can never
// match a .scr file and made both exclusions dead; the filters below mirror filter_generic
// and filter_tiworker from the Sigma rule.
imFileEvent
| where EventType == "FileCreated"   // Sigma category file_event = file creation
| where TargetFileName endswith ".scr"
| where not(ActingProcessName endswith "\\Kindle.exe" or ActingProcessName endswith "\\Bin\\ccSvcHst.exe")
| where not(ActingProcessName endswith "\\TiWorker.exe" and TargetFilePath endswith "\\uwfservicingscr.scr")
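The rule's selection and exclusion logic applied to constructed file-creation records, added here as an example (it is not part of the Sigma rule, the KQL translation, or any project code). The `FileEvent` dataclass and the sample paths are assumptions modelled on Sysmon Event ID 11 fields; the exclusion for TiWorker only suppresses the single `uwfservicingscr.scr` file, so any other `.scr` written by that process still alerts.

```python
"""Added example: the Sigma rule's detection logic over constructed file-create events."""
from dataclasses import dataclass


@dataclass
class FileEvent:
    image: str            # creating process, Sigma field Image (Sysmon EID 11 Image)
    target_filename: str  # full path of the created file, Sigma field TargetFilename


def _endswith(value: str, suffix: str) -> bool:
    # Sigma string modifiers match case-insensitively, as does KQL endswith.
    return value.lower().endswith(suffix.lower())


def selection(ev: FileEvent) -> bool:
    return _endswith(ev.target_filename, ".scr")


def filter_generic(ev: FileEvent) -> bool:
    return any(_endswith(ev.image, s) for s in ("\\Kindle.exe", "\\Bin\\ccSvcHst.exe"))


def filter_tiworker(ev: FileEvent) -> bool:
    # Both conditions must hold; TiWorker writing any other .scr is not excluded.
    return _endswith(ev.image, "\\TiWorker.exe") and _endswith(ev.target_filename, "\\uwfservicingscr.scr")


def matches(ev: FileEvent) -> bool:
    # condition: selection and not 1 of filter_*
    return selection(ev) and not (filter_generic(ev) or filter_tiworker(ev))


# Constructed sample telemetry (hypothetical paths, not real events).
SAMPLE_EVENTS = [
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\setup.exe", r"C:\Users\alice\AppData\Roaming\update.scr"),
    FileEvent(r"C:\Program Files\Amazon\Kindle\Kindle.exe", r"C:\Users\alice\AppData\Local\Amazon\Kindle\Kindle.scr"),
    FileEvent(r"C:\Windows\WinSxS\amd64_servicingstack\TiWorker.exe", r"C:\Windows\System32\uwfservicingscr.scr"),
    FileEvent(r"C:\Windows\WinSxS\amd64_servicingstack\TiWorker.exe", r"C:\Windows\Temp\other.scr"),
    FileEvent(r"C:\Windows\explorer.exe", r"C:\Users\alice\Documents\notes.txt"),
    FileEvent(r"C:\Users\bob\Downloads\installer.exe", r"C:\Users\bob\Payload.SCR"),
]


def run(events: list[FileEvent]) -> list[str]:
    """Return the paths of created files that the rule would alert on."""
    return [ev.target_filename for ev in events if matches(ev)]


if __name__ == "__main__":
    for path in run(SAMPLE_EVENTS):
        print("ALERT:", path)
```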
False Positive Scenarios

Scenario: Legitimate Screensaver Installation via Group Policy
Description: An administrator deploys a legitimate screensaver (e.g., mss32.exe) via Group Policy to enforce a company-wide screensaver policy.
Filter/Exclusion: Check the File field for known legitimate screensaver executables (e.g., mss32.exe, scrnsave.scr) and exclude files created by Group Policy or deployed via SCCM.

Scenario: Scheduled Job Creating Screensaver for User Inactivity
Description: A scheduled task is configured to run a script that generates a screensaver file (e.g., custom_screensaver.exe) to be used during user inactivity.
Filter/Exclusion: Filter by process name or file path to exclude known legitimate scheduled tasks (e.g., Task Scheduler or schtasks.exe) and check for associated job names or paths.

Scenario: Admin Task to Replace Default Screensaver
Description: An administrator replaces the default Windows screensaver with a custom one (e.g., customscr.exe) as part of a user experience improvement.
Filter/Exclusion: Exclude files created by administrative tools like gpedit.msc or regedit.exe, and filter by file names that match known enterprise screensaver deployments.

Scenario: User-Initiated Screensaver Creation via Registry Edit
Description: A user manually edits the registry to set a custom screensaver (e.g., scrnsave.scr) using regedit.exe or a third-party registry editor.
Filter/Exclusion: Exclude files created by registry editors or user-initiated registry changes, and check for registry keys like HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSave to validate legitimacy.

Scenario: Temporary Screensaver File Created by a Legitimate Application