T1546.002 Screensaver Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ScreeSaverKeys = dynamic([
  "HKEY_CURRENT_USER\\Control Panel\\Desktop",
  "HKCU\\Control Panel\\Desktop"
]);
let ScreeSaverValues = dynamic(["SCRNSAVE.EXE", "ScreenSaveActive", "ScreenSaverIsSecure", "ScreenSaveTimeOut"]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "Control Panel\\Desktop"
| where RegistryValueName in~ (ScreeSaverValues)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend IsScreeSaverPath = RegistryValueName =~ "SCRNSAVE.EXE"
| extend SuspiciousPath = RegistryValueData has_any (
    "AppData", "Temp", "ProgramData", "Users\\Public",
    "powershell", "cmd.exe", "wscript", "cscript", "rundll32"
  )
| extend NotSystemScr = IsScreeSaverPath and not(RegistryValueData has_any (
    "C:\\Windows\\system32\\",
    "C:\\Windows\\SysWOW64\\"
  ))
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey,
         RegistryValueName, RegistryValueData, SuspiciousPath, NotSystemScr,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| where SuspiciousPath or NotSystemScr
| sort by Timestamp desc

high severity high confidence

Data Sources

Windows Registry: Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents

False Positives

Corporate desktop management tools (e.g., SCCM, Group Policy) that configure screensaver timeout and path centrally
Legitimate third-party screensaver applications installed by users (e.g., 3D aquarium, slideshow screensavers) that install .scr files outside System32
IT helpdesk tools that reset screensaver settings as part of standard baseline enforcement
User-initiated changes through Windows Display Settings that write to the Control Panel\Desktop registry key

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13)
| where match(TargetObject, "Control Panel\\\\Desktop")
| where match(TargetObject, "(SCRNSAVE\.EXE|ScreenSaveActive|ScreenSaverIsSecure|ScreenSaveTimeOut)")
| eval IsScrnsaveExe=if(match(TargetObject, "SCRNSAVE\.EXE"), 1, 0)
| eval SuspiciousPath=if(match(lower(Details), "(appdata|\\\\temp\\\\|programdata|public|powershell|cmd\.exe|wscript|cscript|rundll32)"), 1, 0)
| eval NotSystemPath=if(IsScrnsaveExe=1 AND NOT match(Details, "(?i)(windows\\\\system32|syswow64)"), 1, 0)
| where SuspiciousPath=1 OR NotSystemPath=1
| eval ScreenSaverFile=mvindex(split(Details, "\\\\"), -1)
| table _time, host, User, EventCode, TargetObject, Details, ScreenSaverFile, SuspiciousPath, NotSystemPath, Image, CommandLine
| sort - _time

high severity high confidence

Data Sources

Windows Registry: Registry Key Modification Sysmon Event ID 12 (RegistryEvent - Object Create/Delete) Sysmon Event ID 13 (RegistryEvent - Value Set)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Corporate desktop management tools configuring screensaver centrally via Group Policy
Third-party screensaver applications installing outside System32
IT baseline enforcement tools resetting screensaver settings
User-initiated changes through Windows Display Settings

Elastic Security (EQL)

eql

registry where event.type in ("creation", "change") and
  registry.path : ("*\\Control Panel\\Desktop\\SCRNSAVE.EXE", "*\\Control Panel\\Desktop\\ScreenSaveActive", "*\\Control Panel\\Desktop\\ScreenSaverIsSecure", "*\\Control Panel\\Desktop\\ScreenSaveTimeOut") and
  (
    (registry.path : "*SCRNSAVE.EXE" and not registry.data.strings : ("C:\\Windows\\system32\\*", "C:\\Windows\\SysWOW64\\*", "")) or
    registry.data.strings : ("*AppData*", "*\\Temp\\*", "*ProgramData*", "*\\Public\\*", "*powershell*", "*cmd.exe*", "*wscript*", "*cscript*", "*rundll32*")
  )

high severity high confidence

Data Sources

Windows Registry Sysmon (Event ID 12/13) Elastic Endpoint

Required Tables

registry

False Positives

Legitimate screensaver configuration tools or enterprise management software (e.g., Group Policy, SCCM) modifying these registry keys as part of policy enforcement
Power management or remote desktop software that adjusts ScreenSaveActive or ScreenSaveTimeOut to prevent screen lock during active sessions
Custom corporate screensavers deployed via IT that are stored in non-standard paths such as a network share or %ProgramFiles% subdirectory

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "TargetObject",
  "Details",
  "Image",
  "CommandLine",
  LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPEID IN (13, 14)
  AND "EventID" IN (12, 13)
  AND "TargetObject" ILIKE '%Control Panel%Desktop%'
  AND (
    "TargetObject" ILIKE '%SCRNSAVE.EXE%'
    OR "TargetObject" ILIKE '%ScreenSaveActive%'
    OR "TargetObject" ILIKE '%ScreenSaverIsSecure%'
    OR "TargetObject" ILIKE '%ScreenSaveTimeOut%'
  )
  AND (
    LOWER("Details") LIKE '%appdata%'
    OR LOWER("Details") LIKE '%\\temp\\%'
    OR LOWER("Details") LIKE '%programdata%'
    OR LOWER("Details") LIKE '%\\public\\%'
    OR LOWER("Details") LIKE '%powershell%'
    OR LOWER("Details") LIKE '%cmd.exe%'
    OR LOWER("Details") LIKE '%wscript%'
    OR LOWER("Details") LIKE '%cscript%'
    OR LOWER("Details") LIKE '%rundll32%'
    OR (
      "TargetObject" ILIKE '%SCRNSAVE.EXE%'
      AND LOWER("Details") NOT LIKE '%c:\\windows\\system32\\%'
      AND LOWER("Details") NOT LIKE '%c:\\windows\\syswow64\\%'
      AND "Details" <> ''
    )
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Sysmon via Windows Event Forwarding WinCollect agent

Required Tables

events

False Positives

Enterprise deployment tools writing screensaver configuration as part of standardized desktop policy rollouts
Security baseline hardening scripts that set ScreenSaverIsSecure=1 or adjust timeout values system-wide
Remote monitoring and management (RMM) agents temporarily modifying ScreenSaveActive to prevent lockout during maintenance windows

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon (EventCode=12 OR EventCode=13)
| where TargetObject matches "*Control Panel\\Desktop*"
| where TargetObject matches "*SCRNSAVE.EXE*" OR TargetObject matches "*ScreenSaveActive*" OR TargetObject matches "*ScreenSaverIsSecure*" OR TargetObject matches "*ScreenSaveTimeOut*"
| eval IsScrnsaveExe = if(TargetObject matches "*SCRNSAVE.EXE*", 1, 0)
| eval DetailsLower = toLowerCase(Details)
| eval SuspiciousPath = if(
    DetailsLower matches "*appdata*" OR
    DetailsLower matches "*\\temp\\*" OR
    DetailsLower matches "*programdata*" OR
    DetailsLower matches "*\\public\\*" OR
    DetailsLower matches "*powershell*" OR
    DetailsLower matches "*cmd.exe*" OR
    DetailsLower matches "*wscript*" OR
    DetailsLower matches "*cscript*" OR
    DetailsLower matches "*rundll32*",
    1, 0
  )
| eval NotSystemPath = if(
    IsScrnsaveExe == 1
    AND !(DetailsLower matches "*windows\\system32*")
    AND !(DetailsLower matches "*syswow64*")
    AND Details != "",
    1, 0
  )
| where SuspiciousPath == 1 OR NotSystemPath == 1
| fields _messageTime, Computer, User, EventCode, TargetObject, Details, SuspiciousPath, NotSystemPath, Image, CommandLine
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon for Windows Sumo Logic Installed Collector with Windows Event Source

Required Tables

windows/sysmon

False Positives

Third-party screen lock or privacy software that installs a custom .scr file in a vendor application directory outside of system32
IT automation scripts that bulk-configure screensaver timeouts across endpoints using WMI or PowerShell, triggering on the CommandLine filter
Developer workstations where screensaver configuration is managed by dotfile management tools storing configs in AppData

Google Chronicle / SecOps

yaral

rule screensaver_persistence_t1546_002 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1546.002: Adversaries modifying Windows screensaver registry keys to achieve persistence via SCRNSAVE.EXE or related values pointing to malicious executables"
    mitre_attack_technique = "T1546.002"
    mitre_attack_tactic = "Privilege Escalation, Persistence"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-20"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    $e.target.registry.registry_key = /Control Panel\\Desktop/i
    (
      $e.target.registry.registry_value_name = /^SCRNSAVE\.EXE$/i or
      $e.target.registry.registry_value_name = /^ScreenSaveActive$/i or
      $e.target.registry.registry_value_name = /^ScreenSaverIsSecure$/i or
      $e.target.registry.registry_value_name = /^ScreenSaveTimeOut$/i
    )
    (
      re.regex($e.target.registry.registry_value_data, `(?i)(appdata|\\temp\\|programdata|\\public\\|powershell|cmd\.exe|wscript|cscript|rundll32)`) or
      (
        $e.target.registry.registry_value_name = /^SCRNSAVE\.EXE$/i and
        not re.regex($e.target.registry.registry_value_data, `(?i)c:\\windows\\(system32|syswow64)\\`) and
        $e.target.registry.registry_value_data != ""
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows Event Logs via Chronicle Forwarder Sysmon via Chronicle ingestion Google SecOps UDM

Required Tables

registry (UDM normalized)

False Positives

Enterprise screensaver deployment via Intune or Active Directory Group Policy updating SCRNSAVE.EXE to a corporate-branded .scr stored in %ProgramFiles%
Legitimate power management software modifying ScreenSaveActive or ScreenSaveTimeOut to optimize battery or display behavior
Security compliance tooling setting ScreenSaverIsSecure=1 as part of CIS benchmark enforcement scripts running from %ProgramData% or %AppData%

CrowdStrike LogScale (CQL)

cql

#event_simpleName=RegSetValue
| TargetObjectName = /Control Panel\\Desktop/i
| TargetObjectName = /SCRNSAVE\.EXE|ScreenSaveActive|ScreenSaverIsSecure|ScreenSaveTimeOut/i
| IsScrnsaveExe := TargetObjectName = /SCRNSAVE\.EXE/i
| SuspiciousValue := TargetObjectValue = /(?i)(appdata|\\temp\\|programdata|\\public\\|powershell|cmd\.exe|wscript|cscript|rundll32)/
| NotSystemPath := IsScrnsaveExe == true AND TargetObjectValue != "" AND NOT TargetObjectValue = /(?i)c:\\windows\\(system32|syswow64)\\/
| SuspiciousValue == true OR NotSystemPath == true
| select([timestamp, ComputerName, UserName, TargetObjectName, TargetObjectValue, ImageFileName, CommandLine, IsScrnsaveExe, SuspiciousValue, NotSystemPath])
| sort(field=timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Agent Falcon RegSetValue events

Required Tables

RegSetValue (#event_simpleName)

False Positives

Falcon-visible GPO or Intune policy applications that write screensaver settings from SYSTEM or domain controller context, which may reference policy staging locations
Help desk or IT tools using remote registry modification APIs to standardize screensaver lock policies across the fleet
Software installers that bundle a screensaver component and register it from a non-system32 application directory during setup

Screensaver

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Privilege Escalation

Popular Detections