Detect Screensaver in Microsoft Sentinel
Adversaries may establish persistence by modifying the Windows screensaver configuration. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. Adversaries can abuse this by modifying the SCRNSAVE.EXE registry value in HKCU\Control Panel\Desktop to point to a malicious executable that runs whenever the screen saver activates.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.002 Screensaver
- Canonical reference
- https://attack.mitre.org/techniques/T1546/002/
KQL Detection Query
let ScreeSaverKeys = dynamic([
"HKEY_CURRENT_USER\\Control Panel\\Desktop",
"HKCU\\Control Panel\\Desktop"
]);
let ScreeSaverValues = dynamic(["SCRNSAVE.EXE", "ScreenSaveActive", "ScreenSaverIsSecure", "ScreenSaveTimeOut"]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "Control Panel\\Desktop"
| where RegistryValueName in~ (ScreeSaverValues)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend IsScreeSaverPath = RegistryValueName =~ "SCRNSAVE.EXE"
| extend SuspiciousPath = RegistryValueData has_any (
"AppData", "Temp", "ProgramData", "Users\\Public",
"powershell", "cmd.exe", "wscript", "cscript", "rundll32"
)
| extend NotSystemScr = IsScreeSaverPath and not(RegistryValueData has_any (
"C:\\Windows\\system32\\",
"C:\\Windows\\SysWOW64\\"
))
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey,
RegistryValueName, RegistryValueData, SuspiciousPath, NotSystemScr,
InitiatingProcessFileName, InitiatingProcessCommandLine
| where SuspiciousPath or NotSystemScr
| sort by Timestamp descDetects modifications to Windows screensaver registry settings under HKCU\Control Panel\Desktop. Specifically monitors SCRNSAVE.EXE value changes pointing to non-system paths (outside Windows\system32 and SysWOW64) or to known LOLBin and scripting engine paths. Also flags concurrent changes to ScreenSaveActive and ScreenSaverIsSecure values that attackers modify to ensure the screensaver activates and bypasses the lock screen.
Data Sources
Required Tables
False Positives & Tuning
- Corporate desktop management tools (e.g., SCCM, Group Policy) that configure screensaver timeout and path centrally
- Legitimate third-party screensaver applications installed by users (e.g., 3D aquarium, slideshow screensavers) that install .scr files outside System32
- IT helpdesk tools that reset screensaver settings as part of standard baseline enforcement
- User-initiated changes through Windows Display Settings that write to the Control Panel\Desktop registry key
Other platforms for T1546.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Set Malicious Screensaver Path in Registry
Expected signal: Sysmon Event ID 13 (Registry Value Set) for HKCU\Control Panel\Desktop\SCRNSAVE.EXE with Details=C:\Windows\System32\cmd.exe. Additional Event ID 13 records for ScreenSaveActive and ScreenSaveTimeOut. Security Event ID 4657 if registry auditing is enabled.
- Test 2Disable Screensaver Lock Screen for Silent Execution
Expected signal: Sysmon Event ID 13: TargetObject HKCU\Control Panel\Desktop\ScreenSaverIsSecure, Details=0. This should be correlated with concurrent SCRNSAVE.EXE changes.
- Test 3Deploy Fake Screensaver via AppData
Expected signal: Sysmon Event ID 11 (File Created): malicious.scr in AppData path. Sysmon Event ID 13: SCRNSAVE.EXE value set to AppData path. Both the file creation and registry modification events fire. The AppData path in the registry value is the primary detection trigger.
Unlock Pro Content
Get the full detection package for T1546.002 including response playbook, investigation guide, and atomic red team tests.