MITRE ATT&CK Technique
Description
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations. The following screensaver settings are stored in the Registry (<code>HKCU\Control Panel\Desktop\</code>) and could be manipulated to achieve persistence: * <code>SCRNSAVE.exe</code> - set to malicious PE path * <code>ScreenSaveActive</code> - set to '1' to enable the screensaver * <code>ScreenSaverIsSecure</code> - set to '0' to not require a password to unlock * <code>ScreenSaveTimeout</code> - sets user inactivity timeout before screensaver is executed Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2018-01-16T16:13:52.465Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Screensavers are programs that execute after a configurable '
'time of user inactivity and consist of Portable Executable '
'(PE) files with a .scr file extension.(Citation: Wikipedia '
'Screensaver) The Windows screensaver application scrnsave.scr '
'is located in <code>C:\\Windows\\System32\\</code>, and '
'<code>C:\\Windows\\sysWOW64\\</code> on 64-bit Windows '
'systems, along with screensavers included with base Windows '
'installations. \n'
'\n'
'The following screensaver settings are stored in the Registry '
'(<code>HKCU\\Control Panel\\Desktop\\</code>) and could be '
'manipulated to achieve persistence:\n'
'\n'
'* <code>SCRNSAVE.exe</code> - set to malicious PE path\n'
"* <code>ScreenSaveActive</code> - set to '1' to enable the "
'screensaver\n'
"* <code>ScreenSaverIsSecure</code> - set to '0' to not "
'require a password to unlock\n'
'* <code>ScreenSaveTimeout</code> - sets user inactivity '
'timeout before screensaver is executed\n'
'\n'
'Adversaries can use screensaver settings to maintain '
'persistence by setting the screensaver to run malware after a '
'certain timeframe of user inactivity. (Citation: ESET Gazer '
'Aug 2017)',
'external_references': [{'external_id': 'T1180',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1180'},
{'description': 'Wikipedia. (2017, November 22). '
'Screensaver. Retrieved December 5, '
'2017.',
'source_name': 'Wikipedia Screensaver',
'url': 'https://en.wikipedia.org/wiki/Screensaver'},
{'description': 'ESET. (2017, August). Gazing at '
'Gazer: Turla’s new second stage '
'backdoor. Retrieved September 14, '
'2017.',
'source_name': 'ESET Gazer Aug 2017',
'url': 'https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf'}],
'id': 'attack-pattern--2892b9ee-ca9f-4723-b332-0dc6e843a8ae',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:48:33.235Z',
'name': 'Screensaver',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Bartosz Jerzman'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.2'}