Screensaver - T1180 (2892b9ee-ca9f-4723-b332-0dc6e843a8ae)

Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.

The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:

SCRNSAVE.exe - set to malicious PE path
ScreenSaveActive - set to '1' to enable the screensaver
ScreenSaverIsSecure - set to '0' to not require a password to unlock
ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Screensaver - T1180 (2892b9ee-ca9f-4723-b332-0dc6e843a8ae)	Attack Pattern	Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf)	Attack Pattern	1
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Screensaver - T1546.002 (ce4b7013-640e-48a9-b501-d0025a95f4bf)	Attack Pattern	2