MITRE ATT&CK® Detection Strategy

DET0154: Detect Screensaver-Based Persistence via Registry and Execution Chains


Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy is about finding persistence that abuses Windows screensaver behavior: a program can run after user inactivity, and ATT&CK links this strategy to the Screensaver technique for persistence and privilege escalation. For leaders, the practical issue is that a low-visibility desktop configuration path can become an execution trigger, so coverage depends on whether endpoint, registry, and process telemetry are actually collected and reviewed.

Executive priority

Prioritize this as a Windows endpoint resilience and audit-evidence question: can the organization prove it monitors changes to screensaver-related configuration and the execution chains that follow? Because the supplied ATT&CK object has no official detection text and no platform listed on the detection strategy itself, leaders should not assume existing EDR or SIEM content covers it. Ask for evidence of coverage for the related Windows technique T1546.002, especially where persistence controls, incident response scoping, and compliance reporting depend on reliable endpoint telemetry.

Technical view

The ATT&CK relationship indicates this strategy detects T1546.002 Screensaver, associated with persistence and privilege escalation on Windows. SOC and detection engineering teams should validate monitoring for registry-based screensaver configuration changes and subsequent execution of .scr/PE content, including parent-child process context and file path context. Because the official detection field is not provided, teams should treat DET0154 as a coverage objective rather than a ready-made analytic and build local logic from observed Windows telemetry and approved administrative behavior.

Likely telemetry

  • Windows registry modification events for screensaver-related settings
  • Endpoint process creation events, including .scr execution
  • File metadata and path evidence for screensaver binaries or renamed PE content
  • Parent-child process relationships around screensaver execution
  • User/session inactivity or logon context where available

Detection direction

  • Validate that registry auditing or EDR telemetry captures screensaver configuration changes with user, host, timestamp, and value details.
  • Correlate screensaver-related registry changes with later execution of .scr or PE files, rather than relying on either signal alone.
  • Baseline legitimate enterprise screensaver management activity to reduce false positives from IT policy changes.
  • Review whether monitoring includes both standard Windows system locations referenced by the related technique context and nonstandard paths used for screensaver content.
  • Confirm detection coverage on Windows endpoints specifically; the detection strategy object itself does not list platforms, but the related ATT&CK technique does.
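As an added example (not Glexia's or MITRE's code), the following Python shows the correlation the list above describes, run over constructed Windows telemetry: registry changes to the screensaver configuration are paired with later execution of a .scr file or the configured binary by the same user on the same host, and the file path decides severity against a stock-location baseline. The registry value names (SCRNSAVE.EXE, ScreenSaveActive, ScreenSaveTimeout, ScreenSaverIsSecure under HKCU\Control Panel\Desktop) are the standard Windows values and are not listed on this page; the event schema, the 24-hour window, the System32/SysWOW64 baseline and every sample event (including the winlogon.exe parent) are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Value names under HKCU\Control Panel\Desktop that control the screensaver;
# SCRNSAVE.EXE holds the path Windows launches after the inactivity timeout
# (standard Windows values; the page itself does not list them).
SCREENSAVER_KEY = r"hkcu\control panel\desktop"
SCREENSAVER_VALUES = {"scrnsave.exe", "screensaveactive",
                      "screensavetimeout", "screensaverissecure"}
# Assumed baseline: directories where Windows keeps its own screensavers.
STANDARD_SCR_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed window in which a change and an execution count as one chain.
CORRELATION_WINDOW = timedelta(hours=24)


@dataclass
class RegistryEvent:  # assumed shape of registry-modification telemetry
    time: datetime
    host: str
    user: str
    key: str
    value_name: str
    data: str


@dataclass
class ProcessEvent:  # assumed shape of process-creation telemetry
    time: datetime
    host: str
    user: str
    image: str
    parent_image: str


def is_screensaver_config_change(ev: RegistryEvent) -> bool:
    return (ev.key.lower() == SCREENSAVER_KEY
            and ev.value_name.lower() in SCREENSAVER_VALUES)


def is_nonstandard_path(path: str) -> bool:
    """True when the binary lives outside the stock screensaver directories."""
    return not path.lower().startswith(STANDARD_SCR_DIRS)


def correlate(registry_events: List[RegistryEvent],
              process_events: List[ProcessEvent],
              window: timedelta = CORRELATION_WINDOW) -> List[Dict]:
    """One alert per .scr (or configured-binary) execution that follows a
    screensaver configuration change by the same user on the same host."""
    changes = [r for r in registry_events if is_screensaver_config_change(r)]
    alerts = []
    for proc in process_events:
        preceding = [r for r in changes if r.host == proc.host
                     and r.user == proc.user and r.time < proc.time <= r.time + window]
        if not preceding:  # neither signal alone raises an alert
            continue
        configured = {r.data.lower() for r in preceding
                      if r.value_name.lower() == "scrnsave.exe"}
        image = proc.image.lower()
        if image not in configured and not image.endswith(".scr"):
            continue
        alerts.append({
            "host": proc.host, "user": proc.user,
            "changes": [f"{r.value_name}={r.data}" for r in preceding],
            "executed": proc.image, "parent": proc.parent_image,
            # Path context drives severity; stock locations are the baseline.
            "severity": "high" if is_nonstandard_path(proc.image) else "low",
        })
    return alerts


# Constructed sample telemetry, not real logs.
T0 = datetime(2026, 3, 2, 9, 0)
DESKTOP = r"HKCU\Control Panel\Desktop"
SAMPLE_REGISTRY = [
    # IT policy pushing a stock screensaver: expected baseline activity.
    RegistryEvent(T0, "WS-01", r"CORP\bob", DESKTOP, "SCRNSAVE.EXE",
                  r"C:\Windows\System32\Mystify.scr"),
    RegistryEvent(T0, "WS-01", r"CORP\bob", DESKTOP, "ScreenSaveTimeout", "600"),
    # A user-profile path configured as the screensaver binary.
    RegistryEvent(T0 + timedelta(hours=2), "WS-02", r"CORP\alice", DESKTOP,
                  "SCRNSAVE.EXE", r"C:\Users\alice\AppData\Roaming\update.scr"),
]
SAMPLE_PROCESSES = [
    ProcessEvent(T0 + timedelta(minutes=15), "WS-01", r"CORP\bob",
                 r"C:\Windows\System32\Mystify.scr", r"C:\Windows\System32\winlogon.exe"),
    ProcessEvent(T0 + timedelta(hours=2, minutes=20), "WS-02", r"CORP\alice",
                 r"C:\Users\alice\AppData\Roaming\update.scr",
                 r"C:\Windows\System32\winlogon.exe"),
    # Same binary run before any change on that host: no chain, no alert.
    ProcessEvent(T0 - timedelta(hours=1), "WS-02", r"CORP\alice",
                 r"C:\Users\alice\AppData\Roaming\update.scr", r"C:\Windows\explorer.exe"),
]


def run_sample() -> List[Dict]:
    return correlate(SAMPLE_REGISTRY, SAMPLE_PROCESSES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["severity"].upper(), alert["host"], alert["executed"], alert["changes"])
```

Run against the sample, the stock Mystify.scr chain on WS-01 surfaces as a low-severity record (both of bob's configuration changes are attached for the analyst), the user-profile update.scr chain on WS-02 is high, and the earlier update.scr execution with no preceding configuration change produces nothing. In production the baseline tuple and the window are the knobs to adjust after inventorying approved screensaver policy, and the `parent` field is carried so parent-child context can be reviewed without deciding severity on it.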

Mitigation priorities

  • Inventory approved screensaver policy and ownership before tuning detections.
  • Restrict unauthorized changes to screensaver-related configuration through standard endpoint and identity administration controls.
  • Ensure endpoint telemetry retention supports incident response timelines for registry changes and process execution chains.
  • Harden administrative change management so legitimate screensaver policy updates are documented and distinguishable from suspicious changes.
  • Add DET0154/T1546.002 coverage evidence to detection validation and compliance readiness materials where Windows endpoint persistence is in scope.

Analyst notes and limits

DET0154 is an ATT&CK detection strategy object covering Screensaver-based persistence via registry and execution chains. The available ATT&CK data provides the name, external reference, versioning, and a relationship to T1546.002 Screensaver. The strongest analytic value comes from validating telemetry and correlation around registry changes and subsequent execution, not from assuming a specific MITRE-provided detection rule.

The official description and official detection fields are not provided, and the detection strategy lists no platforms or tactics. Platform, tactic, and behavior context are inferred only from the supplied relationship to T1546.002, which is Windows and associated with persistence and privilege escalation. Local environment baselines are required to separate legitimate screensaver administration from suspicious persistence.

Official MITRE ATT&CK definition

Detect Screensaver-Based Persistence via Registry and Execution Chains

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name         Type           Relationship / procedure
Enterprise  T1546.002  Screensaver  Sub-technique  This object detects Screensaver.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources, Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
c21b76b5a9df5d4e...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | c21b76b5a9df…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0154
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.