T1546.002: Screensaver

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.[1] The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.

The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:

* SCRNSAVE.exe - set to malicious PE path * ScreenSaveActive - set to '1' to enable the screensaver * ScreenSaverIsSecure - set to '0' to not require a password to unlock * ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.[2]

EnterpriseT1546.002Sub-techniqueObject v1.3 Modified Oct 24, 2025, 17:49 UTC (UTC+00:00)

Screensaver persistence matters because it turns a normal Windows usability feature into a delayed execution point. A malicious .scr/PE path in the current user’s screensaver Registry settings can cause code to run after user inactivity, making the behavior easy to overlook if teams only monitor startup folders, services, or scheduled tasks.

Executive priority

Treat this as a Windows endpoint resilience and audit-evidence issue: can the organization prove that user-level persistence locations are monitored, that unauthorized executables are prevented from running, and that incident responders can quickly review affected user Registry settings? Priority is highest for environments where Windows workstations hold sensitive access, remain logged in for long periods, or have weak application control.

Technical view

This is a Windows sub-technique of Event Triggered Execution for persistence and privilege-escalation tactics. Validate coverage around HKCU\Control Panel\Desktop\ screensaver values, especially SCRNSAVE.exe, ScreenSaveActive, ScreenSaverIsSecure, and ScreenSaveTimeout, and correlate Registry changes with execution of .scr files or PE files from unusual paths. The related ATT&CK detection strategy DET0154 specifically frames detection around screensaver-based persistence via Registry and execution chains. Also account for the revoked predecessor T1180 when mapping older detections or reporting to ATT&CK IDs.

Likely telemetry

Windows Registry modification events for HKCU\Control Panel\Desktop\ screensaver values
Process execution telemetry for .scr files and associated PE execution
File path and hash metadata for configured screensaver executables
User context, host, and timestamp for Registry changes and subsequent execution
Endpoint detection or application control logs showing allowed or blocked screensaver execution

Detection direction

Baseline legitimate screensaver configuration changes and alert on SCRNSAVE.exe values pointing outside expected Windows screensaver locations or approved enterprise paths.
Correlate ScreenSaveActive/ScreenSaveTimeout changes with later execution of the configured screensaver binary after inactivity.
Tune for administrative software, endpoint management, or user personalization workflows that may legitimately change screensaver settings.
Check whether monitoring includes HKCU per-user Registry hives; machine-level monitoring alone can miss this technique.
Map detections to T1546.002 rather than revoked T1180 for current ATT&CK reporting, while retaining legacy mapping where needed.

Mitigation priorities

Prioritize execution prevention for unauthorized code, consistent with M1038, using application control or equivalent allowlisting to restrict unapproved .scr/PE execution.
Disable or remove unnecessary screensaver functionality where business requirements allow, consistent with M1042.
Harden standard endpoint configuration so password-protected lock behavior is not weakened by user-level changes.
Include screensaver Registry locations in endpoint hardening reviews, incident response triage, and compliance evidence collection.

Analyst notes and limits

The object includes no official ATT&CK detection text, so detection guidance is derived from the technique description and the supplied DET0154 relationship. The supplied software relationship notes Gazer uses this technique, but this take does not infer current activity, attribution, or exposure.

Coverage depends on local Windows logging, EDR visibility, application control policy, and whether per-user Registry changes are collected. ATT&CK fields support Windows only for this sub-technique; no claims are made for other platforms.

Official MITRE ATT&CK definition

Screensaver

The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.[2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 2 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1546	Event Triggered Execution	This object subtechnique of Event Triggered Execution.
Enterprise	T1180	Screensaver	Screensaver revoked by this object.

Associated objects

Groups, software, and campaigns

S0168: Gazer

Gazer is a backdoor used by Turla since at least 2016. [1]

Windows

Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1038: Execution Prevention Enterprise subtechnique of · Technique T1546: Event Triggered Execution Enterprise detects · Detection Strategy DET0154: Detect Screensaver-Based Persistence via Registry and Execution Chains Enterprise mitigates · Mitigation M1042: Disable or Remove Feature or Program Enterprise uses · Malware S0168: Gazer Enterprise revoked by · Technique T1180: Screensaver Enterprise

Mitigations

Mitigation direction

M1038: Execution Prevention

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures:

Application Control:

- Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution. - Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml"`)

Script Blocking:

- Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources. - Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., `Set-ExecutionPolicy AllSigned`)

Executable Blocking:

- Use Case: Prevent execution of binaries from suspicious locations, such as `%TEMP%` or `%APPDATA%` directories. - Implementation: Block execution of `.exe`, `.bat`, or `.ps1` files from user-writable directories.

Dynamic Analysis Prevention: - Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time. - Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.

M1042: Disable or Remove Feature or Program

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures:

Remove Legacy Software:

- Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash). - Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.

Disable Unused Features:

- Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required. - Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.

Control Applications Installed by Users:

- Use Case: Prevent users from installing unauthorized software via group policies or other management tools. - Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.

Remove Unnecessary Services:

- Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices. - Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.

Restrict Add-ons and Plugins:

- Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes. - Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.3
Created: Jan 24, 2020, 13:51 UTC (UTC+00:00)
Modified: Oct 24, 2025, 17:49 UTC (UTC+00:00)
Raw hash: 5e583cfd707f057e...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.3	Oct 24, 2025, 17:49 UTC (UTC+00:00)	Current bundle	`5e583cfd707f…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Wikipedia Screensaver

Wikipedia. (2017, November 22). Screensaver. Retrieved December 5, 2017.
Open source URL
[2]
ESET Gazer Aug 2017

ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
Open source URL
[3]
mitre-attack T1546.002
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use