cti/enterprise-attack/attack-pattern/attack-pattern--2892b9ee-ca9f-4723-b332-0dc6e843a8ae.json

{
    "type": "bundle",
    "id": "bundle--1ea8be44-d201-444e-9719-c8bc441df22a",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--2892b9ee-ca9f-4723-b332-0dc6e843a8ae",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "created": "2018-01-16T16:13:52.465Z",
            "modified": "2018-01-17T12:56:55.080Z",
            "name": "Screensaver",
            "description": "Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. (Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.exe is located in <code>C:\\Windows\\System32\\</code> along with screensavers included with base Windows installations. The following screensaver settings are stored in the Registry (<code>HKCU\\Control Panel\\Desktop\\</code>) and could be manipulated to achieve persistence:\n\n*<code>SCRNSAVE.exe</code> - set to malicious PE path\n*<code>ScreenSaveActive</code> - set to '1' to enable the screensaver\n*<code>ScreenSaverIsSecure</code> - set to '0' to not require a password to unlock\n*<code>ScreenSaverTimeout</code> - sets user inactivity timeout before screensaver is executed\n\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)\n\nDetection: Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.\n\nTools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.\n\nPlatforms: Windows\n\nData Sources: Process Monitoring, Process command-line parameters, Windows Registry, File monitoring\n\nPermissions Required: User\n\nContributors: Bartosz Jerzman",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "persistence"
                }
            ],
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/wiki/Technique/T1180",
                    "external_id": "T1180"
                },
                {
                    "source_name": "Wikipedia Screensaver",
                    "description": "Wikipedia. (2017, November 22). Screensaver. Retrieved December 5, 2017.",
                    "url": "https://en.wikipedia.org/wiki/Screensaver"
                },
                {
                    "source_name": "ESET Gazer Aug 2017",
                    "description": "ESET. (2017, August). Gazing at Gazer: Turla\u2019s new second stage backdoor. Retrieved September 14, 2017.",
                    "url": "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_contributors": [
                "Bartosz Jerzman"
            ],
            "x_mitre_data_sources": [
                "Process Monitoring",
                "Process command-line parameters",
                "Windows Registry",
                "File monitoring"
            ],
            "x_mitre_permissions_required": [
                "User"
            ],
            "x_mitre_platforms": [
                "Windows"
            ]
        }
    ]
}