T1547.010: Port Monitors
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. This DLL can be located in C:\Windows\System32 and will be loaded and run by the print spooler service, spoolsv.exe, under SYSTEM level permissions on boot.
Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to the Driver value of an existing or new arbitrarily named subkey of HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. The Registry key contains entries for the following:
- Local Port
- Standard TCP/IP Port
- USB Monitor
- WSD Port
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_defense_evasion: PT-CR-1360: Suspicious_Registry_Value: Windows Registry abuse. This is often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, data collection, and other malicious activity.
Detection
| ID | DS0022 | Data source and component | File: File Creation | Description | Monitor newly constructed files that may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. |
|---|
| ID | DS0009 | Data source and component | Process: OS API Execution | Description | Monitor process API calls to |
|---|
| ID | DS0024 | Data source and component | Windows Registry: Windows Registry Key Modification | Description | Monitor Registry writes to |
|---|
| ID | DS0011 | Data source and component | Module: Module Load | Description | Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious. |
|---|