
Port Monitors

A port monitor can be set through the [1] API call to set a DLL to be loaded at startup. [1] This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM-level permissions. [2] Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. The Registry key contains entries for the following:

  • Local Port
  • Standard TCP/IP Port
  • USB Monitor
  • WSD Port

Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.

ID: T1013

Tactic: Persistence, Privilege Escalation

Platform: Windows

Permissions Required: Administrator, SYSTEM

Effective Permissions: SYSTEM

Data Sources: File monitoring, API monitoring, DLL monitoring, Windows Registry, Process monitoring

Contributors: Stefan Kanthak, Travis Smith, Tripwire

Version: 1.0

Mitigation

Identify and block potentially malicious software that may persist in this manner by using whitelisting [3] tools capable of monitoring DLL loads by processes running under SYSTEM permissions.

Detection

  • Monitor process API calls to [1].
  • Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal.
  • New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious.
  • Monitor Registry writes to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.
  • Run the Autoruns utility, which checks for this Registry key as a persistence mechanism. [4]
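The detection points above (Registry writes under the Monitors key, unexpected DLLs loaded by spoolsv.exe, new DLLs appearing in System32) can be turned into a small triage pass over endpoint telemetry. The following is an added example, not MITRE's code or part of the ATT&CK page. It assumes Sysmon-style event records already parsed into dicts (Event ID 13 for Registry value sets, 7 for image loads, 11 for file creates, with the usual Image, TargetObject, ImageLoaded and TargetFilename fields); the allowlists of known spooler DLLs and trusted System32 writers are placeholders that would be built from a clean reference host, and every sample event is constructed.

```python
"""Flag port-monitor persistence indicators in Sysmon-style events.

Added example (not MITRE's code). Assumes Sysmon-like field names; the
allowlists below are illustrative placeholders, and SAMPLE_EVENTS are
constructed for the demonstration.
"""
import json
from typing import Optional

MONITORS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors"
SPOOLER = "c:\\windows\\system32\\spoolsv.exe"
SYSTEM32 = "c:\\windows\\system32\\"

# Monitor subkeys the page lists as normally present (lower-cased for matching).
KNOWN_MONITORS = {"local port", "standard tcp/ip port", "usb monitor", "wsd port"}
# ASSUMPTION: DLLs the spooler is expected to load; derive the real set from a clean host.
KNOWN_SPOOLER_DLLS = {"c:\\windows\\system32\\localspl.dll", "c:\\windows\\system32\\tcpmon.dll"}
# ASSUMPTION: processes allowed to drop DLLs into System32 (patching/servicing).
TRUSTED_WRITERS = {"c:\\windows\\servicing\\trustedinstaller.exe"}


def monitor_name(target_object: str) -> Optional[str]:
    """Return the monitor subkey name if the Registry path lies under Print\\Monitors."""
    target = target_object.lower()
    prefix = MONITORS_KEY.lower() + "\\"
    if not target.startswith(prefix):
        return None
    return target[len(prefix):].split("\\", 1)[0]


def check_event(ev: dict) -> Optional[dict]:
    """Map one event to an alert dict, or None when it matches nothing of interest."""
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    if eid == 13:  # Registry value set
        name = monitor_name(ev.get("TargetObject", ""))
        if name is None:
            return None
        # Any write here is worth a look; an unknown monitor name is the stronger signal.
        return {"rule": "registry-monitor-write", "monitor": name,
                "known_monitor": name in KNOWN_MONITORS,
                "writer": image, "details": ev.get("Details")}
    if eid == 7 and image == SPOOLER:  # image load by the print spooler
        dll = ev.get("ImageLoaded", "").lower()
        if dll in KNOWN_SPOOLER_DLLS:
            return None
        return {"rule": "spoolsv-unexpected-dll", "dll": dll,
                "outside_system32": not dll.startswith(SYSTEM32)}
    if eid == 11:  # file create
        path = ev.get("TargetFilename", "").lower()
        if path.startswith(SYSTEM32) and path.endswith(".dll") and image not in TRUSTED_WRITERS:
            return {"rule": "system32-dll-created", "path": path, "writer": image}
    return None


def scan(events) -> list:
    """Run check_event over a sequence of events and collect the alerts."""
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed sample telemetry: two Monitors-key writes, one unrelated Registry write,
# two spooler DLL loads (one expected, one not), one DLL load by another process,
# and two DLL creations in System32 (one by an untrusted process, one by servicing).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\demo\\tool.exe",
     "TargetObject": MONITORS_KEY + "\\Evil Monitor\\Driver", "Details": "evil.dll"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetObject": MONITORS_KEY + "\\Local Port\\Driver", "Details": "localspl.dll"},
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Example\\Setting", "Details": "1"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "ImageLoaded": "C:\\Windows\\System32\\localspl.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "ImageLoaded": "C:\\Windows\\System32\\evil.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\evil.dll"},
    {"EventID": 11, "Image": "C:\\Users\\demo\\tool.exe",
     "TargetFilename": "C:\\Windows\\System32\\evil.dll"},
    {"EventID": 11, "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\patched.dll"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Writes to a known monitor subkey are still reported (with known_monitor set to true) because a legitimate monitor's Driver value can be repointed at a different DLL; tuning which of the three rules pages an analyst versus only logs is a local decision.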

References