
Port Monitors

A port monitor can be installed through the AddMonitor API call, which registers a DLL to be loaded at startup. [1] The DLL can be placed in C:\Windows\System32, from where it is loaded by the print spooler service, spoolsv.exe, at boot; spoolsv.exe runs with SYSTEM-level permissions. [2] Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. In either case the monitor is recorded as a subkey of that Registry key whose Driver value names the DLL, which makes the key the durable artifact to audit.

The Registry key contains entries for the following:

  • Local Port
  • Standard TCP/IP Port
  • USB Monitor
  • WSD Port

Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.

ID: T1013
Tactic: Persistence, Privilege Escalation
Platform: Windows
Permissions Required: Administrator, SYSTEM
Effective Permissions: SYSTEM
Data Sources: File monitoring, API monitoring, DLL monitoring, Windows Registry, Process monitoring
Contributors: Stefan Kanthak; Travis Smith, Tripwire
Version: 1.0

Procedure Examples

Name Description
APT38 APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system. [3]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

  • Monitor process API calls to AddMonitor.
  • Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal.
  • New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious.
  • Monitor Registry writes to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.
  • Run the Autoruns utility, which checks this Registry key as a persistence mechanism. [4]
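The Registry check in the bullets above can be scripted. The following PowerShell is an added example and is not part of the ATT&CK page: it enumerates the subkeys under the Monitors key, reads each Driver value, and flags monitors absent from the default list given above, drivers specified as fully-qualified paths, and driver DLLs that are missing from disk or not validly signed. The mapping of default monitor names to DLL file names is an assumption about a stock Windows 10 install and should be replaced with a baseline taken from a known-good image of your own.

```powershell
# Added example (not from the ATT&CK page): audit installed print port monitors
# against a known-good baseline. Run in an elevated PowerShell on the host.

function Get-PortMonitorAudit {
    $monitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
    $system32    = Join-Path $env:SystemRoot 'System32'

    # Baseline: the default monitors the page lists, mapped to the driver DLL
    # each ships with on a stock Windows 10 install. ASSUMPTION: the monitor
    # names come from the page, the DLL names do not; verify against your gold image.
    $baseline = @{
        'Local Port'           = 'localspl.dll'
        'Standard TCP/IP Port' = 'tcpmon.dll'
        'USB Monitor'          = 'usbmon.dll'
        'WSD Port'             = 'WSDMon.dll'
    }

    Get-ChildItem -Path $monitorsKey | ForEach-Object {
        $name   = $_.PSChildName
        $driver = (Get-ItemProperty -Path $_.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
        $findings = @()

        # spoolsv.exe resolves a bare file name relative to System32; a
        # fully-qualified path is the variant that loads a DLL from anywhere.
        $resolved = $null
        if ($driver) {
            if ([System.IO.Path]::IsPathRooted($driver)) {
                $resolved  = $driver
                $findings += 'fully-qualified driver path'
            } else {
                $resolved = Join-Path $system32 $driver
            }
        } else {
            $findings += 'no Driver value'
        }

        if (-not $baseline.ContainsKey($name)) {
            $findings += 'monitor not in baseline'
        } elseif ($driver -and $baseline[$name] -ne $driver) {
            $findings += "driver differs from baseline ($($baseline[$name]))"
        }

        # Authenticode check on the DLL the spooler would actually load.
        $sigStatus = 'n/a'
        $signer    = 'n/a'
        if ($resolved) {
            if (Test-Path -LiteralPath $resolved) {
                $sig       = Get-AuthenticodeSignature -FilePath $resolved
                $sigStatus = $sig.Status
                $signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
                if ($sig.Status -ne 'Valid') { $findings += "signature $($sig.Status)" }
            } else {
                $findings += 'driver file missing on disk'
            }
        }

        [pscustomobject]@{
            Monitor   = $name
            Driver    = $driver
            Resolved  = $resolved
            Signature = $sigStatus
            Signer    = $signer
            Findings  = ($findings -join '; ')
        }
    }
}

# Usage: list every monitor, then only the ones with findings.
Get-PortMonitorAudit | Format-Table -AutoSize
Get-PortMonitorAudit | Where-Object { $_.Findings } | Format-List
```

A point-in-time audit like this catches a monitor that is already installed; to catch the installation itself, pair it with Registry write monitoring on the Monitors key and with image-load monitoring on spoolsv.exe, as the bullets above suggest. Because spoolsv.exe reads the key at service start, a DLL written to the key will not load until the spooler restarts or the machine reboots, so a write to the key with no corresponding DLL load yet is still worth investigating.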
