|Registry Run Keys / Startup Folder
|Winlogon Helper DLL
|Security Support Provider
|Kernel Modules and Extensions
|XDG Autostart Entries
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the
AddMonitor API call to set a DLL to be loaded at startup. This DLL can be located in
C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to
The Registry key contains entries for the following:
Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Monitor newly constructed files that may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious.
|OS API Execution
Monitor process API calls to
|Windows Registry Key Modification
Monitor Registry writes to