Boot or Logon Autostart Execution: Port Monitors

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.[1] This DLL can be located in C:\Windows\System32 and will be loaded and run by the print spooler service, spoolsv.exe, under SYSTEM level permissions on boot.[2]

Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to the Driver value of an existing or new arbitrarily named subkey of HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. The Registry key contains entries for the following:

  • Local Port
  • Standard TCP/IP Port
  • USB Monitor
  • WSD Port
ID: T1547.010
Sub-technique of:  T1547
Platforms: Windows
Permissions Required: Administrator, SYSTEM
Effective Permissions: SYSTEM
Contributors: Harun Küßner; Stefan Kanthak; Travis Smith, Tripwire
Version: 1.2
Created: 24 January 2020
Last Modified: 12 April 2024

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0022 File File Creation

Monitor newly constructed files that may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.

DS0011 Module Module Load

Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious.

DS0009 Process OS API Execution

Monitor process API calls to AddMonitor.[1]

DS0024 Windows Registry Windows Registry Key Modification

Monitor Registry writes to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. Run the Autoruns utility, which checks for this Registry key as a persistence mechanism [3]

References