Local Port Monitor
|Tactic|Persistence, Privilege Escalation|
|Platform|Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2|
|Permissions Required|Administrator, SYSTEM|
|Data Sources|File monitoring, API monitoring, DLL monitoring, Windows Registry, Process monitoring|
A port monitor can be registered through the AddMonitor API call, which names a DLL that the print spooler loads at startup.[1] The DLL must reside in C:\Windows\System32, and the print spooler service, spoolsv.exe, loads it on boot.[2] Because spoolsv.exe runs as SYSTEM, an adversary who can register a monitor (which requires administrative rights) gains both persistence across reboots and execution of arbitrary code as SYSTEM.
The same effect can be achieved without calling the API, by writing specifically formatted Registry keys under the spooler's monitor configuration at
Detection
- Monitor process API calls to AddMonitor.
- Monitor the DLLs loaded by spoolsv.exe and investigate any that are unsigned, unexpected, or not part of a known port monitor.
- Treat new DLLs written to the System32 directory that do not correlate with known good software or patching as suspicious.
- Monitor registry writes to
- Run the Autoruns utility, which checks this Registry key as a persistence mechanism.[8]
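The detection items above can be combined into a single host-side sweep. The following PowerShell script is an added example written for this page, not code from MITRE or from any of the cited references. It reads the spooler's monitor registrations from HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors (the key the Print Spooler consults for installed port monitors), checks that each referenced DLL exists in System32 and carries a valid signature, compares the set against a baseline of Windows' built-in monitors, and then lists modules loaded into spoolsv.exe that sit outside System32 or fail signature validation. The baseline table and the seven-day "recently created" threshold are assumptions to tune for your environment; the script must run elevated to enumerate modules of the SYSTEM-owned spooler process.

```powershell
# Example baseline of port monitors shipped with Windows (assumption: verify
# against a clean reference build of the same Windows version before relying on it).
$knownMonitors = @{
    'Local Port'                   = 'localspl.dll'
    'Standard TCP/IP Port'         = 'tcpmon.dll'
    'USB Monitor'                  = 'usbmon.dll'
    'WSD Port'                     = 'WSDMon.dll'
    'LPR Port'                     = 'lprmon.dll'
    'Microsoft Shared Fax Monitor' = 'FXSMON.DLL'
}

function Get-SuspiciousPortMonitors {
    param(
        [string]$MonitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors',
        [hashtable]$Baseline = $knownMonitors,
        [int]$RecentDays = 7   # assumption: DLLs younger than this are worth a look
    )
    $system32 = Join-Path $env:SystemRoot 'System32'

    Get-ChildItem -Path $MonitorsKey | ForEach-Object {
        $name   = $_.PSChildName
        # The 'Driver' value names the DLL that spoolsv.exe will load from System32.
        $driver = (Get-ItemProperty -Path $_.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
        if (-not $driver) { return }   # a monitor key without a Driver value loads nothing

        $dllPath  = Join-Path $system32 $driver
        $findings = @()

        if (-not $Baseline.ContainsKey($name)) {
            $findings += 'monitor name not in baseline'
        } elseif ($Baseline[$name] -ne $driver) {
            $findings += "driver changed from $($Baseline[$name]) to $driver"
        }

        if (Test-Path -LiteralPath $dllPath) {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            if ($sig.Status -ne 'Valid') {
                $findings += "signature status $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $findings += "signed by non-Microsoft publisher: $($sig.SignerCertificate.Subject)"
            }
            $age = (Get-Date) - (Get-Item -LiteralPath $dllPath).CreationTime
            if ($age.TotalDays -lt $RecentDays) {
                $findings += "DLL created $([int]$age.TotalDays) day(s) ago"
            }
        } else {
            # A registered monitor whose DLL is missing is also worth noting:
            # an attacker may stage the key first and drop the DLL later.
            $findings += 'driver DLL not found in System32'
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Monitor  = $name
                Driver   = $driver
                Path     = $dllPath
                Findings = ($findings -join '; ')
            }
        }
    }
}

function Get-UnexpectedSpoolerModules {
    # Requires elevation: spoolsv.exe runs as SYSTEM.
    $spooler = Get-Process -Name spoolsv -ErrorAction SilentlyContinue
    if (-not $spooler) { Write-Warning 'spoolsv.exe is not running'; return }

    $system32 = Join-Path $env:SystemRoot 'System32'
    $spooler.Modules | Where-Object {
        ($_.FileName -notlike "$system32\*") -or
        ((Get-AuthenticodeSignature -FilePath $_.FileName).Status -ne 'Valid')
    } | Select-Object ModuleName, FileName
}

# Usage (run as Administrator):
Get-SuspiciousPortMonitors | Format-Table -AutoSize
Get-UnexpectedSpoolerModules | Format-Table -AutoSize
```

A monitor that appears in the registry but whose DLL is not yet loaded into spoolsv.exe only takes effect after the spooler restarts, so the two functions are complementary: the registry check catches staged persistence, the module check catches code already running. Note that a port monitor DLL loads into a 64-bit spooler only if it is itself 64-bit, so the module enumeration must be run from a PowerShell process of the same bitness as spoolsv.exe.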
References
1. Microsoft. (n.d.). AddMonitor function. Retrieved November 12, 2014.
2. Bloxham, B. (n.d.). Getting Windows to Play with Itself [PowerPoint slides]. Retrieved November 12, 2014.
3. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda? Retrieved November 18, 2014.
4. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
5. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
6. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
7. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
8. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.