Local Port Monitor

From ATT&CK
Technique: Local Port Monitor
ID: T1013
Tactic: Persistence, Privilege Escalation
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
Permissions Required: Administrator, SYSTEM
Effective Permissions: SYSTEM
Data Sources: File monitoring, API monitoring, DLL monitoring, Windows Registry, Process monitoring
Contributors: Stefan Kanthak

A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.[1] This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot.[2] Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.[2] The spoolsv.exe process also runs under SYSTEM level permissions.

Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.

Mitigation

Identify and block potentially malicious software that may persist in this manner by using whitelisting[3] tools capable of monitoring DLL loads by processes running under SYSTEM permissions.

Detection

  • Monitor process API calls to AddMonitor.
  • Monitor DLLs loaded by spoolsv.exe for any that are abnormal.
  • New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious.
  • Monitor registry writes to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.
  • Run the Autoruns utility, which checks for this Registry key as a persistence mechanism.[4]
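The registry-write and DLL-load checks from the list above, as an added example that is not part of the ATT&CK entry: two rules run over constructed Sysmon-style key=value log lines. The event IDs (13 for a registry value set, 7 for an image load) and field names follow Sysmon; the benign-load rule "signed and located directly in System32" is an assumption to tune against a clean reference host.

```python
import re
from collections import namedtuple

# Locations the technique depends on (from the ATT&CK entry above), lower-cased for matching.
MONITORS_KEY = r"hklm\system\currentcontrolset\control\print\monitors"
SYSTEM32 = r"c:\windows\system32"
Finding = namedtuple("Finding", "rule dll line")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse a 'Key=Value Key2="quoted value"' line into a dict (Sysmon-like shape)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def split_path(path):
    """Return (lower-cased directory, lower-cased file name) of a Windows path."""
    p = path.lower().replace("/", "\\")
    d, _, name = p.rpartition("\\")
    return d, name

def classify(line):
    """Apply the two detections from the page to one event; None when it looks benign."""
    ev = parse_event(line)
    eid = ev.get("EventID")
    # Rule 1: any value written under Print\Monitors (Sysmon EventID 13, RegistryValueSet).
    if eid == "13" and ev.get("TargetObject", "").lower().startswith(MONITORS_KEY):
        return Finding("print_monitors_registry_write", ev.get("Details", ""), line)
    # Rule 2: spoolsv.exe loading a DLL (EventID 7, ImageLoaded) that sits outside
    # System32 or is unsigned. Assumption: shipped monitor DLLs are signed and in System32.
    if eid == "7" and split_path(ev.get("Image", ""))[1] == "spoolsv.exe":
        loaded = ev.get("ImageLoaded", "")
        directory, _ = split_path(loaded)
        if directory != SYSTEM32 or ev.get("Signed", "").lower() != "true":
            return Finding("spoolsv_abnormal_dll_load", loaded, line)
    return None

def scan(lines):
    """Run classify() over every log line and collect the findings."""
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample log, not a real capture: a normal tcpmon.dll load, a new monitor
# registered under Print\Monitors, the spooler loading that unsigned DLL, and an
# unrelated Run-key write that must not trigger.
SAMPLE_LOG = r"""
EventID=7 Image=C:\Windows\System32\spoolsv.exe ImageLoaded=C:\Windows\System32\tcpmon.dll Signed=true
EventID=13 Image=C:\Windows\regedit.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ExampleMon\Driver Details=C:\Windows\System32\examplemon.dll
EventID=7 Image=C:\Windows\System32\spoolsv.exe ImageLoaded=C:\Windows\System32\examplemon.dll Signed=false
EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater Details=C:\Tools\updater.exe
""".strip().splitlines()
```

`scan(SAMPLE_LOG)` returns two findings: the Print\Monitors write and the unsigned examplemon.dll load; the tcpmon.dll load and the Run-key write pass.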