We're updating the issue view to help you get more done. 

Port Monitors

Description

A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in <code>C:\Windows\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>.

The Registry key contains entries for the following:

  • Local Port

  • Standard TCP/IP Port

  • USB Monitor

  • WSD Port

Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.

id

T1013

tactic

persistence

datasources

Process monitoring
File monitoring
API monitoring
Windows Registry
DLL monitoring

maturity

Not Tracked

Assignee

Unassigned
Configure