Details

    • Type: Task
    • Status: To Do
    • Priority: Medium
    • Resolution: Unresolved
    • Labels:
      None

      Description

A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in <code>C:\Windows\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>.

      The Registry key contains entries for the following:

      • Local Port
      • Standard TCP/IP Port
      • USB Monitor
      • WSD Port

      Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
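The following audit script is an added example, not part of the ATT&CK entry or this ticket. It enumerates the Monitors key described above and flags any subkey that deviates from the four documented entries, carries a fully-qualified DLL path instead of a bare name, or points at a DLL that is missing, unsigned, or not Microsoft-signed. It assumes each monitor subkey stores its DLL in a REG_SZ value named <code>Driver</code> and that it is run in an elevated session on the host being checked.

```powershell
# Added example: audit print spooler port monitors for persistence (defender view).
# Assumption: each monitor subkey has a "Driver" value naming the DLL that spoolsv.exe loads.
$monitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$expected    = @('Local Port', 'Standard TCP/IP Port', 'USB Monitor', 'WSD Port')  # baseline from the description
$system32    = Join-Path $env:SystemRoot 'System32'

Get-ChildItem -Path $monitorsKey | ForEach-Object {
    $name    = $_.PSChildName
    $driver  = (Get-ItemProperty -Path $_.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
    $reasons = @()

    # 1. Any monitor name outside the documented baseline deserves a look.
    if ($expected -notcontains $name) { $reasons += 'monitor name not in documented baseline' }

    # 2. Built-in monitors use a bare DLL name resolved from System32; a rooted path is the
    #    "arbitrary DLL" case the description mentions.
    if (-not $driver) {
        $reasons += 'no Driver value'
    } elseif ($driver -match '[\\/]') {
        $reasons += 'Driver is a fully-qualified path rather than a bare DLL name'
    }

    # 3. Check that the DLL exists and carries a valid Microsoft signature.
    if ($driver) {
        $dllPath = if ([System.IO.Path]::IsPathRooted($driver)) { $driver } else { Join-Path $system32 $driver }
        if (-not (Test-Path -LiteralPath $dllPath)) {
            $reasons += "DLL not found at $dllPath"
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $reasons += "signed by $($sig.SignerCertificate.Subject)"
            }
        }
    }

    [pscustomobject]@{
        Monitor    = $name
        Driver     = $driver
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
} | Format-Table -AutoSize -Wrap
```

Built-in monitor DLLs are catalog-signed, so a host whose PowerShell cannot evaluate catalog signatures may report them as NotSigned; treat the rooted-path and unknown-name findings as the higher-fidelity signals and confirm the signature result with sigcheck or a file hash lookup.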

      People

      • Assignee: Unassigned
      • Reporter: Mauricio V.