Skip to content

DET0204 Detection Strategy for T1547.010 – Port Monitor DLL Persistence via spoolsv.exe (Windows)

Item Value
ID DET0204
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1547.010 (Port Monitors)

Analytics

Windows

AN0580

Detects suspicious registry modifications under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\*\Driver, DLL loads by spoolsv.exe of non-standard or unsigned modules, and abnormal usage of the AddMonitor API by non-installation processes. This pattern often indicates an attempt to persist a malicious DLL via the print monitor mechanism, particularly when correlated with creation of files in C:\Windows\System32 not tied to known patches or installations.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Windows Registry Key Modification (DC0063) WinEventLog:Sysmon EventCode=13
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
OS API Execution (DC0021) WinEventLog:Application API call to AddMonitor invoked by non-installer process
Mutable Elements
Field Description
TargetDLLDirectory Expected directory path for legitimate monitor DLLs (e.g., C:\Windows\System32)
SignedImageValidation Enable/disable signature validation on DLLs loaded by spoolsv.exe
UserContextScope Define whether only SYSTEM/user installs are expected to make changes to the port monitor registry keys
TimeWindow Timeframe between registry modification and subsequent spoolsv.exe DLL load
AddMonitorCallContext Filter on calling process of AddMonitor API to detect anomalies outside installer/updater