T1547.010 Port Monitors
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor
API call to set a DLL to be loaded at startup.2 This DLL can be located in C:\Windows\System32
and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.1 Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
.
The Registry key contains entries for the following:
- Local Port
- Standard TCP/IP Port
- USB Monitor
- WSD Port
Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
Item | Value |
---|---|
ID | T1547.010 |
Sub-techniques | T1547.001, T1547.002, T1547.003, T1547.004, T1547.005, T1547.006, T1547.007, T1547.008, T1547.009, T1547.010, T1547.012, T1547.013, T1547.014, T1547.015 |
Tactics | TA0003, TA0004 |
Platforms | Windows |
Permissions required | Administrator, SYSTEM |
Version | 1.1 |
Created | 24 January 2020 |
Last Modified | 20 April 2022 |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Creation |
DS0011 | Module | Module Load |
DS0009 | Process | OS API Execution |
DS0024 | Windows Registry | Windows Registry Key Modification |