
T1547.010 Port Monitors

Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.[2] This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.[1] Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.

The Registry key contains entries for the following:

  • Local Port
  • Standard TCP/IP Port
  • USB Monitor
  • WSD Port

Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
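A defender-side check for the registry path described above, added here as an example and not part of the ATT&CK page: it parses a `reg export` of the Monitors key and flags subkeys outside a baseline or whose Driver value is a fully-qualified path rather than a bare DLL name resolved from System32. The four monitor names come from the page; the DLL names paired with them, the `Update Monitor` entry and the export text are constructed sample data, and the baseline should be replaced with one captured from a known-good host.

```python
import re

# Monitor names a stock Windows install registers under the key named on the
# page; the driver DLL beside each is an assumed baseline and should be
# replaced with one captured from a known-good host.
BASELINE = {"Local Port": "localspl.dll", "Standard TCP/IP Port": "tcpmon.dll",
            "USB Monitor": "usbmon.dll", "WSD Port": "WSDMon.dll"}
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors"
CHILD = re.compile(r"^\[" + re.escape(KEY) + r"\\([^\]\\]+)\]$")
DRIVER = re.compile(r'^"Driver"="(.*)"$')

def parse_reg_export(text):
    """Map each direct subkey of ...\\Print\\Monitors to its Driver value."""
    monitors, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):            # any key header resets context
            m = CHILD.match(line)
            current = m.group(1) if m else None
            if current:
                monitors.setdefault(current, None)
        elif current and (m := DRIVER.match(line)):
            monitors[current] = m.group(1).replace("\\\\", "\\")  # .reg escaping
    return monitors

def audit_monitors(monitors):
    """Return (monitor, driver, reason) for entries that deviate from baseline."""
    findings = []
    for name, driver in monitors.items():
        if name not in BASELINE:
            findings.append((name, driver, "monitor not in baseline"))
        elif driver is None or driver.lower() != BASELINE[name].lower():
            findings.append((name, driver, "unexpected Driver value"))
        if driver and ("\\" in driver or "/" in driver):
            # a fully-qualified path lets spoolsv.exe load from outside System32
            findings.append((name, driver, "fully-qualified Driver path"))
    return findings

# Constructed sample in 'reg export' format; the last entry is the anomaly.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "", f"[{KEY}]",
    rf"[{KEY}\Local Port]", '"Driver"="localspl.dll"',
    rf"[{KEY}\Standard TCP/IP Port]", '"Driver"="tcpmon.dll"',
    rf"[{KEY}\Standard TCP/IP Port\Ports]",           # nested key, no Driver
    rf"[{KEY}\USB Monitor]", '"Driver"="usbmon.dll"',
    rf"[{KEY}\WSD Port]", '"Driver"="WSDMon.dll"',
    rf"[{KEY}\Update Monitor]", r'"Driver"="C:\\Users\\Public\\updmon.dll"',
])

if __name__ == "__main__":
    for finding in audit_monitors(parse_reg_export(SAMPLE)):
        print(finding)
```

Findings from this check correlate with the Module Load and Windows Registry Key Modification data sources listed below: a flagged Driver value should be matched against spoolsv.exe loading that DLL.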

Item                  Value
ID                    T1547.010
Sub-techniques        T1547.001, T1547.002, T1547.003, T1547.004, T1547.005, T1547.006, T1547.007, T1547.008, T1547.009, T1547.010, T1547.012, T1547.013, T1547.014, T1547.015
Tactics               TA0003, TA0004
Platforms             Windows
Permissions required  Administrator, SYSTEM
Version               1.1
Created               24 January 2020
Last Modified         20 April 2022

Detection

ID      Data Source       Data Component
DS0022  File              File Creation
DS0011  Module            Module Load
DS0009  Process           OS API Execution
DS0024  Windows Registry  Windows Registry Key Modification

References