T1547.010: Port Monitors
| View on MITRE ATT&CK | T1547.010 |
|---|---|
| Tactic(s) | Persistence, Privilege Escalation |
Data from MITRE ATT&CK®:
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.
The Registry key contains entries for the following:
- Local Port
- Standard TCP/IP Port
- USB Monitor
- WSD Port
Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
How to detect this technique
MITRE ATT&CK Data Components
- Windows Registry Key Modification (Windows Registry): Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)
- File Creation (File): Initial construction of a new file (ex: Sysmon EID 11)
- OS API Execution (Process): Operating system function/method calls executed by a process
- Module Load (Module): Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
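The following is an added example, not code from the ATT&CK page or from MITRE, showing how the two data components above that have concrete event sources (Sysmon EID 13 for registry value sets, Sysmon EID 7 for module loads) can be turned into a triage check for this technique. It assumes Sysmon is already logging writes under the Print\Monitors key and image loads into spoolsv.exe, and it assumes a baseline of the four default monitor subkeys and the Driver DLLs they point to on a stock Windows 10 install (the DLL names are an assumption; only the subkey names come from the page). The sample events are constructed.

```python
"""Triage of Sysmon events for T1547.010 (Port Monitors).

Added example, not part of the ATT&CK page or any project. It flags
(a) registry writes under the Print\Monitors key, escalating when a new
monitor subkey appears, when a Driver value is a fully-qualified path, or
when a stock monitor's Driver is repointed, and (b) DLLs loaded by
spoolsv.exe from outside System32 or without a valid signature.
"""
import ntpath

MONITORS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors"
SYSTEM32 = r"C:\Windows\System32"

# Assumed baseline for a stock Windows 10 install: subkey name -> Driver DLL.
# The subkey names are from the ATT&CK text; the DLL names are an assumption.
BASELINE_MONITORS = {
    "Local Port": "localspl.dll",
    "Standard TCP/IP Port": "tcpmon.dll",
    "USB Monitor": "usbmon.dll",
    "WSD Port": "WSDMon.dll",
}


def _under_monitors(target: str) -> bool:
    """Case-insensitive check that a registry path sits below the Monitors key."""
    return target.lower().startswith(MONITORS_KEY.lower() + "\\")


def triage_registry_event(ev: dict) -> list[str]:
    """Findings for a Sysmon EID 13 (RegistryEvent: value set) record."""
    findings: list[str] = []
    if int(ev.get("EventID", 0)) != 13:
        return findings
    target = ev.get("TargetObject", "")
    if not _under_monitors(target):
        return findings
    parts = target[len(MONITORS_KEY) + 1:].split("\\")
    monitor = parts[0]
    value_name = parts[-1] if len(parts) > 1 else ""
    findings.append(f"write under Print\\Monitors by {ev.get('Image', '?')}: {target}")
    if monitor not in BASELINE_MONITORS:
        findings.append(f"new port monitor subkey: {monitor!r}")
    if value_name.lower() == "driver":
        driver = ev.get("Details", "")
        if "\\" in driver or "/" in driver:
            # A bare name is resolved from System32; a full path can point anywhere.
            findings.append(f"fully-qualified Driver path: {driver}")
        elif monitor in BASELINE_MONITORS and driver.lower() != BASELINE_MONITORS[monitor].lower():
            findings.append(f"baseline monitor {monitor!r} repointed to {driver}")
    return findings


def triage_module_load(ev: dict) -> list[str]:
    """Findings for a Sysmon EID 7 (ImageLoaded) record raised by spoolsv.exe."""
    findings: list[str] = []
    if int(ev.get("EventID", 0)) != 7:
        return findings
    if ntpath.basename(ev.get("Image", "")).lower() != "spoolsv.exe":
        return findings
    loaded = ev.get("ImageLoaded", "")
    if not loaded.lower().startswith(SYSTEM32.lower() + "\\"):
        findings.append(f"spoolsv.exe loaded DLL outside System32: {loaded}")
    if ev.get("Signed", "").lower() != "true":
        findings.append(f"spoolsv.exe loaded unsigned DLL: {loaded}")
    return findings


def triage(events) -> list[str]:
    """Run both checks over a sequence of Sysmon records."""
    out: list[str] = []
    for ev in events:
        out.extend(triage_registry_event(ev))
        out.extend(triage_module_load(ev))
    return out


# Constructed sample events; field names follow Sysmon's EventData layout.
SAMPLE_EVENTS = [
    # Benign: the spooler loads the stock Local Port monitor from System32.
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\localspl.dll", "Signed": "true"},
    # Suspicious: new monitor subkey whose Driver is a fully-qualified path.
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": MONITORS_KEY + r"\Example Monitor\Driver",
     "Details": r"C:\Users\alice\AppData\Local\Temp\example.dll"},
    # Suspicious: the spooler then loads that DLL from a user-writable directory.
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\example.dll", "Signed": "false"},
    # Unrelated registry write elsewhere under Print: ignored.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Foo\Status",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

In production the records would come from a SIEM or from `Get-WinEvent` exports rather than the inline list, and the baseline should be captured from a known-good host rather than hard-coded; the generic "write under Print\Monitors" finding is worth keeping even when nothing else fires, because legitimate changes to that key are rare outside printer driver installs.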