T1547.010 - Boot or Logon Autostart Execution: Port Monitors
Description from ATT&CK (opens in a new tab)
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the
AddMonitor
API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located inC:\Windows\System32
and will be loaded and run by the print spooler service,spoolsv.exe
, under SYSTEM level permissions on boot.(Citation: Bloxham)Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to the
Driver
value of an existing or new arbitrarily named subkey ofHKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
. The Registry key contains entries for the following:
- Local Port
- Standard TCP/IP Port
- USB Monitor
- WSD Port
Atomic Tests
Atomic Test #1 - Add Port Monitor persistence in Registry
Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot DLL will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege.
Supported Platforms: Windows
auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
monitor_dll | Addition to port monitor registry key. Normally refers to a DLL name in C:\Windows\System32 but an arbitrary DLL can be specified with the absolute path. | path | $PathToAtomicsFolder\T1547.010\bin\PortMonitor.dll |
Attack Commands: Run with command_prompt
! Elevation Required (e.g. root or admin)
reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam" /v "Driver" /d "#{monitor_dll}" /t REG_SZ /f
Cleanup Commands:
reg delete "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam" /f >nul 2>&1