Boot or Logon Autostart Execution: Port Monitors (T1547.010)
Tactics: Persistence, Privilege Escalation · Platforms: Windows
The interactive view maps 1 detection strategy to this technique, alongside D3FEND countermeasures and data-component coverage.
Sub-technique of Boot or Logon Autostart Execution (T1547).
Overview
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. This DLL can be located in C:\Windows\System32 and will be loaded and run by the print spooler service, `spoolsv.exe`, under SYSTEM level permissions on boot.
Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to the `Driver` value of an existing or new arbitrarily named subkey of HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. The Registry key contains entries for the following:
* Local Port * Standard TCP/IP Port * USB Monitor * WSD Port