Boot or Logon Autostart Execution: Port Monitors (T1547.010)

Tactics: Persistence, Privilege Escalation · Platforms: Windows

The interactive view maps 1 detection strategy to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Boot or Logon Autostart Execution (T1547).

Overview

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. This DLL can be located in C:\Windows\System32 and will be loaded and run by the print spooler service, `spoolsv.exe`, under SYSTEM level permissions on boot.

Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to the `Driver` value of an existing or new arbitrarily named subkey of HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. The Registry key contains entries for the following:

* Local Port * Standard TCP/IP Port * USB Monitor * WSD Port

Explore