Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through theAddMonitorAPI call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located inC:\Windows\System32and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL toHKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.The Registry key contains entries for the following:
- Local Port
- Standard TCP/IP Port
- USB Monitor
- WSD Port
Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| monitor_dll | Addition to port monitor registry key. Normally refers to a DLL name in C:\Windows\System32. arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL. | Path | C:\Path\AtomicRedTeam.dll |
reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZreg delete "hklm\system\currentcontrolset\control\print\monitors\ART"