T1547.010SubTechniquepersistenceprivilege-escalationagent-callable

T1547.010Port Monitors

Sub-technique of T1547

Platforms: Windows

ATT&CK version: 14.1

What it is

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in <code>C:\Windows\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>. The Registry key contains entries for the following: * Local Port * Standard TCP/IP Port * USB Monitor * WSD Port Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.

ATT&CK tactics· 2

PersistencePrivilege Escalation

References

  1. https://attack.mitre.org/techniques/T1547/010
  2. https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
  3. http://msdn.microsoft.com/en-us/library/dd183341
  4. https://technet.microsoft.com/en-us/sysinternals/bb963902
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.