Find sigma rule
Attack: Boot or Logon Autostart Execution: Port Monitors
Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded and run by the print spooler service, spoolsv.exe, under SYSTEM level permissions on boot.(Citation: Bloxham)
Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to the Driver value of an existing or new arbitrarily named subkey of HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. The Registry key contains entries for the following:
- Local Port
- Standard TCP/IP Port
- USB Monitor
- WSD Port
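From the detection side, the registry path above is the thing to watch. The following is an added example (not code from the page or from the Sigma project) that scans constructed Sysmon Event ID 13 (registry value set) records and flags any write to a Driver value under the Monitors key, ranking a fully-qualified path highest because that is the variant that lets spoolsv.exe load a DLL from outside System32; the event field names follow Sysmon's schema and the sample events are constructed for illustration.

```python
import re

# Built-in monitor subkeys named on the page; any other name is a new monitor.
BUILTIN_MONITORS = {"Local Port", "Standard TCP/IP Port", "USB Monitor", "WSD Port"}

# Driver value of any subkey under HKLM\SYSTEM\...\Control\Print\Monitors
DRIVER_VALUE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Control\\Print\\Monitors\\"
    r"(?P<monitor>[^\\]+)\\Driver$",
    re.IGNORECASE,
)

def classify(event):
    """Return a finding for a Sysmon Event ID 13 record, or None if not relevant."""
    if event.get("EventID") != 13:
        return None
    m = DRIVER_VALUE.match(event.get("TargetObject", ""))
    if not m:
        return None
    monitor = m.group("monitor")
    dll = event.get("Details", "").strip()
    if "\\" in dll or "/" in dll:
        # Fully qualified path: spoolsv.exe loads the DLL from wherever the
        # writer pointed, not only from C:\Windows\System32.
        severity, reason = "critical", "Driver value holds a full DLL path"
    elif monitor in BUILTIN_MONITORS:
        severity, reason = "high", "Driver DLL of a built-in monitor changed"
    else:
        severity, reason = "high", "new port monitor subkey registered"
    return {"severity": severity, "monitor": monitor, "dll": dll,
            "image": event.get("Image", "?"), "reason": reason}

def scan(events):
    """Run classify over an event stream and return the list of findings."""
    return [f for f in map(classify, events) if f]

# Constructed sample events (Sysmon Event ID 13 fields), not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Example Monitor\Driver",
     "Details": "example.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Driver",
     "Details": r"C:\Users\Public\example.dll"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port\Driver",
     "Details": "monitor.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Example\Driver", "Details": "other.dll"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['reason']}: {f['monitor']} -> {f['dll']} ({f['image']})")
```

Writes to this key are rare on a healthy host, so any hit is worth triage; a stable baseline of the four built-in monitors lets a SOC suppress known installer activity while keeping the full-path case always visible.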
MITRE
Tactic:
- privilege-escalation
- persistence
Technique:
- T1547.010
Test: Add Port Monitor persistence in Registry
OS
- windows
Description:
Add a key-value pair to the Windows Port Monitor registry key. On the subsequent reboot the DLL will be executed under spoolsv.exe with NT AUTHORITY\SYSTEM privileges.
Executor
command_prompt
Sigma Rule
- registry_set_add_port_monitor.yml (id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e)
- registry_set_asep_reg_keys_modification_currentcontrolset.yml (id: f674e36a-4b91-431e-8aef-f8a96c2aca35)