
T1547.010 Port Monitors in MITRE ATT&CK Explained

Written by Sıla Özeren Hacıoğlu | Mar 28, 2026 7:30:00 AM

What Is T1547.010 Port Monitors in MITRE ATT&CK?

T1547.010 Port Monitors is a technique in the MITRE ATT&CK framework under the Persistence tactic. It refers to the use of port monitors in Windows, which are typically employed to facilitate communication between the system and printers. These port monitors are responsible for handling print jobs and managing communication between the print spooler service and the printer.

Adversaries can abuse port monitors by adding or replacing a port monitor DLL through the Windows Registry, ensuring that their malicious code is loaded and executed with SYSTEM privileges whenever the Print Spooler service starts during system boot. This gives the attacker both persistence and a route to privilege escalation on the compromised host.

To read about the other sub-techniques of T1547 Boot or Logon Autostart Execution, you can visit the related hub blog.

Adversary Use of T1547.010 Port Monitors

Adversaries exploit Windows port monitors to establish persistence and potentially escalate privileges by ensuring their malicious code executes during system boot with high-level permissions. Port monitors, integral to the printing process, are managed by the Print Spooler service (spoolsv.exe), which operates with SYSTEM-level privileges.

To leverage this, an adversary can register a custom port monitor that points to a malicious DLL to be loaded at startup. This can be achieved by invoking the AddMonitor API, designating the malicious DLL as the monitor's driver. Alternatively, the adversary can directly modify the Windows Registry at HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors, creating a new subkey for the port monitor and setting its "Driver" value to the name of the malicious DLL. The DLL is typically placed in the C:\Windows\System32 directory, both because the spooler resolves monitor DLL names relative to that directory and because it blends in with legitimate system files there.

Upon the next system boot, the Print Spooler service loads all registered port monitor DLLs, including the malicious one, executing it with SYSTEM privileges. This grants the adversary persistent and elevated access to the system, allowing them to perform unauthorized actions and maintain control over the compromised environment.

This technique is particularly insidious because it abuses legitimate system functionality, so the resulting registry entries and DLL loads look like ordinary print subsystem configuration. Monitoring for unexpected modifications to the registry keys under Control\Print\Monitors, and scrutinizing the DLLs loaded by the Print Spooler service against a known-good baseline, can help identify such activity.
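The following PowerShell script is an added example for defenders and is not part of the original post or of any Picus product. It audits the registry location described above and cross-checks it against the modules actually mapped into spoolsv.exe. The built-in monitor baseline embedded in the script is an assumption taken from a typical Windows 10/11 install; rebuild it from a trusted reference host in your own environment before relying on it.

```powershell
# Added example (not from the original post): audit registered print port
# monitors and flag entries that deviate from a known-good baseline.
# Run from an elevated PowerShell session so spoolsv.exe modules can be read.

$MonitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'

# ASSUMED baseline of built-in monitors (monitor name -> Driver value).
# Generate your own from a clean reference machine; this list is illustrative.
$Baseline = @{
    'Local Port'                   = 'localspl.dll'
    'Standard TCP/IP Port'         = 'tcpmon.dll'
    'USB Monitor'                  = 'usbmon.dll'
    'WSD Port'                     = 'WSDMon.dll'
    'LPR Port'                     = 'lprmon.dll'
    'Microsoft Shared Fax Monitor' = 'FXSMON.DLL'
    'Appmon'                       = 'AppMon.dll'
}

function Get-PortMonitorAudit {
    # One object per subkey under ...\Print\Monitors, with the reasons it looks suspicious (if any)
    foreach ($sub in Get-ChildItem -Path $MonitorsKey -ErrorAction Stop) {
        $name   = $sub.PSChildName
        $driver = (Get-ItemProperty -Path $sub.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
        if (-not $driver) { continue }

        # The spooler resolves a bare file name relative to System32
        $rooted = [System.IO.Path]::IsPathRooted($driver)
        $path   = if ($rooted) { $driver } else { Join-Path $env:SystemRoot "System32\$driver" }

        $sig = if (Test-Path -LiteralPath $path) {
            (Get-AuthenticodeSignature -FilePath $path).Status
        } else { 'Missing' }

        $reasons = @()
        if (-not $Baseline.ContainsKey($name))      { $reasons += 'UnknownMonitorName' }
        elseif ($Baseline[$name] -ne $driver)        { $reasons += 'DriverMismatch' }
        if ($rooted)                                 { $reasons += 'AbsolutePath' }
        if ($sig -ne 'Valid')                        { $reasons += "Signature:$sig" }

        [pscustomobject]@{
            Monitor    = $name
            Driver     = $driver
            Path       = $path
            Signature  = $sig
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join ',')
        }
    }
}

function Get-SpoolerModuleAudit {
    # Cross-check: which DLLs mapped into the running spooler are not validly Microsoft-signed?
    $spooler = Get-Process -Name spoolsv -ErrorAction SilentlyContinue
    if (-not $spooler) { return }
    foreach ($m in $spooler.Modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($sig.Status -ne 'Valid' -or $subject -notmatch 'Microsoft') {
            [pscustomobject]@{ Module = $m.FileName; Status = $sig.Status; Signer = $subject }
        }
    }
}

Get-PortMonitorAudit    | Format-Table -AutoSize
Get-SpoolerModuleAudit  | Format-Table -AutoSize
```

Any row flagged UnknownMonitorName, DriverMismatch, AbsolutePath or a non-Valid signature deserves a look, as does any module in the second table. For continuous detection rather than a point-in-time audit, the same two signals map naturally onto Sysmon: registry value writes under Control\Print\Monitors (Event ID 13) and image loads by spoolsv.exe from unexpected paths or with unsigned images (Event ID 7).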
