Port Monitors
A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.
The Registry key contains entries for the following:
* Local Port
* Standard TCP/IP Port
* USB Monitor
* WSD Port
Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
Mitigations |
|
| Mitigation | Description |
|---|---|
| Port Monitors Mitigation |
Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by processes running under SYSTEM permissions. |
Detection
* Monitor process API calls to (Citation: AddMonitor).
* Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal.
* New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious.
* Monitor Registry writes to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.
* Run the Autoruns utility, which checks for this Registry key as a persistence mechanism (Citation: TechNet Autoruns)
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.