T1547.010
Port Monitors
Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the `AddMonitor` API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in `C:\Windows\System32` and will be loaded and run by the print spooler service, `spoolsv.exe`, under SYSTEM level permissions on boot.(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if ...
Platform: Windows
Detections: 6
Sources: 3
Threat Actors: 0

By source: sigma (4), elastic (1), splunk_escu (1)
PROCEDURES (4)
Persist: 3 detections (auto-extracted)
Registry: 1 detection (auto-extracted)
Registry Monitoring: 1 detection (auto-extracted)
Process Creation Monitoring: 1 detection (auto-extracted)
DETECTIONS (6)
Add Port Monitor Persistence in Registry (sigma, medium)
Bypass UAC Using Event Viewer (sigma, high)
Default RDP Port Changed to Non Standard Port (sigma, high)
Monitor Registry Keys for Print Monitors (splunk_escu)
Potential Port Monitor or Print Processor Registration Abuse (elastic, medium)
Potential Suspicious Activity Using SeCEdit (sigma, medium)