Installation of Port Monitor

A port monitor can be registered by calling the AddMonitor API with a path to a DLL. Attackers can abuse this functionality to establish persistence.

id: dce405ba-0f30-4278-b6c6-80d57847ba6b
categories: hunt
confidence: low
os: windows
created: 7/26/2019
updated: 7/26/2019

MITRE ATT&CK™ Mapping

tactics: Privilege Escalation, Persistence
techniques: T1013 Port Monitors

Query

registry where registry_path == "*ControlSet*\\Control\\Print\\Monitors*"
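Because this is a low-confidence hunt, most hits will be ordinary printing activity. The following is an added example, not part of the original analytic: it applies the query's wildcard to constructed registry events and reduces the hits to the monitor DLLs that are not in a baseline. The registry_data field, the "Driver" value name, the sample events and the baseline are assumptions.

```python
import re

# Wildcard from the query above (one backslash per separator once unescaped).
PATTERN = r"*ControlSet*\Control\Print\Monitors*"

def wildcard_to_regex(pattern):
    """Turn a '*' wildcard string into an anchored regex.
    Assumption: string comparison is case-insensitive."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)

MONITORS = wildcard_to_regex(PATTERN)
# Assumption (not on the page): the monitor DLL is stored in a value
# named "Driver" directly under the monitor's own key.
DRIVER_VALUE = re.compile(
    r"\\Control\\Print\\Monitors\\([^\\]+)\\Driver$", re.IGNORECASE)

def hunt(events):
    """Return (hits, drivers): events matching the query, and a
    monitor-name -> DLL map built from the Driver writes among them."""
    hits = [e for e in events if MONITORS.match(e["registry_path"])]
    drivers = {}
    for e in hits:
        m = DRIVER_VALUE.search(e["registry_path"])
        if m:
            drivers[m.group(1)] = e.get("registry_data", "")
    return hits, drivers

def unexpected(drivers, baseline):
    """Keep only monitors whose DLL is absent from the baseline."""
    known = {dll.lower() for dll in baseline}
    return {n: d for n, d in drivers.items() if d.lower() not in known}

# Constructed sample events; registry_data is an assumed field name.
ROOT = "HKLM\\SYSTEM\\"
SAMPLE_EVENTS = [
    {"registry_path": ROOT + r"ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Driver", "registry_data": "tcpmon.dll"},
    {"registry_path": ROOT + r"CurrentControlSet\Control\Print\Monitors\Example Monitor\Driver", "registry_data": "example.dll"},
    {"registry_path": ROOT + r"ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports\StatusUpdateInterval", "registry_data": "10"},
    {"registry_path": ROOT + r"ControlSet001\Control\Print\Printers\Example Printer\Name", "registry_data": "Example Printer"},
]
# Constructed baseline; build the real one from your own fleet.
BASELINE = {"localspl.dll", "tcpmon.dll", "usbmon.dll"}

if __name__ == "__main__":
    hits, drivers = hunt(SAMPLE_EVENTS)
    print(len(hits), "hits; review:", unexpected(drivers, BASELINE))
```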

Contributors