Esc
There are no digital artifacts defined on this offensive technique (yet). Please consider contributing an addition to D3FEND.
Port Monitors - T1013
(ATT&CK® Technique)
Definition
A port monitor can be set through the API call to set a DLL to be loaded at startup. This DLL can be located in C:\Windows\System32
and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
.
D3FEND Inferred Relationships
There are no digital artifacts defined on this offensive technique (yet). Please consider contributing an addition to D3FEND.