Add Port Monitor Persistence in Registry

calendar Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.t1547.010  ·
Share on: linkedin copy

Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.

Sigma rule (View on GitHub)

 1title: Add Port Monitor Persistence in Registry
 2id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e
 3status: test
 4description: |
 5    Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
 6    A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
 9author: frack113
10date: 2021-12-30
11modified: 2024-03-25
12tags:
13    - attack.privilege-escalation
14    - attack.persistence
15    - attack.t1547.010
16logsource:
17    category: registry_set
18    product: windows
19detection:
20    selection:
21        TargetObject|contains: '\Control\Print\Monitors\'
22        Details|endswith: '.dll'
23    filter_optional_cutepdf:
24        Image: 'C:\Windows\System32\spoolsv.exe'
25        TargetObject|contains: '\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver'
26        Details: 'cpwmon64_v40.dll'
27        User|contains: # covers many language settings
28            - 'AUTHORI'
29            - 'AUTORI'
30    filter_optional_monvnc:
31        TargetObject|contains: '\Control\Print\Monitors\MONVNC\Driver'
32    filter_optional_vnc:
33        TargetObject|contains|all:
34            - 'Control\Print\Environments\'
35            - '\Drivers\'
36            - '\VNC Printer'
37    condition: selection and not 1 of filter_optional_*
38falsepositives:
39    - Unknown
40level: medium

References

Related rules

to-top