Installation of Port Monitor
A port monitor can be registered by calling the AddMonitor API with a path to a DLL. Attackers can abuse this functionality to establish persistence.
| Field | Value |
|---|---|
| id | dce405ba-0f30-4278-b6c6-80d57847ba6b |
| categories | hunt |
| confidence | low |
| os | windows |
| created | 7/26/2019 |
| updated | 7/26/2019 |
MITRE ATT&CK™ Mapping
| Field | Value |
|---|---|
| tactics | Privilege Escalation, Persistence |
| techniques | T1013 Port Monitors |
Query
registry where registry_path == "*ControlSet*\\Control\\Print\\Monitors*"
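
As an added example (not part of the original analytic), the Python below applies the query's wildcard to constructed registry events and then narrows the hits to writes of a monitor's `Driver` value, which names the monitor DLL. It assumes case-insensitive `*` matching, and the event fields `process_name` and `registry_data` and all sample values are assumptions for illustration.

```python
import re

# Wildcard string from the page's query (the doubled backslashes there are string escapes).
PATTERN = r"*ControlSet*\Control\Print\Monitors*"

def wildcard_to_regex(pattern):
    """Compile a '*' wildcard string to a regex. Case-insensitive matching is an assumption."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)

MATCHER = wildcard_to_regex(PATTERN)

def run_query(events):
    """Events the page's query would return: any registry activity under the Monitors key."""
    return [e for e in events if MATCHER.match(e["registry_path"])]

def driver_changes(events):
    """Triage step (added here, not in the query): keep only writes to a monitor's
    Driver value, returned as (monitor name, DLL, writing process)."""
    out = []
    for e in run_query(events):
        tail = re.split(r"\\Print\\Monitors\\", e["registry_path"], flags=re.IGNORECASE)[-1]
        parts = tail.split("\\")
        if len(parts) == 2 and parts[1].lower() == "driver":
            out.append((parts[0], e["registry_data"], e["process_name"]))
    return out

# Constructed sample events; field names other than registry_path are assumed.
SAMPLE_EVENTS = [
    {"process_name": "spoolsv.exe", "registry_data": "192.0.2.10",
     "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports\IP_192.0.2.10\HostName"},
    {"process_name": "example.exe", "registry_data": r"C:\Users\Public\example.dll",
     "registry_path": r"HKLM\SYSTEM\ControlSet001\Control\Print\Monitors\ExampleMon\Driver"},
    {"process_name": "spoolsv.exe", "registry_data": "1",
     "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Example\Status"},
    {"process_name": "setup.exe", "registry_data": "vendormon.dll",
     "registry_path": r"hklm\system\currentcontrolset\control\print\monitors\Vendor Monitor\driver"},
]

if __name__ == "__main__":
    print(len(run_query(SAMPLE_EVENTS)), "events match the query")
    for monitor, dll, proc in driver_changes(SAMPLE_EVENTS):
        print(f"{monitor}: Driver={dll} (written by {proc})")
```

The query itself also returns routine port configuration under existing monitors, which is consistent with the analytic's low confidence rating; the `Driver` filter is one way to prioritize the results during a hunt.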