MITRE ATT&CK Technique
Description
A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in <code>C:\Windows\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>.

The Registry key contains entries for the following:

* Local Port
* Standard TCP/IP Port
* USB Monitor
* WSD Port

Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.
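One way to review the monitor registrations described above, as an added example that is not part of the ATT&CK entry. It assumes each monitor subkey names its DLL in a `Driver` value; the function name `Get-PortMonitorAudit` and the flag names are hypothetical.

```powershell
# Added example: list port monitor registrations and flag entries for review.
$MonitorsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
# Monitor names the description lists as entries of this key.
$ListedMonitors = 'Local Port', 'Standard TCP/IP Port', 'USB Monitor', 'WSD Port'
$System32       = Join-Path $env:SystemRoot 'System32'

function Get-PortMonitorAudit {
    foreach ($key in Get-ChildItem -Path $MonitorsKey -ErrorAction Stop) {
        # Assumption: the DLL loaded by spoolsv.exe is named in the "Driver" value.
        $driver = $key.GetValue('Driver')
        $flags  = @()
        $path   = $null

        if ([string]::IsNullOrWhiteSpace($driver)) {
            $flags += 'NoDriverValue'
        } else {
            $driver = [Environment]::ExpandEnvironmentVariables($driver)
            $rooted = [IO.Path]::IsPathRooted($driver)
            # A bare file name is resolved against System32, as the description states.
            $path   = if ($rooted) { $driver } else { Join-Path $System32 $driver }

            if ($rooted) { $flags += 'FullyQualifiedPath' }
            if ($rooted -and -not $path.StartsWith("$System32\", [StringComparison]::OrdinalIgnoreCase)) {
                $flags += 'OutsideSystem32'
            }
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                # Catalog-signed system files can report NotSigned on older
                # PowerShell versions, so this flag is a prompt to review.
                $status = (Get-AuthenticodeSignature -LiteralPath $path).Status
                if ($status -ne 'Valid') { $flags += "Signature:$status" }
            } else {
                $flags += 'FileMissing'
            }
        }
        # Printer vendors register their own monitors, so an unlisted name is
        # a review item rather than a verdict.
        if ($key.PSChildName -notin $ListedMonitors) { $flags += 'UnlistedMonitor' }

        [pscustomobject]@{
            Monitor      = $key.PSChildName
            Driver       = $driver
            ResolvedPath = $path
            Flags        = $flags -join ','
        }
    }
}

Get-PortMonitorAudit | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Comparing the output against a known-good baseline for the same OS build separates vendor-installed monitors from unexpected ones.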
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:30:26.057Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'A port monitor can be set through the (Citation: AddMonitor) '
'API call to set a DLL to be loaded at startup. (Citation: '
'AddMonitor) This DLL can be located in '
'<code>C:\\Windows\\System32</code> and will be loaded by the '
'print spooler service, spoolsv.exe, on boot. The spoolsv.exe '
'process also runs under SYSTEM level permissions. (Citation: '
'Bloxham) Alternatively, an arbitrary DLL can be loaded if '
'permissions allow writing a fully-qualified pathname for that '
'DLL to '
'<code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors</code>. \n'
'\n'
'The Registry key contains entries for the following:\n'
'\n'
'* Local Port\n'
'* Standard TCP/IP Port\n'
'* USB Monitor\n'
'* WSD Port\n'
'\n'
'Adversaries can use this technique to load malicious code at '
'startup that will persist on system reboot and execute as '
'SYSTEM.',
'external_references': [{'external_id': 'T1013',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1013'},
{'description': 'Microsoft. (n.d.). AddMonitor '
'function. Retrieved November 12, '
'2014.',
'source_name': 'AddMonitor',
'url': 'http://msdn.microsoft.com/en-us/library/dd183341'},
{'description': 'Bloxham, B. (n.d.). Getting Windows '
'to Play with Itself [PowerPoint '
'slides]. Retrieved November 12, '
'2014.',
'source_name': 'Bloxham',
'url': 'https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf'},
{'description': 'Russinovich, M. (2016, January 4). '
'Autoruns for Windows v13.51. '
'Retrieved June 6, 2016.',
'source_name': 'TechNet Autoruns',
'url': 'https://technet.microsoft.com/en-us/sysinternals/bb963902'}],
'id': 'attack-pattern--1f47e2fd-fa77-4f2f-88ee-e85df308f125',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:48:30.037Z',
'name': 'Port Monitors',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Stefan Kanthak', 'Travis Smith, Tripwire'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}