
Local Port Monitor

Veramine edited this page Jul 7, 2017 · 3 revisions

A port monitor is registered through the AddMonitor API call, which makes the print spooler service, spoolsv.exe, load the monitor's DLL immediately and again at every boot. The DLL is normally located in C:\Windows\System32. Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors (each monitor is a subkey there whose Driver value names the DLL). Because spoolsv.exe runs with SYSTEM-level permissions, adversaries can use this technique to load malicious code at startup that persists across reboots and executes as SYSTEM. You can read more about this attacker tactic and its use in the wild at https://attack.mitre.org/wiki/Technique/T1013.

Veramine's detection engine highlights additions to, and modifications of, registry keys under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors, as can be seen in the following example detection:

However, we have seen instances where a call to AddMonitor does not write a Monitors registry entry. For example, if the DLL being loaded is not a valid port monitor (it does not export the functions the spooler requires of a monitor, or they fail), the Print Spooler will load and execute the potentially malicious DLL and then immediately unload it, leaving no trace in the registry. Such an operation would be very difficult to discover without a solution that tracks image loads. For this reason, the Veramine detection engine also highlights any unknown, new, or suspicious DLL image loads by the Print Spooler service. Here's an example where the Print Spooler loaded a new DLL for the first time at a particular customer:

The ricA5Hcd.dll in this particular case was a legitimate RICOH printer driver DLL that happened to be unsigned, which added to the detection engine's suspicion of the file. When the Veramine product is first installed, most of the Print Spooler unknown-DLL image load detections will not be related to malware infections; only over time, as "normal" for the host is learned automatically, does the fidelity of this detection improve. For this reason, detections from this algorithm are marked with "Low" severity and are most useful when combined with other related indicators.
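The two detection paths described above (writes under the Monitors key, and first-seen DLL loads by spoolsv.exe) as a small stand-alone example. This is added illustration code, not Veramine's engine or its output format: it runs over constructed Sysmon-style events (Event ID 13 SetValue and Event ID 7 ImageLoad field names); the monitor name "Example Monitor", the file name vplant_rogue.dll for the load-and-unload case and the "Medium" severity for registry writes are assumptions, while the "Low" severity for image loads follows the text.

```python
"""Toy detection logic for port-monitor persistence, run over constructed
Sysmon-style events. Added example; not the Veramine product's code."""
import ntpath
from dataclasses import dataclass

MONITORS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors"
SPOOLER_IMAGE = r"C:\Windows\System32\spoolsv.exe"


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str   # "Medium" for registry writes is an assumption; "Low" for loads follows the page
    subject: str
    note: str


class PortMonitorDetector:
    """Stateful detector: remembers which DLLs spoolsv.exe has already been seen
    loading, so each new DLL alerts once and the baseline of 'normal' grows over time."""

    def __init__(self, known_spooler_dlls=()):
        self.known = {p.lower() for p in known_spooler_dlls}

    def process(self, events):
        alerts = []
        # DLL names that some Monitors\<name>\Driver value pointed at in this batch
        registered = set()
        for ev in events:
            if ev["id"] not in (12, 13):
                continue
            target = ev["TargetObject"]
            if not target.lower().startswith(MONITORS_KEY.lower()):
                continue
            alerts.append(Alert("port_monitor_registry", "Medium", target,
                                f"written by {ev['Image']}"))
            if ev["id"] == 13 and target.lower().endswith(r"\driver"):
                registered.add(ntpath.basename(ev["Details"]).lower())
        for ev in events:
            if ev["id"] != 7 or ev["Image"].lower() != SPOOLER_IMAGE.lower():
                continue
            dll = ev["ImageLoaded"]
            if dll.lower() in self.known:
                continue            # already baselined: no repeat alert
            self.known.add(dll.lower())
            reasons = ["first time spoolsv.exe loaded this DLL"]
            if ev.get("Signed", "").lower() != "true":
                reasons.append("unsigned")
            if ntpath.basename(dll).lower() not in registered:
                # the load-and-unload case: nothing under Monitors names this DLL
                reasons.append("no Monitors\\...\\Driver value names it (possible load-and-unload)")
            alerts.append(Alert("spooler_unknown_image_load", "Low", dll, "; ".join(reasons)))
        return alerts


# Constructed sample events (not real telemetry), loosely modelled on Sysmon
# Event ID 7 (ImageLoad) and 13 (RegistryEvent: SetValue). Monitor name and
# vplant_rogue.dll are assumed names for illustration.
SAMPLE_EVENTS = [
    # normal spooler activity: a signed DLL already in the baseline
    {"id": 7, "Image": SPOOLER_IMAGE,
     "ImageLoaded": r"C:\Windows\System32\localspl.dll", "Signed": "true"},
    # run 1: a legitimate monitor copied to vplant.dll; AddMonitor loads it
    # and then writes Monitors\Example Monitor\Driver = vplant.dll
    {"id": 7, "Image": SPOOLER_IMAGE,
     "ImageLoaded": r"C:\Windows\System32\vplant.dll", "Signed": "true"},
    {"id": 13, "Image": r"C:\Users\admin\spoolsvMonitorPlant32.exe",
     "TargetObject": MONITORS_KEY + r"\Example Monitor\Driver", "Details": "vplant.dll"},
    # run 2: a rogue DLL without the required exports is loaded and immediately
    # unloaded by the spooler; nothing is written under Monitors
    {"id": 7, "Image": SPOOLER_IMAGE,
     "ImageLoaded": r"C:\Windows\System32\vplant_rogue.dll", "Signed": "false"},
    # unrelated load by another process: must not alert
    {"id": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
]


def run_sample():
    det = PortMonitorDetector(known_spooler_dlls=[r"C:\Windows\System32\localspl.dll"])
    return det.process(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] {a.rule}: {a.subject} ({a.note})")
```

The registry rule fires on every write under the Monitors key regardless of baseline, while the image-load rule only fires the first time the spooler is seen loading a given path, which is why re-running the same batch through the same detector yields only the registry alert. The rogue-DLL load gets the extra "possible load-and-unload" reason precisely because no Driver value ever named it, which is the case a registry-only detection would miss.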

To assist customers in testing this detection mechanism, we created and uploaded a small executable, spoolsvMonitorPlant32.exe, that calls AddMonitor passing in the path c:\windows\system32\vplant.dll. To test the Veramine Local Port Monitor detection, we recommend copying a legitimate port monitor DLL to c:\windows\system32\vplant.dll and then running spoolsvMonitorPlant32.exe on a system where the Veramine sensor is installed; this exercises both the registry detection and the image load detection. We can also make available a small rogue vplant.dll that writes to the debug log when loaded via AddMonitor but does not write to the registry, which exercises only the image load detection.