Add Port Monitor Persistence in Registry (944e8941-f6f6-4ee8-ac05-1c224e923c0e)

Adversaries may use port monitors to run an attacker-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be registered through the AddMonitor API call, which sets a DLL to be loaded at startup.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Port Monitors - T1547.010 (43881e51-ac74-445b-b4c6-f9f9e9bf23fe) | Attack Pattern | Add Port Monitor Persistence in Registry (944e8941-f6f6-4ee8-ac05-1c224e923c0e) | Sigma-Rules | 1 |
| Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | Port Monitors - T1547.010 (43881e51-ac74-445b-b4c6-f9f9e9bf23fe) | Attack Pattern | 2 |