MITRE ATT&CK® Detection Strategy

DET0204: Detection Strategy for T1547.010 – Port Monitor DLL Persistence via spoolsv.exe (Windows)


Enterprise | DET0204 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0204 is a MITRE detection strategy object for identifying persistence or privilege escalation through Windows Port Monitors, where a DLL can be loaded by the print spooler service, spoolsv.exe, at boot under SYSTEM permissions. The business issue is not just malware on a host; it is a privileged persistence point that can survive reboot and complicate containment, recovery, and audit confidence if endpoint and Windows service telemetry are incomplete.

Executive priority

Prioritize this as a resilience and incident-readiness validation item for Windows environments that rely on printing services. Leaders should ask whether SOC and IR teams can prove visibility into privileged DLL loading by spoolsv.exe, changes related to port monitor configuration, and suspicious DLL placement in sensitive Windows locations. Because the ATT&CK detection strategy has no official detection text supplied, coverage should be treated as something to validate with local telemetry rather than assumed from tool ownership.

Technical view

This detection strategy covers ATT&CK T1547.010 Port Monitors, a Windows persistence and privilege escalation sub-technique in which a DLL registered as a port monitor is loaded by the print spooler service, spoolsv.exe, at boot and therefore runs as SYSTEM. Defenders should validate whether endpoint logging can show spoolsv.exe service start and boot-time behavior, DLL loads by the spooler, and the registration change that causes a port monitor DLL to be loaded. Triage should focus on unexpected or newly introduced DLLs loaded by spoolsv.exe, especially where the file location, signing status, load timing, or host role does not match the organization's printing baseline. Because no official DET0204 detection logic is provided, teams should build and test detections from the related technique context rather than treating the strategy as implementation-ready.

Likely telemetry

  • Endpoint process telemetry for spoolsv.exe and service start behavior
  • Module or DLL load telemetry showing libraries loaded by spoolsv.exe
  • File creation or modification telemetry for DLLs in sensitive Windows directories such as C:\Windows\System32 when available
  • Windows registry or system-change telemetry for port monitor registration, whether made through the AddMonitor API or by a direct write to the Monitors key (HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors), where collected
  • EDR enrichment such as file signer, hash, path, parent process, user context, and first-seen timestamps

Detection direction

  • Baseline legitimate spoolsv.exe DLL load patterns on print servers and workstations to reduce false positives from normal printer software and driver activity.
  • Alert on unusual or newly observed DLLs loaded by spoolsv.exe, particularly loads at service start or boot; because the spooler runs as SYSTEM, any such DLL executes with SYSTEM privileges.
  • Correlate DLL-load events with recent file writes, configuration changes, or administrative activity on the same host.
  • Separate higher-risk systems that require print services from systems where print spooler activity is unexpected or unnecessary.
  • Document blind spots: many environments do not collect module-load telemetry at scale, and the official ATT&CK object supplies no concrete detection logic.
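The baseline, alert, and correlate steps above as runnable detection logic, written for this page as an added example (it is not code from Glexia, MITRE, Microsoft or any vendor). It runs over constructed Sysmon-style events: Event ID 7 image loads, Event ID 11 file creates, and Event ID 13 registry value sets. The host names, file names, baseline module list, scoring weights and the 24-hour correlation window are assumptions chosen for illustration; the Monitors registry path is the standard location for port monitor registration.

```python
"""Correlate Sysmon-style telemetry to surface a DLL newly loaded by spoolsv.exe.

Added illustration for this page; hypothetical detection logic, not from MITRE,
Glexia, Microsoft or any vendor. Event dictionaries mimic Sysmon Event ID 7
(ImageLoad), 11 (FileCreate) and 13 (RegistryEvent, value set); every sample
event below is constructed.
"""
from datetime import datetime, timedelta

SPOOLER = r"c:\windows\system32\spoolsv.exe"
# Standard registry location for port monitor registration (compared lowercased).
MONITORS_KEY = "hklm\\system\\currentcontrolset\\control\\print\\monitors\\"

# Constructed baseline: modules seen loading into spoolsv.exe on known-good hosts.
# In practice, build this from a learning period on print servers and workstations.
BASELINE_MODULES = {
    r"c:\windows\system32\localspl.dll",
    r"c:\windows\system32\tcpmon.dll",
    r"c:\windows\system32\usbmon.dll",
}


def _ts(value):
    """Parse the UtcTime string used in the sample events."""
    return datetime.fromisoformat(value)


def find_spooler_persistence(events, baseline=BASELINE_MODULES, window=timedelta(hours=24)):
    """Return one finding per non-baseline DLL loaded by spoolsv.exe.

    Score = number of independent reasons: module absent from baseline,
    module unsigned, the file was written on the same host within `window`
    before the load, and a Monitors registry value naming the DLL was set on
    the same host within `window` before the load.
    """
    loads = [e for e in events if e["EventID"] == 7 and e["Image"].lower() == SPOOLER]
    writes = [e for e in events if e["EventID"] == 11]
    regs = [e for e in events if e["EventID"] == 13
            and e["TargetObject"].lower().startswith(MONITORS_KEY)]

    def within(earlier, later):
        return later - window <= earlier <= later

    findings = []
    for load in loads:
        dll = load["ImageLoaded"].lower()
        if dll in baseline:
            continue  # known-good spooler module for this environment
        loaded_at = _ts(load["UtcTime"])
        reasons = ["module not in spoolsv.exe baseline"]
        if load.get("Signed", "false").lower() != "true":
            reasons.append("module unsigned")
        for w in writes:
            if (w["Computer"] == load["Computer"] and w["TargetFilename"].lower() == dll
                    and within(_ts(w["UtcTime"]), loaded_at)):
                reasons.append(f"file written by {w['Image']} at {w['UtcTime']}")
        file_name = dll.rsplit("\\", 1)[-1]
        for r in regs:
            if (r["Computer"] == load["Computer"] and file_name in r["Details"].lower()
                    and within(_ts(r["UtcTime"]), loaded_at)):
                reasons.append(f"Monitors value {r['TargetObject']} set to {r['Details']} by {r['Image']}")
        findings.append({
            "host": load["Computer"], "module": dll, "utc": load["UtcTime"],
            "score": len(reasons), "reasons": reasons,
        })
    # Highest-scoring finding first: the one with supporting file and registry context.
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample telemetry from two hosts.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-05-01T07:58:10", "Computer": "PRINT01",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Print\Monitors\Example Port\Driver",
     "Details": "example.dll"},
    {"EventID": 11, "UtcTime": "2024-05-01T07:58:30", "Computer": "PRINT01",
     "Image": r"C:\Users\admin\stage.exe",
     "TargetFilename": r"C:\Windows\System32\example.dll"},
    # Boot-time loads by the spooler after the change above.
    {"EventID": 7, "UtcTime": "2024-05-01T08:03:00", "Computer": "PRINT01",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\example.dll", "Signed": "false"},
    {"EventID": 7, "UtcTime": "2024-05-01T08:03:01", "Computer": "PRINT01",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\localspl.dll", "Signed": "true"},
    # A signed, non-baseline module on a workstation: worth a look, but low score.
    {"EventID": 7, "UtcTime": "2024-05-01T08:03:02", "Computer": "WS07",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendormon.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for f in find_spooler_persistence(SAMPLE_EVENTS):
        print(f"{f['host']} score={f['score']} {f['module']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

On the constructed sample the PRINT01 load of example.dll scores 4 (new module, unsigned, recent file write, recent Monitors value), while the signed vendor module on WS07 scores 1 and would normally be resolved by adding it to the baseline once confirmed legitimate. Without Event ID 7 module-load telemetry the function returns nothing at all, which is the blind spot the last bullet above describes; the registry and file events alone should then be alerted on directly.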

Mitigation priorities

  • Confirm which Windows systems require print spooler and port monitor functionality and reduce unnecessary exposure where operationally feasible.
  • Restrict administrative capability to introduce or modify print-related components and monitor privileged changes.
  • Use allowlisting, file integrity monitoring, or controlled change processes for DLLs in sensitive Windows locations where practical.
  • Ensure incident response playbooks include persistence review for spoolsv.exe and port monitor-related artifacts after containment.
  • Use detection testing to produce compliance-ready evidence that privileged persistence paths are monitored, rather than relying on policy assertions.

Analyst notes and limits

The object itself is a detection strategy for T1547.010 but does not include an official description, detection procedure, platforms, or tactics. The practical guidance above is derived from the supplied relationship to the Port Monitors technique, which states that adversary-supplied DLLs may be loaded by spoolsv.exe at boot under SYSTEM permissions.

This take does not assert active exploitation, attribution, guaranteed detectability, or vendor coverage. Local validation is required because ATT&CK provides no DET0204 detection logic and the object platform fields are not specified; Windows relevance comes from the related T1547.010 technique context.

Official MITRE ATT&CK definition

Detection Strategy for T1547.010 – Port Monitor DLL Persistence via spoolsv.exe (Windows)

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1547.010 | Port Monitors (sub-technique) | This object detects Port Monitors.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e4181157d9ddeabf...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | e4181157d9dd…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack, DET0204.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.