Potential Port Monitor or Print Processor Registration Abuse
Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitors and print processors to run malicious DLLs during system boot; those DLLs execute as SYSTEM, enabling privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for the DLL.
# Elastic prebuilt detection rule in the detection-rules TOML layout:
# [metadata] holds repository bookkeeping, [rule] holds the fields loaded into
# the SIEM, and each [[rule.threat]] entry maps the rule to MITRE ATT&CK.
[metadata]
creation_date = "2021/01/21"
# Integrations whose data streams the index patterns under [rule] read from.
integration = ["endpoint", "m365_defender"]
maturity = "production"
updated_date = "2024/10/10"

[rule]
author = ["Elastic"]
description = """
Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print
processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or
persistence, if permissions allow writing a fully-qualified pathname for that DLL.
"""
# Start of the lookback window for each run. Presumably chosen to overlap the
# rule's execution interval so late-arriving events are not missed; the
# interval itself is not set in this file.
from = "now-9m"
# One pattern per data source: Elastic Defend registry events, Elastic Endgame,
# and events forwarded by the m365_defender integration (Microsoft Defender for
# Endpoint).
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Port Monitor or Print Processor Registration Abuse"
# Background reading on observed abuse of these registry keys.
references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"]
risk_score = 47
rule_id = "8f3e91c7-d791-4704-80a1-42c160d7aa27"
severity = "medium"
# NOTE(review): only "Tactic: Privilege Escalation" is tagged, although the
# second [[rule.threat]] entry below also maps the rule to Persistence (TA0003);
# confirm whether a "Tactic: Persistence" tag is expected here.
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Privilege Escalation",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Microsoft Defender for Endpoint",
]
# Evaluate the time window against ingestion time rather than the event's own
# timestamp, so events that arrive late are still picked up by a run.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic (single-event EQL, no sequence):
#  - Windows registry "change" events only.
#  - registry.path is matched in both the HKLM\... form and the native
#    \REGISTRY\MACHINE\... form, presumably because the data sources above
#    differ in how they report the hive; "*ControlSet*" matches
#    CurrentControlSet as well as any ControlSet00N.
#  - The two watched subtrees are the Print Monitors key (T1547.010) and the
#    Print Processors key (T1547.012). Per the description, the value written
#    there names a DLL that runs at boot as SYSTEM, hence the requirement that
#    registry.data.strings end in ".dll".
#  - Changes made under the local SYSTEM SID (S-1-5-18) are excluded,
#    presumably to suppress legitimate changes by the print subsystem or by
#    installers running as SYSTEM. Tuning caveat: a modification performed from
#    an already-SYSTEM context will therefore not fire this rule; the exclusion
#    trades coverage for precision.
query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.path : (
    "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
    "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*",
    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*"
  ) and registry.data.strings : "*.dll" and
  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */
  not user.id : "S-1-5-18"
'''

# ATT&CK mapping. Each [[rule.threat]] entry carries exactly one tactic (the
# [rule.threat.tactic] table that closes it), so the same technique and
# sub-technique set is listed twice: once under Privilege Escalation (TA0004)
# and once under Persistence (TA0003). Sub-tables and nested [[...]] arrays
# between two [[rule.threat]] headers belong to the preceding entry.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.010"
name = "Port Monitors"
reference = "https://attack.mitre.org/techniques/T1547/010/"

[[rule.threat.technique.subtechnique]]
id = "T1547.012"
name = "Print Processors"
reference = "https://attack.mitre.org/techniques/T1547/012/"

# Tactic for the first threat entry.
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

# Second threat entry: identical technique mapping, Persistence tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.010"
name = "Port Monitors"
reference = "https://attack.mitre.org/techniques/T1547/010/"

[[rule.threat.technique.subtechnique]]
id = "T1547.012"
name = "Print Processors"
reference = "https://attack.mitre.org/techniques/T1547/012/"

# Tactic for the second threat entry.
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
References
Related rules
- Potential LSA Authentication Package Abuse
- Suspicious Print Spooler SPL File Created
- Office Test Registry Persistence
- Component Object Model Hijacking
- Suspicious Module Loaded by LSASS