Potential Port Monitor or Print Processor Registration Abuse
Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.
Elastic rule
[metadata]
creation_date = "2021/01/21"
integration = ["endpoint", "m365_defender"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print
processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or
persistence, if permissions allow writing a fully-qualified pathname for that DLL.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Port Monitor or Print Processor Registration Abuse"
references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"]
risk_score = 47
rule_id = "8f3e91c7-d791-4704-80a1-42c160d7aa27"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.path : (
    "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
    "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*",
    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*"
  ) and registry.data.strings : "*.dll" and
  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */
  not user.id : "S-1-5-18"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Port Monitor or Print Processor Registration Abuse

Port monitors and print processors are integral to Windows printing, managing data flow and processing print jobs. Adversaries exploit these by registering malicious DLLs, which execute with SYSTEM privileges at boot, enabling persistence and privilege escalation. The detection rule identifies registry changes in specific paths, focusing on non-SYSTEM user modifications, to flag potential abuse.

### Possible investigation steps

- Review the registry path specified in the alert to confirm the presence of any unauthorized or suspicious DLLs in the paths: HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\* and HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*.
- Identify the user account associated with the registry change by examining the user.id field, ensuring it is not the SYSTEM account (S-1-5-18), and determine if the account has a legitimate reason to modify these registry paths.
- Check the file properties and digital signatures of the DLLs found in the registry paths to verify their legitimacy and identify any anomalies or signs of tampering.
- Investigate the system's event logs around the time of the registry change to gather additional context, such as other activities performed by the same user or related processes that might indicate malicious behavior.
- Conduct a threat intelligence search on the identified DLLs and any associated file hashes to determine if they are known to be associated with malicious activity or threat actors.
- Assess the system for any signs of privilege escalation or persistence mechanisms that may have been established as a result of the registry modification, such as new services or scheduled tasks.

### False positive analysis

- Legitimate software installations or updates may modify print processor or port monitor registry paths. Users should verify if recent installations or updates coincide with the detected changes.
- System administrators performing maintenance or configuration changes might trigger alerts. Ensure that such activities are documented and cross-referenced with the alert timestamps.
- Some third-party printing solutions may register their own DLLs in these registry paths. Identify and whitelist these known applications to prevent unnecessary alerts.
- Automated scripts or management tools that modify printer settings could cause false positives. Review and adjust these tools to ensure they operate under expected user accounts or exclude their known behaviors.
- Regularly review and update the exclusion list to include any new benign applications or processes that interact with the monitored registry paths.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
- Terminate any suspicious processes associated with the malicious DLLs identified in the registry paths to halt their execution.
- Remove the unauthorized DLL entries from the registry paths: HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\* and HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\* to eliminate persistence mechanisms.
- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or remnants.
- Review and reset credentials for any accounts that may have been compromised, especially those with elevated privileges, to prevent unauthorized access.
- Implement application whitelisting to prevent unauthorized DLLs from executing, focusing on the paths identified in the alert.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected, ensuring comprehensive threat containment and eradication."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.010"
name = "Port Monitors"
reference = "https://attack.mitre.org/techniques/T1547/010/"

[[rule.threat.technique.subtechnique]]
id = "T1547.012"
name = "Print Processors"
reference = "https://attack.mitre.org/techniques/T1547/012/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.010"
name = "Port Monitors"
reference = "https://attack.mitre.org/techniques/T1547/010/"

[[rule.threat.technique.subtechnique]]
id = "T1547.012"
name = "Print Processors"
reference = "https://attack.mitre.org/techniques/T1547/012/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
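To make the query's matching logic concrete, and to show how the allow-listing suggested in the false positive analysis would sit on top of it, here is an added Python emulation of the rule run over constructed ECS-style registry events. This is not Elastic's code and not how the EQL engine is implemented: it reproduces the rule's four conditions (watched path, DLL value, non-SYSTEM SID, Windows change event) with a hand-built wildcard matcher, and the `allowed_executables` parameter and the `process.executable` field it reads are a hypothetical extension beyond the rule, not part of the query. The path patterns are the rule's own with the TOML double-escaping undone; all sample events, SIDs, file names and the `VendorPrint` vendor are constructed.

```python
import re

# Registry paths watched by the rule (single backslashes here; the TOML query
# double-escapes them). EQL's ":" operator is a case-insensitive wildcard
# comparison, so every pattern below is compiled to an equivalent regex.
MONITORED_PATHS = (
    r"HKLM\SYSTEM\*ControlSet*\Control\Print\Monitors\*",
    r"HKLM\SYSTEM\*ControlSet*\Control\Print\Environments\Windows*\Print Processors\*",
    r"\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Print\Monitors\*",
    r"\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Print\Environments\Windows*\Print Processors\*",
)
SYSTEM_SID = "S-1-5-18"  # LocalSystem; the rule excludes changes made by this SID


def eql_match(value: str, pattern: str) -> bool:
    """Emulate EQL's `field : "pattern"`: case-insensitive, `*` matches anything."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def _dll_values(event: dict) -> list:
    data = event.get("registry.data.strings", [])
    values = [data] if isinstance(data, str) else list(data)
    return [v for v in values if eql_match(v, "*.dll")]


def rule_matches(event: dict, allowed_executables: tuple = ()) -> bool:
    """True when the event satisfies the rule's query.

    `allowed_executables` is a hypothetical extension (not in the rule): wildcard
    patterns for installers of known printing software, as the rule's
    false-positive analysis suggests allow-listing.
    """
    if event.get("host.os.type") != "windows" or event.get("event.type") != "change":
        return False
    if not any(eql_match(event.get("registry.path", ""), p) for p in MONITORED_PATHS):
        return False
    if not _dll_values(event):
        return False
    if eql_match(event.get("user.id", ""), SYSTEM_SID):
        return False
    exe = event.get("process.executable", "")
    return not any(eql_match(exe, p) for p in allowed_executables)


def triage_summary(event: dict) -> dict:
    """The fields an analyst needs first: who wrote which DLL path to which key."""
    return {"user": event.get("user.id"), "path": event.get("registry.path"),
            "dlls": _dll_values(event), "process": event.get("process.executable")}


def run_rule(events, allowed_executables=()):
    return [triage_summary(e) for e in events if rule_matches(e, allowed_executables)]


# Constructed sample events in ECS field naming (not real telemetry).
SAMPLE_EVENTS = [
    {   # 1: non-SYSTEM user registers a port monitor DLL -> alert
        "host.os.type": "windows", "event.type": "change", "user.id": "S-1-5-21-1000-2000-3000-1105",
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Demo Monitor\Driver",
        "registry.data.strings": [r"C:\Users\Public\demomon.dll"],
        "process.executable": r"C:\Users\Public\setup.exe",
    },
    {   # 2: same write performed as SYSTEM (spooler itself) -> excluded by the rule
        "host.os.type": "windows", "event.type": "change", "user.id": "S-1-5-18",
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Demo Monitor\Driver",
        "registry.data.strings": [r"C:\Windows\System32\demomon.dll"],
        "process.executable": r"C:\Windows\System32\spoolsv.exe",
    },
    {   # 3: print processor registered, NT-native path spelling, bare DLL name -> alert
        "host.os.type": "windows", "event.type": "change", "user.id": "S-1-5-21-1000-2000-3000-500",
        "registry.path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\demoproc\Driver",
        "registry.data.strings": "demoproc.dll",
        "process.executable": r"C:\Windows\System32\reg.exe",
    },
    {   # 4: value under a watched key that is not a DLL path -> no alert
        "host.os.type": "windows", "event.type": "change", "user.id": "S-1-5-21-1000-2000-3000-1105",
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port\Ports",
        "registry.data.strings": ["LPT1:", "COM1:"],
        "process.executable": r"C:\Windows\System32\spoolsv.exe",
    },
    {   # 5: vendor installer -> alert by the rule, suppressed only when allow-listed
        "host.os.type": "windows", "event.type": "change", "user.id": "S-1-5-21-1000-2000-3000-1105",
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Vendor Monitor\Driver",
        "registry.data.strings": [r"C:\Program Files\VendorPrint\vendormon.dll"],
        "process.executable": r"C:\Program Files\VendorPrint\install.exe",
    },
]

ALLOWED = (r"C:\Program Files\VendorPrint\*",)  # hypothetical allow list

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
    print("hits with allow list:", len(run_rule(SAMPLE_EVENTS, ALLOWED)))
```

Running it yields three hits (events 1, 3 and 5) without the allow list and two with it. Event 2 shows the rule's main blind spot, which is also the reason for the exclusion: a DLL registered through the spooler or a SYSTEM-context installer is invisible to this query, so the investigation steps above still apply to entries written by S-1-5-18 that turn up during a manual review of the keys. Keep any allow list keyed on the full installer path rather than the DLL name, since the value itself is attacker-controlled.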
Related rules
- Creation or Modification of a new GPO Scheduled Task or Service
- Persistence via PowerShell profile
- Persistence via TelemetryController Scheduled Task Hijack
- Potential Escalation via Vulnerable MSI Repair
- Potential Exploitation of an Unquoted Service Path Vulnerability