Potential Port Monitor or Print Processor Registration Abuse

calendar Sep 5, 2023 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Privilege Escalation Data Source: Elastic Endgame Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/01/21"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print
13processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or
14persistence, if permissions allow writing a fully-qualified pathname for that DLL.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Port Monitor or Print Processor Registration Abuse"
21references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"]
22risk_score = 47
23rule_id = "8f3e91c7-d791-4704-80a1-42c160d7aa27"
24severity = "medium"
25tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
26timestamp_override = "event.ingested"
27type = "eql"
28
29query = '''
30registry where host.os.type == "windows" and event.type in ("creation", "change") and
31  registry.path : (
32      "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
33      "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*",
34      "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
35      "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*"
36  ) and registry.data.strings : "*.dll" and
37  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */
38  not user.id : "S-1-5-18"
39'''
40
41
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44[[rule.threat.technique]]
45id = "T1547"
46name = "Boot or Logon Autostart Execution"
47reference = "https://attack.mitre.org/techniques/T1547/"
48[[rule.threat.technique.subtechnique]]
49id = "T1547.010"
50name = "Port Monitors"
51reference = "https://attack.mitre.org/techniques/T1547/010/"
52
53
54
55[rule.threat.tactic]
56id = "TA0004"
57name = "Privilege Escalation"
58reference = "https://attack.mitre.org/tactics/TA0004/"
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1547"
63name = "Boot or Logon Autostart Execution"
64reference = "https://attack.mitre.org/techniques/T1547/"
65[[rule.threat.technique.subtechnique]]
66id = "T1547.010"
67name = "Port Monitors"
68reference = "https://attack.mitre.org/techniques/T1547/010/"
69
70
71
72[rule.threat.tactic]
73id = "TA0003"
74name = "Persistence"
75reference = "https://attack.mitre.org/tactics/TA0003/"

References

  • No “Game over” for the Winnti Group

    ESET researchers have discovered a new, modular backdoor that they named PipeMon and that was used by the Winnti Group against several South Korea- and Taiwan-based companies that develop MMO (Massively Multiplayer Online) games.


    Read More

Related rules

to-top