Potential Port Monitor or Print Processor Registration Abuse
Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/21"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print
13processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or
14persistence, if permissions allow writing a fully-qualified pathname for that DLL.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.registry-*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Port Monitor or Print Processor Registration Abuse"
21references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"]
22risk_score = 47
23rule_id = "8f3e91c7-d791-4704-80a1-42c160d7aa27"
24severity = "medium"
25tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
26timestamp_override = "event.ingested"
27type = "eql"
28
29query = '''
30registry where host.os.type == "windows" and event.type in ("creation", "change") and
31 registry.path : (
32 "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
33 "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*",
34 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
35 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*"
36 ) and registry.data.strings : "*.dll" and
37 /* exclude SYSTEM SID - look for changes by non-SYSTEM user */
38 not user.id : "S-1-5-18"
39'''
40
41
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44[[rule.threat.technique]]
45id = "T1547"
46name = "Boot or Logon Autostart Execution"
47reference = "https://attack.mitre.org/techniques/T1547/"
48[[rule.threat.technique.subtechnique]]
49id = "T1547.010"
50name = "Port Monitors"
51reference = "https://attack.mitre.org/techniques/T1547/010/"
52[[rule.threat.technique.subtechnique]]
53id = "T1547.012"
54name = "Print Processors"
55reference = "https://attack.mitre.org/techniques/T1547/012/"
56
57
58
59[rule.threat.tactic]
60id = "TA0004"
61name = "Privilege Escalation"
62reference = "https://attack.mitre.org/tactics/TA0004/"
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1547"
67name = "Boot or Logon Autostart Execution"
68reference = "https://attack.mitre.org/techniques/T1547/"
69[[rule.threat.technique.subtechnique]]
70id = "T1547.010"
71name = "Port Monitors"
72reference = "https://attack.mitre.org/techniques/T1547/010/"
73[[rule.threat.technique.subtechnique]]
74id = "T1547.012"
75name = "Print Processors"
76reference = "https://attack.mitre.org/techniques/T1547/012/"
77
78
79
80[rule.threat.tactic]
81id = "TA0003"
82name = "Persistence"
83reference = "https://attack.mitre.org/tactics/TA0003/"
References
-
ESET researchers have discovered a new, modular backdoor that they named PipeMon and that was used by the Winnti Group against several South Korea- and Taiwan-based companies that develop MMO (Massively Multiplayer Online) games.
Read More
Related rules
- Bypass UAC via Event Viewer
- Component Object Model Hijacking
- Conhost Spawned By Suspicious Parent Process
- Creation or Modification of a new GPO Scheduled Task or Service
- Disabling User Account Control via Registry Modification