Potential Port Monitor or Print Processor Registration Abuse

Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/01/21"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/08/05"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print
11processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or
12persistence, if permissions allow writing a fully-qualified pathname for that DLL.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.registry-*", "endgame-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Potential Port Monitor or Print Processor Registration Abuse"
19references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"]
20risk_score = 47
21rule_id = "8f3e91c7-d791-4704-80a1-42c160d7aa27"
22severity = "medium"
23tags = [
24    "Domain: Endpoint",
25    "OS: Windows",
26    "Use Case: Threat Detection",
27    "Tactic: Privilege Escalation",
28    "Data Source: Elastic Endgame",
29    "Data Source: Elastic Defend",
30]
31timestamp_override = "event.ingested"
32type = "eql"
33
34query = '''
35registry where host.os.type == "windows" and event.type == "change" and
36  registry.path : (
37      "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
38      "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*",
39      "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
40      "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*"
41  ) and registry.data.strings : "*.dll" and
42  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */
43  not user.id : "S-1-5-18"
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1547"
51name = "Boot or Logon Autostart Execution"
52reference = "https://attack.mitre.org/techniques/T1547/"
53[[rule.threat.technique.subtechnique]]
54id = "T1547.010"
55name = "Port Monitors"
56reference = "https://attack.mitre.org/techniques/T1547/010/"
57
58[[rule.threat.technique.subtechnique]]
59id = "T1547.012"
60name = "Print Processors"
61reference = "https://attack.mitre.org/techniques/T1547/012/"
62
63
64
65[rule.threat.tactic]
66id = "TA0004"
67name = "Privilege Escalation"
68reference = "https://attack.mitre.org/tactics/TA0004/"
69[[rule.threat]]
70framework = "MITRE ATT&CK"
71[[rule.threat.technique]]
72id = "T1547"
73name = "Boot or Logon Autostart Execution"
74reference = "https://attack.mitre.org/techniques/T1547/"
75[[rule.threat.technique.subtechnique]]
76id = "T1547.010"
77name = "Port Monitors"
78reference = "https://attack.mitre.org/techniques/T1547/010/"
79
80[[rule.threat.technique.subtechnique]]
81id = "T1547.012"
82name = "Print Processors"
83reference = "https://attack.mitre.org/techniques/T1547/012/"
84
85
86
87[rule.threat.tactic]
88id = "TA0003"
89name = "Persistence"
90reference = "https://attack.mitre.org/tactics/TA0003/"

References

Related rules

to-top