Potential Port Monitor or Print Processor Registration Abuse
Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/21"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print
11processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or
12persistence, if permissions allow writing a fully-qualified pathname for that DLL.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.registry-*", "endgame-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Potential Port Monitor or Print Processor Registration Abuse"
19references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"]
20risk_score = 47
21rule_id = "8f3e91c7-d791-4704-80a1-42c160d7aa27"
22severity = "medium"
23tags = [
24 "Domain: Endpoint",
25 "OS: Windows",
26 "Use Case: Threat Detection",
27 "Tactic: Privilege Escalation",
28 "Data Source: Elastic Endgame",
29 "Data Source: Elastic Defend",
30]
31timestamp_override = "event.ingested"
32type = "eql"
33
34query = '''
35registry where host.os.type == "windows" and event.type in ("creation", "change") and
36 registry.path : (
37 "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
38 "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*",
39 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
40 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*"
41 ) and registry.data.strings : "*.dll" and
42 /* exclude SYSTEM SID - look for changes by non-SYSTEM user */
43 not user.id : "S-1-5-18"
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1547"
51name = "Boot or Logon Autostart Execution"
52reference = "https://attack.mitre.org/techniques/T1547/"
53[[rule.threat.technique.subtechnique]]
54id = "T1547.010"
55name = "Port Monitors"
56reference = "https://attack.mitre.org/techniques/T1547/010/"
57
58[[rule.threat.technique.subtechnique]]
59id = "T1547.012"
60name = "Print Processors"
61reference = "https://attack.mitre.org/techniques/T1547/012/"
62
63
64
65[rule.threat.tactic]
66id = "TA0004"
67name = "Privilege Escalation"
68reference = "https://attack.mitre.org/tactics/TA0004/"
69[[rule.threat]]
70framework = "MITRE ATT&CK"
71[[rule.threat.technique]]
72id = "T1547"
73name = "Boot or Logon Autostart Execution"
74reference = "https://attack.mitre.org/techniques/T1547/"
75[[rule.threat.technique.subtechnique]]
76id = "T1547.010"
77name = "Port Monitors"
78reference = "https://attack.mitre.org/techniques/T1547/010/"
79
80[[rule.threat.technique.subtechnique]]
81id = "T1547.012"
82name = "Print Processors"
83reference = "https://attack.mitre.org/techniques/T1547/012/"
84
85
86
87[rule.threat.tactic]
88id = "TA0003"
89name = "Persistence"
90reference = "https://attack.mitre.org/tactics/TA0003/"
References
Related rules
- Component Object Model Hijacking
- Conhost Spawned By Suspicious Parent Process
- Disabling User Account Control via Registry Modification
- Persistence via PowerShell profile
- Persistence via TelemetryController Scheduled Task Hijack