Potential Port Monitor or Print Processor Registration Abuse

Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.

Elastic rule

[metadata]
creation_date = "2021/01/21"
integration = ["endpoint", "m365_defender"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print
processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or
persistence, if permissions allow writing a fully-qualified pathname for that DLL.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Port Monitor or Print Processor Registration Abuse"
references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"]
risk_score = 47
rule_id = "8f3e91c7-d791-4704-80a1-42c160d7aa27"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender XDR",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.path : (
      "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
      "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*",
      "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
      "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*"
  ) and registry.data.strings : "*.dll" and
  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */
  not user.id : "S-1-5-18"
'''

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
"""

note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Port Monitor or Print Processor Registration Abuse

Port monitors and print processors are integral to Windows printing, managing data flow and processing print jobs. Adversaries exploit these by registering malicious DLLs, which execute with SYSTEM privileges at boot, enabling persistence and privilege escalation. The detection rule identifies registry changes in specific paths, focusing on non-SYSTEM user modifications, to flag potential abuse.

### Possible investigation steps

- Review the registry path specified in the alert to confirm the presence of any unauthorized or suspicious DLLs in the paths: HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\* and HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*.
- Identify the user account associated with the registry change by examining the user.id field, ensuring it is not the SYSTEM account (S-1-5-18), and determine if the account has a legitimate reason to modify these registry paths.
- Check the file properties and digital signatures of the DLLs found in the registry paths to verify their legitimacy and identify any anomalies or signs of tampering.
- Investigate the system's event logs around the time of the registry change to gather additional context, such as other activities performed by the same user or related processes that might indicate malicious behavior.
- Conduct a threat intelligence search on the identified DLLs and any associated file hashes to determine if they are known to be associated with malicious activity or threat actors.
- Assess the system for any signs of privilege escalation or persistence mechanisms that may have been established as a result of the registry modification, such as new services or scheduled tasks.

### False positive analysis

- Legitimate software installations or updates may modify print processor or port monitor registry paths. Users should verify if recent installations or updates coincide with the detected changes.
- System administrators performing maintenance or configuration changes might trigger alerts. Ensure that such activities are documented and cross-referenced with the alert timestamps.
- Some third-party printing solutions may register their own DLLs in these registry paths. Identify and whitelist these known applications to prevent unnecessary alerts.
- Automated scripts or management tools that modify printer settings could cause false positives. Review and adjust these tools to ensure they operate under expected user accounts or exclude their known behaviors.
- Regularly review and update the exclusion list to include any new benign applications or processes that interact with the monitored registry paths.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
- Terminate any suspicious processes associated with the malicious DLLs identified in the registry paths to halt their execution.
- Remove the unauthorized DLL entries from the registry paths: HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\* and HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\* to eliminate persistence mechanisms.
- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or remnants.
- Review and reset credentials for any accounts that may have been compromised, especially those with elevated privileges, to prevent unauthorized access.
- Implement application whitelisting to prevent unauthorized DLLs from executing, focusing on the paths identified in the alert.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected, ensuring comprehensive threat containment and eradication."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.010"
name = "Port Monitors"
reference = "https://attack.mitre.org/techniques/T1547/010/"

[[rule.threat.technique.subtechnique]]
id = "T1547.012"
name = "Print Processors"
reference = "https://attack.mitre.org/techniques/T1547/012/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.010"
name = "Port Monitors"
reference = "https://attack.mitre.org/techniques/T1547/010/"

[[rule.threat.technique.subtechnique]]
id = "T1547.012"
name = "Print Processors"
reference = "https://attack.mitre.org/techniques/T1547/012/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
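The EQL query above, re-implemented in Python over constructed registry events so the three filters (watched key paths in both the HKLM\ and \REGISTRY\MACHINE\ spellings, a `*.dll` value, and the SYSTEM SID exclusion) can be exercised offline. This is an added example, not part of the Elastic rule; the sample events, SIDs and file paths are constructed, and the handling of a missing user.id is an assumption noted in the code.

```python
import re

# Registry paths the rule watches, in both spellings that endpoint sensors emit.
WATCHED_PATHS = (
    r"HKLM\SYSTEM\*ControlSet*\Control\Print\Monitors\*",
    r"HKLM\SYSTEM\*ControlSet*\Control\Print\Environments\Windows*\Print Processors\*",
    r"\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Print\Monitors\*",
    r"\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Print\Environments\Windows*\Print Processors\*",
)
SYSTEM_SID = "S-1-5-18"  # LocalSystem; the rule excludes writes made by it


def eql_match(pattern, value):
    """EQL ':' semantics for strings: case-insensitive, '*' matches any run."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def matches_rule(event):
    """Evaluate the rule's query against one flattened ECS registry event."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "change":
        return False
    if not any(eql_match(p, event.get("registry.path", "")) for p in WATCHED_PATHS):
        return False
    data = event.get("registry.data.strings", [])
    data = [data] if isinstance(data, str) else data
    if not any(eql_match("*.dll", d) for d in data):
        return False
    # Assumption: an event without user.id does not satisfy `not user.id : ...`,
    # mirroring how EQL treats comparisons against a missing field.
    uid = event.get("user.id")
    return uid is not None and uid != SYSTEM_SID


# Constructed sample events (not from a real host); SIDs and file paths are made up.
BASE = {"host.os.type": "windows", "event.type": "change"}
SAMPLE_EVENTS = [
    # Interactive user registers a port monitor DLL from a user-writable folder: alert.
    {**BASE, "registry.path": r"HKLM\SYSTEM\ControlSet001\Control\Print\Monitors\Contoso Monitor\Driver",
     "registry.data.strings": [r"C:\Users\Public\monitor.dll"], "user.id": "S-1-5-21-1111-2222-3333-1001"},
    # Same key written by the Spooler running as SYSTEM: dropped by the SID filter.
    {**BASE, "registry.path": r"HKLM\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port\Driver",
     "registry.data.strings": ["localspl.dll"], "user.id": SYSTEM_SID},
    # Kernel path spelling, built-in print processor, local admin: alert (benign, see FP notes).
    {**BASE, "registry.path": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint\Driver",
     "registry.data.strings": ["winprint.dll"], "user.id": "S-1-5-21-1111-2222-3333-500"},
    # Value under a watched key whose data is not a DLL: no alert.
    {**BASE, "registry.path": r"HKLM\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports",
     "registry.data.strings": ["192.0.2.10"], "user.id": "S-1-5-21-1111-2222-3333-1001"},
]
```

Running `matches_rule` over `SAMPLE_EVENTS` flags the first and third events only; the third shows why the false-positive notes above matter, since a legitimate administrator touching winprint still satisfies every condition.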
