Add Port Monitor Persistence in Registry

calendar Aug 12, 2024 · attack.persistence attack.t1547.010  ·
Share on: linkedin copy

Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.

Sigma rule (View on GitHub)

 1title: Add Port Monitor Persistence in Registry
 2id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e
 3status: experimental
 4description: |
 5    Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
 6    A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
 9author: frack113
10date: 2021-12-30
11modified: 2024-03-25
12tags:
13    - attack.persistence
14    - attack.t1547.010
15logsource:
16    category: registry_set
17    product: windows
18detection:
19    selection:
20        TargetObject|contains: '\Control\Print\Monitors\'
21        Details|endswith: '.dll'
22    filter_optional_cutepdf:
23        Image: 'C:\Windows\System32\spoolsv.exe'
24        TargetObject|contains: '\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver'
25        Details: 'cpwmon64_v40.dll'
26        User|contains: # covers many language settings
27            - 'AUTHORI'
28            - 'AUTORI'
29    filter_optional_monvnc:
30        TargetObject|contains: '\Control\Print\Monitors\MONVNC\Driver'
31    filter_optional_vnc:
32        TargetObject|contains|all:
33            - 'Control\Print\Environments\'
34            - '\Drivers\'
35            - '\VNC Printer'
36    condition: selection and not 1 of filter_optional_*
37falsepositives:
38    - Unknown
39level: medium

References

Related rules

to-top