Find sigma rule

Attack: Boot or Logon Autostart Execution: Port Monitors

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded and run by the print spooler service, spoolsv.exe, under SYSTEM level permissions on boot.(Citation: Bloxham)

Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to the Driver value of an existing or new arbitrarily named subkey of HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. The Registry key contains entries for the following:

Local Port
Standard TCP/IP Port
USB Monitor
WSD Port

MITRE

Tactic

privilege-escalation
persistence

technique

T1547.010

Test : Add Port Monitor persistence in Registry

OS

windows

Description:

Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot DLL will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege.

Executor

command_prompt

Sigma Rule

registry_set_add_port_monitor.yml (id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e)
registry_set_asep_reg_keys_modification_currentcontrolset.yml (id: f674e36a-4b91-431e-8aef-f8a96c2aca35)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test