You will encounter noise from legitimate print-monitor registry entries.

Sample rules

Monitor Registry Keys for Print Monitors

Description

This search looks for registry activity associated with modifications to the registry key HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. In this scenario, an attacker loads an arbitrary .dll (after.dll in the example) as a print monitor by writing its full path under this key. The system executes the .dll with elevated (SYSTEM) permissions, and the entry persists across reboots.

Detection logic


| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path="*CurrentControlSet\\Control\\Print\\Monitors*") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `monitor_registry_keys_for_print_monitors_filter`
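The following is an added example, not part of the original rule or Splunk's content: it emulates the tstats stage above over constructed Endpoint.Registry rows and then applies an allow-list filter of the kind the false-positive note calls for. The sample events, the BASELINE_MONITORS set and the bare-filename heuristic are assumptions; the filter stands in for the `monitor_registry_keys_for_print_monitors_filter` macro, and only a subset of the BY fields is kept.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Wildcard from the WHERE clause, matched case-insensitively as Splunk does.
PATH_PATTERN = r"*currentcontrolset\control\print\monitors*"
# Assumed allow-list of monitor subkeys seen on a known-good build.
BASELINE_MONITORS = {"local port", "standard tcp/ip port", "usb monitor"}
MON = r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors"

def ev(t, dest, user, action, path, data, guid):
    return {"_time": t, "dest": dest, "user": user, "action": action, "registry_path": path,
            "registry_value_name": "Driver", "registry_value_data": data, "process_guid": guid}

EVENTS = [  # constructed sample rows, not real telemetry
    ev(1700000100, "ws01", "NT AUTHORITY\\SYSTEM", "modified", MON + r"\Standard TCP/IP Port\Driver", "tcpmon.dll", "g1"),
    ev(1700000200, "ws01", "NT AUTHORITY\\SYSTEM", "modified", MON + r"\Standard TCP/IP Port\Driver", "tcpmon.dll", "g1"),
    ev(1700000300, "ws02", "CORP\\jdoe", "modified", MON + r"\ExampleMon\Driver", r"C:\Users\jdoe\AppData\Local\Temp\after.dll", "g2"),
    ev(1700000400, "ws02", "CORP\\jdoe", "created", r"HKLM\SOFTWARE\Example\Unrelated", "y", "g3"),
]

def search(events):
    """Emulate the tstats stage: filter, bucket _time into 1h spans, count per field tuple."""
    groups = defaultdict(list)
    for e in events:
        if e["action"] == "modified" and fnmatchcase(e["registry_path"].lower(), PATH_PATTERN):
            bucket = e["_time"] - e["_time"] % 3600
            key = (bucket, e["dest"], e["user"], e["registry_path"],
                   e["registry_value_name"], e["registry_value_data"], e["process_guid"])
            groups[key].append(e["_time"])
    rows = []
    for key, times in groups.items():
        rows.append({"_time": key[0], "dest": key[1], "user": key[2], "registry_path": key[3],
                     "registry_value_name": key[4], "registry_value_data": key[5],
                     "process_guid": key[6], "count": len(times),
                     "firstTime": min(times), "lastTime": max(times)})
    return rows

def suppress_known_good(rows):
    """Allow-list filter: drop baseline monitors whose Driver value is a bare DLL name;
    keep everything else, including any monitor registered by a full path."""
    keep = []
    for r in rows:
        parts = [p.lower() for p in r["registry_path"].split("\\")]
        monitor = parts[parts.index("monitors") + 1] if "monitors" in parts[:-1] else ""
        bare_name = "\\" not in r["registry_value_data"]
        if monitor in BASELINE_MONITORS and bare_name:
            continue
        keep.append(r)
    return keep
```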