Detection rules › Splunk
Monitor Registry Keys for Print Monitors
The following analytic detects modifications to the registry key HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. It leverages data from the Endpoint.Registry data model, focusing on events where the registry path is modified. This activity is significant because attackers can exploit this registry key to load arbitrary .dll files, which will execute with elevated SYSTEM permissions and persist after a reboot. If confirmed malicious, this could allow attackers to maintain persistence, execute code with high privileges, and potentially compromise the entire system.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1547.010 Boot or Logon Autostart Execution: Port Monitors |
| Privilege Escalation | T1547.010 Boot or Logon Autostart Execution: Port Monitors |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: tstats
tstats WHERE Registry.action="modified" Registry.registry_path="*CurrentControlSet\\Control\\Print\\Monitors*" BY Registry.action, Registry.dest, Registry.process_guid, Registry.process_id, Registry.registry_hive, Registry.registry_path, Registry.registry_key_name, Registry.registry_value_data, Registry.registry_value_name, Registry.registry_value_type, Registry.status, Registry.user, Registry.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Registry.action | eq |
|
Registry.registry_path | eq |
|