T1547.010 Port Monitors Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let MonitorRegPath = @"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors";
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "Control\\Print\\Monitors"
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend RegistryValueName = tostring(RegistryValueData)
| extend SuspiciousDLL = RegistryValueData endswith ".dll"
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, SuspiciousDLL
| sort by Timestamp desc;
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "spoolsv.exe"
| where FileName !in~ ("splwow64.exe", "PrintIsolationHost.exe", "printfilterpipelinesvc.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, InitiatingProcessFileName
| sort by Timestamp desc;
DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath startswith @"C:\Windows\System32"
| where FileName endswith ".dll"
| where InitiatingProcessFileName !in~ ("TiWorker.exe", "TrustedInstaller.exe", "msiexec.exe", "svchost.exe")
| where ActionType == "FileCreated"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

high severity high confidence

Data Sources

Windows Registry: Registry Key Creation Windows Registry: Registry Key Modification Process: Process Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate printer driver installations by IT administrators using vendor-provided installers (HP, Canon, Lexmark, etc.) that register port monitors through AddMonitor API
Print management software (PaperCut, PrinterLogic, Pharos) that installs custom port monitors for print job tracking and accounting
PDF printer utilities (Adobe PDF, Microsoft Print to PDF, CutePDF) that register virtual port monitors during installation
Windows Update or WSUS deploying printer driver updates that modify the Print\Monitors registry key

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
  TargetObject="HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\*"
| eval is_driver_value=if(match(TargetObject, "Driver$"), 1, 0)
| eval is_dll=if(match(Details, "\.dll"), 1, 0)
| eval monitor_name=replace(TargetObject, ".*Print\\Monitors\\\\.+?\\(.*)", "\1")
| table _time, host, User, Image, TargetObject, Details, is_driver_value, is_dll, monitor_name
| sort - _time
| append
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    ParentImage="*\\spoolsv.exe"
    NOT (Image="*\\splwow64.exe" OR Image="*\\PrintIsolationHost.exe" OR Image="*\\printfilterpipelinesvc.exe")
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine
  | sort - _time]
| append
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    TargetFilename="C:\\Windows\\System32\\*.dll"
    NOT (Image="*\\TiWorker.exe" OR Image="*\\TrustedInstaller.exe" OR Image="*\\msiexec.exe")
  | table _time, host, User, Image, TargetFilename
  | sort - _time]

high severity high confidence

Data Sources

Windows Registry: Registry Key Modification Process: Process Creation File: File Creation Sysmon Event ID 13 Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate printer driver installations by IT administrators using vendor-provided installers that register port monitors via AddMonitor API
Print management software (PaperCut, PrinterLogic) installing custom port monitors for enterprise print tracking
PDF virtual printer utilities (Adobe PDF, CutePDF) that register port monitors during installation
Windows Update deploying printer driver packages that modify Print\Monitors registry keys

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [registry where registry.path : "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\*" and event.action in ("registry_value_set", "registry_key_created")]
  [file where file.path : "C:\\Windows\\System32\\*.dll" and event.action == "creation" and not process.name : ("TiWorker.exe", "TrustedInstaller.exe", "msiexec.exe", "svchost.exe")]

sequence
  [registry where registry.path : "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\*" and registry.data.strings : "*.dll"]
  [process where process.parent.name : "spoolsv.exe" and not process.name : ("splwow64.exe", "PrintIsolationHost.exe", "printfilterpipelinesvc.exe")]

high severity high confidence

Data Sources

Windows Registry Events Windows File Events Windows Process Events Sysmon

Required Tables

registry file process

False Positives

Legitimate printer driver installations that register custom port monitors (e.g., HP, Canon, Xerox printer software)
Print management software updates that modify the Print Monitors registry key during upgrades
Windows Update or system components like TrustedInstaller deploying spooler-related DLLs to System32

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time, logsourcename(logsourceid) AS log_source, username, sourceip, QIDNAME(qid) AS event_name, "TargetObject", "Details", "Image", "CommandLine"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND ("TargetObject" ILIKE '%Control\\Print\\Monitors%'
    OR ("Image" ILIKE '%spoolsv.exe'
        AND "CommandLine" NOT ILIKE '%splwow64.exe%'
        AND "CommandLine" NOT ILIKE '%PrintIsolationHost.exe%'
        AND "CommandLine" NOT ILIKE '%printfilterpipelinesvc.exe%')
    OR ("TargetFilename" ILIKE 'C:\\Windows\\System32\\%.dll'
        AND "Image" NOT ILIKE '%TiWorker.exe'
        AND "Image" NOT ILIKE '%TrustedInstaller.exe'
        AND "Image" NOT ILIKE '%msiexec.exe'))
  AND devicetime > (NOW() - 86400000)
UNION
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time, logsourcename(logsourceid) AS log_source, username, sourceip, QIDNAME(qid) AS event_name, "TargetObject", "Details", "Image", "CommandLine"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Windows Security%'
  AND eventid = 4657
  AND "ObjectName" ILIKE '%Control\\Print\\Monitors%'
  AND devicetime > (NOW() - 86400000)
ORDER BY event_time DESC

high severity medium confidence

Data Sources

Sysmon via QRadar DSM Windows Security Event Log QRadar Universal DSM

Required Tables

events

False Positives

Legitimate print server administration activities that register new port monitors for enterprise printing infrastructure
Software deployment tools (SCCM, Intune) pushing printer driver packages that include port monitor DLLs
Helpdesk or IT technician activities installing specialized printer hardware with custom spooler components

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| parse "EventID=*" as event_id
| parse "TargetObject=*" as target_object nodrop
| parse "Image=*" as image nodrop
| parse "Details=*" as details nodrop
| parse "CommandLine=*" as command_line nodrop
| parse "User=*" as user nodrop
| parse "TargetFilename=*" as target_filename nodrop
| where (
    (event_id = "13" AND target_object matches "*Control\\Print\\Monitors*")
    OR (event_id = "1" AND image matches "*spoolsv.exe*"
        AND !(command_line matches "*splwow64.exe*"
              OR command_line matches "*PrintIsolationHost.exe*"
              OR command_line matches "*printfilterpipelinesvc.exe*"))
    OR (event_id = "11"
        AND target_filename matches "C:\\Windows\\System32\\*.dll"
        AND !(image matches "*TiWorker.exe*"
              OR image matches "*TrustedInstaller.exe*"
              OR image matches "*msiexec.exe*"
              OR image matches "*svchost.exe*"))
  )
| eval detection_type = if(event_id = "13", "Registry Modification",
    if(event_id = "1", "Suspicious Spooler Child Process",
    if(event_id = "11", "Suspicious DLL Creation", "Unknown")))
| eval is_driver_value = if(target_object matches "*Driver*", "true", "false")
| eval is_dll_value = if(details matches "*.dll*", "true", "false")
| fields _messageTime, host, user, image, target_object, details, target_filename, command_line, detection_type, is_driver_value, is_dll_value
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon Operational Log Windows Event Log

Required Tables

_sourceCategory=windows/sysmon

False Positives

Enterprise print management solutions such as PaperCut or PrinterLogic that register custom port monitors during installation or updates
Third-party printer driver packages that create DLL files in System32 during standard installation via msiexec child processes not captured by exclusions
Windows print spooler service launching legitimate helper processes during normal printing operations on systems with specialized hardware

Google Chronicle / SecOps

yaral

rule t1547_010_port_monitor_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1547.010 Port Monitor persistence via Print Monitors registry modification, suspicious spoolsv.exe child processes, or unauthorized DLL drops in System32"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1547.010"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1547/010/"

  events:
    // Detection 1: Registry modification to Print Monitors key
    (
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      and re.regex($e1.target.registry.registry_key, `(?i)HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors`)
      and $e1.principal.hostname = $hostname
    )
    or
    // Detection 2: Suspicious DLL registered as port monitor driver value
    (
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      and re.regex($e1.target.registry.registry_key, `(?i)HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors`)
      and re.regex($e1.target.registry.registry_value_data, `(?i)\.dll$`)
      and re.regex($e1.target.registry.registry_value_name, `(?i)Driver`)
      and $e1.principal.hostname = $hostname
    )
    or
    // Detection 3: Unusual child process spawned by spoolsv.exe
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and $e1.principal.process.file.full_path = /spoolsv\.exe/i
      and not $e1.target.process.file.full_path = /splwow64\.exe/i
      and not $e1.target.process.file.full_path = /PrintIsolationHost\.exe/i
      and not $e1.target.process.file.full_path = /printfilterpipelinesvc\.exe/i
      and $e1.principal.hostname = $hostname
    )
    or
    // Detection 4: Suspicious DLL created in System32 by non-trusted process
    (
      $e1.metadata.event_type = "FILE_CREATION"
      and $e1.target.file.full_path = /C:\\Windows\\System32\\.*\.dll/i
      and not $e1.principal.process.file.full_path = /TiWorker\.exe/i
      and not $e1.principal.process.file.full_path = /TrustedInstaller\.exe/i
      and not $e1.principal.process.file.full_path = /msiexec\.exe/i
      and not $e1.principal.process.file.full_path = /svchost\.exe/i
      and $e1.principal.hostname = $hostname
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Windows Registry Events via Chronicle Windows Process Events via Chronicle Windows File Events via Chronicle Google Chronicle UDM

Required Tables

REGISTRY_MODIFICATION PROCESS_LAUNCH FILE_CREATION

False Positives

Print management software vendors registering legitimate port monitor DLLs during product installation or upgrade cycles
System administrators manually deploying print infrastructure components using tools that spawn processes under the spooler context
Enterprise imaging or endpoint management tools deploying Windows system DLLs during OS configuration or driver provisioning

CrowdStrike LogScale (CQL)

cql

// Detection 1: Registry modification to Print Monitors key
#event_simpleName="AsepValueUpdate" OR #event_simpleName="RegistryKeyCreated"
| TargetObject = /\\Control\\Print\\Monitors\\/i
| table([_time, ComputerName, UserName, TargetObject, NewValue, ImageFileName, CommandHistory])

// Detection 2: Suspicious DLL registered in Print Monitors Driver value
#event_simpleName="AsepValueUpdate"
| TargetObject = /\\Control\\Print\\Monitors\\.*\\Driver/i
| NewValue = /\.dll$/i
| table([_time, ComputerName, UserName, TargetObject, NewValue, ImageFileName])

// Detection 3: Suspicious child process spawned by spoolsv.exe
#event_simpleName="ProcessRollup2"
| ParentBaseFileName = /spoolsv\.exe/i
| ParentBaseFileName != /splwow64\.exe/i
| ParentBaseFileName != /PrintIsolationHost\.exe/i
| ParentBaseFileName != /printfilterpipelinesvc\.exe/i
| table([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, MD5HashData, SHA256HashData])

// Detection 4: Suspicious DLL written to System32 by non-trusted process
#event_simpleName="NewExecutableWritten" OR #event_simpleName="PeFileWritten"
| TargetFileName = /C:\\Windows\\System32\\.*\.dll/i
| ImageFileName != /TiWorker\.exe/i
| ImageFileName != /TrustedInstaller\.exe/i
| ImageFileName != /msiexec\.exe/i
| ImageFileName != /svchost\.exe/i
| table([_time, ComputerName, UserName, TargetFileName, ImageFileName, CommandLine, MD5HashData, SHA256HashData])
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon Registry Events Falcon Process Events Falcon File Events

Required Tables

AsepValueUpdate RegistryKeyCreated ProcessRollup2 NewExecutableWritten PeFileWritten

False Positives

Legitimate print vendor software (HP Smart, Canon PRINT, Epson iPrint) registering port monitor DLLs during printer setup on corporate endpoints
Windows print spooler service (spoolsv.exe) launching printing pipeline processes like XPS Document Writer components that may not match the exclusion list
Automated patch management or configuration management agents deploying updated system DLLs to System32 outside of standard Windows Update channels

Port Monitors

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections