T1547.010 Google Chronicle · YARA-L

Detect Port Monitors in Google Chronicle

Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be registered through the AddMonitor API call, which sets a DLL to be loaded at startup. This DLL can be located in C:\Windows\System32 and will be loaded and run by the print spooler service, spoolsv.exe, with SYSTEM-level permissions on boot. Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully qualified pathname for that DLL to the Driver value of an existing or new arbitrarily named subkey of HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation
Technique
T1547 Boot or Logon Autostart Execution
Sub-technique
T1547.010 Port Monitors
Canonical reference
https://attack.mitre.org/techniques/T1547/010/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1547_010_port_monitor_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1547.010 Port Monitor persistence via Print Monitors registry modification, suspicious spoolsv.exe child processes, or unauthorized DLL drops in System32"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1547.010"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1547/010/"

  events:
    // Detection 1: any modification under the Print Monitors key
    (
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      and re.regex($e1.target.registry.registry_key, `(?i)HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors`)
      and $e1.principal.hostname = $hostname
    )
    or
    // Detection 2: a .dll written to a Driver value under that key.
    // This is a strict subset of Detection 1, kept as a separate high-fidelity
    // branch for triage; because the branches are OR'd, the rule as a whole
    // still fires on any change under the key.
    (
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      and re.regex($e1.target.registry.registry_key, `(?i)HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors`)
      and re.regex($e1.target.registry.registry_value_data, `(?i)\.dll$`)
      and re.regex($e1.target.registry.registry_value_name, `(?i)Driver`)
      and $e1.principal.hostname = $hostname
    )
    or
    // Detection 3: spoolsv.exe launching anything other than its expected helper processes
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.principal.process.file.full_path, `(?i)spoolsv\.exe`)
      and not re.regex($e1.target.process.file.full_path, `(?i)(splwow64|PrintIsolationHost|printfilterpipelinesvc)\.exe`)
      and $e1.principal.hostname = $hostname
    )
    or
    // Detection 4: a .dll created anywhere under System32 (subdirectories included)
    // by a process other than the Windows servicing and installer components
    (
      $e1.metadata.event_type = "FILE_CREATION"
      and re.regex($e1.target.file.full_path, `(?i)C:\\Windows\\System32\\.*\.dll`)
      and not re.regex($e1.principal.process.file.full_path, `(?i)(TiWorker|TrustedInstaller|msiexec|svchost)\.exe`)
      and $e1.principal.hostname = $hostname
    )

  match:
    // Consume the $hostname placeholder bound in every branch above, grouping
    // the four signals from one host into a single detection per short window
    $hostname over 5m

  condition:
    $e1
}

Chronicle YARA-L 2.0 rule detecting T1547.010 Port Monitor persistence through four detection patterns: any modification of the Print Monitors registry key, a .dll assigned to a Driver value under that key (a narrower form of the first pattern), spoolsv.exe spawning a child process other than its known helpers, and DLL file creation under System32 by a process that is not a Windows servicing or installer component.

Data Sources

  • Windows Registry Events via Chronicle
  • Windows Process Events via Chronicle
  • Windows File Events via Chronicle
  • Google Chronicle UDM

Required Tables

  • REGISTRY_MODIFICATION
  • PROCESS_LAUNCH
  • FILE_CREATION

False Positives & Tuning

  • Print management software vendors registering legitimate port monitor DLLs during product installation or upgrade cycles
  • System administrators manually deploying print infrastructure components using tools that spawn processes under the spooler context
  • Enterprise imaging or endpoint management tools deploying Windows system DLLs during OS configuration or driver provisioning
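One way to turn the first tuning point into a check rather than a blanket exclusion is to keep a baseline of the monitor subkeys a reference build carries and the DLL each one loads, then review only what deviates. The Python below is an added example, not part of the original page: it parses the text that `reg query HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors /s` prints and flags three kinds of deviation. The baseline of default monitors and the sample registry output are constructed for illustration and should be rebuilt from a clean image of your own before being used for tuning.

```python
import re

MONITORS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors"

# Assumed baseline: monitor subkey name -> DLL it loads on a reference build.
# Illustrative only; derive the real list from a clean image of your own.
BASELINE = {
    "local port": "localspl.dll",
    "standard tcp/ip port": "tcpmon.dll",
    "usb monitor": "usbmon.dll",
    "wsd port": "wsdmon.dll",
}

# Constructed sample of `reg query ... /s` output. The last three subkeys are
# the cases worth a second look: a vendor monitor outside the baseline, the
# page's Test 1 entry (a new subkey pointing at a legitimate DLL name), and a
# Driver value given as a full path into a user-writable directory.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port
    Driver    REG_SZ    localspl.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port
    Driver    REG_SZ    tcpmon.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports
    StatusUpdateEnabled    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\AcmePrintMon
    Driver    REG_SZ    acmepmon.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\TestMonitor_df00tech
    Driver    REG_SZ    localspl.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\UpdaterMon
    Driver    REG_SZ    C:\Users\Public\upd.dll
"""

# One "<name>    REG_TYPE    <data>" line as printed by reg query
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_monitors(reg_text, root=MONITORS_KEY):
    """Return {monitor name: Driver value} for the direct subkeys of root.
    Deeper keys (e.g. ...\Standard TCP/IP Port\Ports) are ignored."""
    prefix = (root + "\\").lower()
    monitors, current = {}, None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            rel = key[len(prefix):] if key.lower().startswith(prefix) else None
            current = rel if rel and "\\" not in rel else None
            continue
        m = VALUE_RE.match(line)
        if current and m and m.group(1).lower() == "driver":
            monitors[current] = m.group(3)
    return monitors


def audit_monitors(monitors, baseline=BASELINE):
    """Return (monitor, driver, reason) for every entry that deviates from baseline."""
    findings = []
    for name, driver in monitors.items():
        expected = baseline.get(name.lower())
        if "\\" in driver or "/" in driver:
            findings.append((name, driver, "Driver is a path, not a bare DLL name in System32"))
        elif expected is None:
            findings.append((name, driver, "monitor not in baseline"))
        elif driver.lower() != expected:
            findings.append((name, driver, f"baseline expects {expected}"))
    return findings


if __name__ == "__main__":
    for name, driver, reason in audit_monitors(parse_monitors(SAMPLE_REG_OUTPUT)):
        print(f"{name}: {driver} ({reason})")
```

The check is keyed on the monitor name as well as the DLL, which is the point of including the Test 1 entry: an allow-list of DLL names alone would pass TestMonitor_df00tech because localspl.dll is legitimate, while a baseline of expected subkeys flags it as new. The rule above tells you that the key changed; a baseline like this tells you whether the resulting state is one you expect.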
Testing Methodology

Validate this detection against three Atomic Red Team tests that emulate the technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Port Monitor Registry Key Creation

    Expected signal: Sysmon Event ID 13: Registry Value Set with TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\TestMonitor_df00tech\Driver, Details=localspl.dll, Image=reg.exe. Security Event ID 4688 with CommandLine containing reg add.

  2. Test 2: DLL Drop in System32 Simulating Port Monitor Payload

    Expected signal: Sysmon Event ID 11: File Create with TargetFilename=C:\Windows\System32\df00tech_test_monitor.dll, Image=cmd.exe. DeviceFileEvents with ActionType=FileCreated, FolderPath starting with C:\Windows\System32.

  3. Test 3: PowerShell AddMonitor API Simulation via Registry

    Expected signal: Sysmon Event ID 12: Registry Key Created for PSTestMonitor subkey. Sysmon Event ID 13: Registry Value Set for Driver value. Sysmon Event ID 1: Process Create for powershell.exe with the full command line. PowerShell ScriptBlock Log Event ID 4104 with the registry manipulation commands.
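To exercise the four branches of the rule above against the signals listed in the three tests without a Chronicle tenant, here is an added Python harness; it is not part of the original page or of Chronicle's tooling. Each branch is re-implemented as a predicate using the rule's own regular expressions over constructed events whose field names mirror the UDM paths in the rule (principal_path for principal.process.file.full_path, target_path for target.process.file.full_path on process events and target.file.full_path on file events). The events, paths and file names are constructed, and the mapping from Sysmon fields to UDM is an assumption to be confirmed against your own parser.

```python
import re

# Regular expressions copied from the rule; (?i) mirrors its case-insensitive matching.
MONITORS_KEY_RE = re.compile(r"(?i)HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors")
DLL_RE = re.compile(r"(?i)\.dll$")
DRIVER_RE = re.compile(r"(?i)Driver")
SPOOLSV_RE = re.compile(r"(?i)spoolsv\.exe")
EXPECTED_SPOOLER_CHILD_RE = re.compile(r"(?i)(splwow64|PrintIsolationHost|printfilterpipelinesvc)\.exe")
SYSTEM32_DLL_RE = re.compile(r"(?i)C:\\Windows\\System32\\.*\.dll")
TRUSTED_WRITER_RE = re.compile(r"(?i)(TiWorker|TrustedInstaller|msiexec|svchost)\.exe")


def monitors_key_modified(e):
    """Detection 1: any REGISTRY_MODIFICATION under the Print Monitors key."""
    return (e["event_type"] == "REGISTRY_MODIFICATION"
            and MONITORS_KEY_RE.search(e.get("registry_key", "")) is not None)


def driver_value_dll(e):
    """Detection 2: a Driver value under that key set to something ending in .dll."""
    return (monitors_key_modified(e)
            and DLL_RE.search(e.get("registry_value_data", "")) is not None
            and DRIVER_RE.search(e.get("registry_value_name", "")) is not None)


def spoolsv_child(e):
    """Detection 3: spoolsv.exe launching anything but its expected helpers."""
    return (e["event_type"] == "PROCESS_LAUNCH"
            and SPOOLSV_RE.search(e.get("principal_path", "")) is not None
            and EXPECTED_SPOOLER_CHILD_RE.search(e.get("target_path", "")) is None)


def system32_dll_drop(e):
    """Detection 4: a .dll created under System32 by a process that is not a
    Windows servicing or installer component."""
    return (e["event_type"] == "FILE_CREATION"
            and SYSTEM32_DLL_RE.search(e.get("target_path", "")) is not None
            and TRUSTED_WRITER_RE.search(e.get("principal_path", "")) is None)


BRANCHES = {
    "monitors_key_modified": monitors_key_modified,
    "driver_value_dll": driver_value_dll,
    "spoolsv_child": spoolsv_child,
    "system32_dll_drop": system32_dll_drop,
}

# Constructed events. Field names stand in for the UDM paths used by the rule:
#   principal_path -> principal.process.file.full_path
#   target_path    -> target.process.file.full_path (process events) or
#                     target.file.full_path (file events)
EVENTS = [
    {"name": "test1_reg_add",           # Test 1: reg.exe sets Driver under a new subkey
     "event_type": "REGISTRY_MODIFICATION",
     "registry_key": r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\TestMonitor_df00tech",
     "registry_value_name": "Driver", "registry_value_data": "localspl.dll",
     "principal_path": r"C:\Windows\System32\reg.exe"},
    {"name": "test2_dll_drop",          # Test 2: cmd.exe writes a DLL into System32
     "event_type": "FILE_CREATION",
     "target_path": r"C:\Windows\System32\df00tech_test_monitor.dll",
     "principal_path": r"C:\Windows\System32\cmd.exe"},
    {"name": "benign_tiworker_dll",     # same kind of write, but by Windows servicing (constructed path)
     "event_type": "FILE_CREATION",
     "target_path": r"C:\Windows\System32\somecomponent.dll",
     "principal_path": r"C:\Windows\WinSxS\servicing\TiWorker.exe"},
    {"name": "benign_splwow64_child",   # normal 32-bit driver host spawned by the spooler
     "event_type": "PROCESS_LAUNCH",
     "principal_path": r"C:\Windows\System32\spoolsv.exe",
     "target_path": r"C:\Windows\splwow64.exe"},
    {"name": "spoolsv_spawns_cmd",      # any other spooler child is in scope for Detection 3
     "event_type": "PROCESS_LAUNCH",
     "principal_path": r"C:\Windows\System32\spoolsv.exe",
     "target_path": r"C:\Windows\System32\cmd.exe"},
    {"name": "hive_long_form",          # same change as Test 1, hive spelled out by the parser
     "event_type": "REGISTRY_MODIFICATION",
     "registry_key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\TestMonitor_df00tech",
     "registry_value_name": "Driver", "registry_value_data": "localspl.dll",
     "principal_path": r"C:\Windows\System32\reg.exe"},
    {"name": "spool_driver_dir_dll",    # printer driver install performed by the spooler itself
     "event_type": "FILE_CREATION",
     "target_path": r"C:\Windows\System32\spool\drivers\x64\3\vendorui.dll",
     "principal_path": r"C:\Windows\System32\spoolsv.exe"},
]


def evaluate(event):
    """Return the names of the rule branches that match one event."""
    return [name for name, predicate in BRANCHES.items() if predicate(event)]


def run_all(events=EVENTS):
    """Map each constructed event name to the branches it triggers."""
    return {e["name"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name:24s} -> {hits or 'no match'}")
```

Two of the constructed events are there to surface caveats rather than confirm the tests. The hive_long_form event shows that the rule's key regex only matches the HKLM short form, so confirm how your parser normalizes the hive name in target.registry.registry_key before trusting Detections 1 and 2. The spool_driver_dir_dll event shows that Detection 4's regex also covers subdirectories such as the spool driver store, so printer driver installations performed by spoolsv.exe will fire; that is the tuning case the False Positives section describes, and the usual choice is either to exclude the spool\drivers path explicitly or to keep the hits and accept the triage cost.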
