Detect Port Monitors in CrowdStrike LogScale
Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. This DLL can be located in C:\Windows\System32 and will be loaded and run by the print spooler service, spoolsv.exe, under SYSTEM level permissions on boot. Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to the Driver value of an existing or new arbitrarily named subkey of HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.
MITRE ATT&CK
- Tactic
- Persistence, Privilege Escalation
- Technique
- T1547 Boot or Logon Autostart Execution
- Sub-technique
- T1547.010 Port Monitors
- Canonical reference
- https://attack.mitre.org/techniques/T1547/010/
LogScale Detection Query
```
// Detection 1: Registry modification to Print Monitors key
#event_simpleName="AsepValueUpdate" OR #event_simpleName="RegistryKeyCreated"
| TargetObject = /\\Control\\Print\\Monitors\\/i
| table([_time, ComputerName, UserName, TargetObject, NewValue, ImageFileName, CommandHistory])

// Detection 2: Suspicious DLL registered in Print Monitors Driver value
#event_simpleName="AsepValueUpdate"
| TargetObject = /\\Control\\Print\\Monitors\\.*\\Driver/i
| NewValue = /\.dll$/i
| table([_time, ComputerName, UserName, TargetObject, NewValue, ImageFileName])

// Detection 3: Suspicious child process spawned by spoolsv.exe
// The exclusions are applied to the child (FileName); filtering them on
// ParentBaseFileName would never exclude anything once the parent is spoolsv.exe.
#event_simpleName="ProcessRollup2"
| ParentBaseFileName = /spoolsv\.exe/i
| FileName != /splwow64\.exe/i
| FileName != /PrintIsolationHost\.exe/i
| FileName != /printfilterpipelinesvc\.exe/i
| table([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, MD5HashData, SHA256HashData])

// Detection 4: Suspicious DLL written to System32 by non-trusted process
#event_simpleName="NewExecutableWritten" OR #event_simpleName="PeFileWritten"
| TargetFileName = /C:\\Windows\\System32\\.*\.dll/i
| ImageFileName != /TiWorker\.exe/i
| ImageFileName != /TrustedInstaller\.exe/i
| ImageFileName != /msiexec\.exe/i
| ImageFileName != /svchost\.exe/i
| table([_time, ComputerName, UserName, TargetFileName, ImageFileName, CommandLine, MD5HashData, SHA256HashData])
| sort(field=_time, order=desc)
```
CrowdStrike LogScale CQL queries detecting T1547.010 Port Monitor persistence via four detection vectors: Print Monitors registry key modification events (AsepValueUpdate), Driver value DLL registration, unusual child processes of spoolsv.exe via ProcessRollup2, and suspicious DLL file writes to System32 by non-trusted processes. Hash fields are included for IOC enrichment.
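The same four detections applied to constructed Falcon-style events, as an added Python example (not part of the original page or of CrowdStrike's tooling). Field names follow the queries above; the sample events, the `basename` helper and the detection labels are assumptions, and the spoolsv.exe exclusions are checked against the child process name.

```python
import re

# Constructed sample events (synthetic, not real telemetry) using the
# Falcon-style field names from the LogScale queries above.
MON = r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors"
EVENTS = [
    {"event_simpleName": "AsepValueUpdate", "ImageFileName": r"C:\Windows\System32\reg.exe",
     "TargetObject": MON + r"\TestMonitor\Driver", "NewValue": "evil_monitor.dll"},
    {"event_simpleName": "AsepValueUpdate", "ImageFileName": r"C:\Windows\System32\spoolsv.exe",
     "TargetObject": MON + r"\Local Port\Driver", "NewValue": "localspl.dll"},  # benign, tuning candidate
    {"event_simpleName": "ProcessRollup2", "ParentBaseFileName": "spoolsv.exe",
     "FileName": "splwow64.exe", "CommandLine": "splwow64.exe"},
    {"event_simpleName": "ProcessRollup2", "ParentBaseFileName": "spoolsv.exe",
     "FileName": "cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"event_simpleName": "PeFileWritten", "ImageFileName": r"C:\Windows\System32\cmd.exe",
     "TargetFileName": r"C:\Windows\System32\test_monitor.dll"},
    {"event_simpleName": "PeFileWritten", "ImageFileName": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFileName": r"C:\Windows\System32\localspl.dll"},
]

# Patterns mirror the regexes in the LogScale queries above.
MONITORS_KEY = re.compile(r"\\Control\\Print\\Monitors\\", re.I)
DRIVER_VALUE = re.compile(r"\\Control\\Print\\Monitors\\.*\\Driver$", re.I)
SYSTEM32_DLL = re.compile(r"^C:\\Windows\\System32\\.*\.dll$", re.I)
# Exclusions apply to the child (FileName) of spoolsv.exe, never to the parent.
SPOOLER_CHILDREN = {"splwow64.exe", "printisolationhost.exe", "printfilterpipelinesvc.exe"}
TRUSTED_WRITERS = {"tiworker.exe", "trustedinstaller.exe", "msiexec.exe", "svchost.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(event):
    """Return the names of the detections (D1-D4) that fire for one event."""
    hits, kind = [], event.get("event_simpleName")
    if kind in ("AsepValueUpdate", "RegistryKeyCreated"):
        target = event.get("TargetObject", "")
        if MONITORS_KEY.search(target):
            hits.append("D1_monitors_key_modified")
        if kind == "AsepValueUpdate" and DRIVER_VALUE.search(target) \
                and event.get("NewValue", "").lower().endswith(".dll"):
            hits.append("D2_driver_dll_registered")
    elif kind == "ProcessRollup2" and event.get("ParentBaseFileName", "").lower() == "spoolsv.exe":
        if basename(event.get("FileName", "")) not in SPOOLER_CHILDREN:
            hits.append("D3_unusual_spoolsv_child")
    elif kind in ("NewExecutableWritten", "PeFileWritten"):
        if SYSTEM32_DLL.match(event.get("TargetFileName", "")) \
                and basename(event.get("ImageFileName", "")) not in TRUSTED_WRITERS:
            hits.append("D4_untrusted_system32_dll_write")
    return hits
```

The second event shows why the False Positives section matters: the built-in Local Port monitor re-registering localspl.dll trips D1 and D2 exactly like the test payload, so an allowlist of known-good monitor DLLs and writers is the first tuning step.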
False Positives & Tuning
- Legitimate print vendor software (HP Smart, Canon PRINT, Epson iPrint) registering port monitor DLLs during printer setup on corporate endpoints
- Windows print spooler service (spoolsv.exe) launching printing pipeline processes like XPS Document Writer components that may not match the exclusion list
- Automated patch management or configuration management agents deploying updated system DLLs to System32 outside of standard Windows Update channels
Testing Methodology
Validate this detection against the 3 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Port Monitor Registry Key Creation
Expected signal: Sysmon Event ID 13: Registry Value Set with TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\TestMonitor_df00tech\Driver, Details=localspl.dll, Image=reg.exe. Security Event ID 4688 with CommandLine containing reg add.
- Test 2: DLL Drop in System32 Simulating Port Monitor Payload
Expected signal: Sysmon Event ID 11: File Create with TargetFilename=C:\Windows\System32\df00tech_test_monitor.dll, Image=cmd.exe. DeviceFileEvents with ActionType=FileCreated, FolderPath starting with C:\Windows\System32.
- Test 3: PowerShell AddMonitor API Simulation via Registry
Expected signal: Sysmon Event ID 12: Registry Key Created for PSTestMonitor subkey. Sysmon Event ID 13: Registry Value Set for Driver value. Sysmon Event ID 1: Process Create for powershell.exe with the full command line. PowerShell ScriptBlock Log Event ID 4104 with the registry manipulation commands.
References
- https://attack.mitre.org/techniques/T1547/010/
- https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
- https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor
- https://technet.microsoft.com/en-us/sysinternals/bb963902
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set