6 changes: 2 additions & 4 deletions rules/persistence_suspicious_port_monitor_loaded.yml
@@ -1,6 +1,6 @@
name: Suspicious port monitor loaded
id: d6ab6bfa-1a97-46cb-a69a-7a6c98a699f1
version: 1.0.0
version: 1.0.1
description: |
Identifies the loading of an unsigned DLL by the print spool service. Adversaries may use port
monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
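Review bot: the description still says "an unsigned DLL", but with this version bump the rule's condition switches to the `load_unsigned_or_untrusted_dll` macro, so the description should read "an unsigned or untrusted DLL" to match what the rule now matches; also consider whether a behaviour-widening change warrants more than a patch-level bump from 1.0.0 to 1.0.1.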
@@ -18,10 +18,8 @@ references:
- https://www.ired.team/offensive-security/persistence/t1013-addmonitor

condition: >
load_dll and ps.name ~= 'spoolsv.exe'
(load_unsigned_or_untrusted_dll) and ps.name ~= 'spoolsv.exe'
and
thread.callstack.symbols imatches ('localspl.dll!SplAddMonitor*', 'spoolsv.exe!PrvAddMonitor*')
and
(image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED')

min-engine-version: 2.2.0
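Review bot: replacing the explicit `image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED'` clause with `load_unsigned_or_untrusted_dll` widens the match to DLLs that carry a signature which fails trust validation, which is a behaviour change rather than a refactor and should be called out in the commit; please also confirm the macro is available at the `min-engine-version: 2.2.0` still declared here, given that the new rule added in this PR requires 2.4.0, and drop the redundant parentheses around the lone macro in `(load_unsigned_or_untrusted_dll) and ps.name ~= 'spoolsv.exe'`.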
32 changes: 32 additions & 0 deletions rules/persistence_suspicious_print_processor_loaded.yml
@@ -0,0 +1,32 @@
name: Suspicious print processor loaded
id: 3e0f5ef7-8a0a-4604-b2bf-d09606f45483
version: 1.0.0
description: |
Identifies when the print spooler service loads unsigned or untrusted DLL and the callstack pattern
indicates the print processor is loaded. Adversaries may abuse print processors to run malicious DLLs
during system boot for persistence and/or privilege escalation.
labels:
tactic.id: TA0003
tactic.name: Persistence
tactic.ref: https://attack.mitre.org/tactics/TA0003/
technique.id: T1547
technique.name: Boot or Logon Autostart Execution
technique.ref: https://attack.mitre.org/techniques/T1547/
subtechnique.id: T1547.012
subtechnique.name: Print Processors
subtechnique.ref: https://attack.mitre.org/techniques/T1547/012/
references:
- https://stmxcsr.com/persistence/print-processor.html

condition: >
(load_unsigned_or_untrusted_dll) and ps.name ~= 'spoolsv.exe'
and
thread.callstack.summary imatches 'ntdll.dll|KernelBase.dll|localspl.dll|spoolsv.exe|kernel32.dll|ntdll.dll'
and
thread.callstack.symbols imatches ('localspl.dll!SplSetPrinterData') and thread.callstack.symbols not imatches ('KernelBase.dll!RegisterGPNotificationInternal')

output: >
Print spooler service loaded suspicious print processor DLL %image.path
severity: high

min-engine-version: 2.4.0
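Review bot: the `thread.callstack.summary imatches 'ntdll.dll|KernelBase.dll|localspl.dll|spoolsv.exe|kernel32.dll|ntdll.dll'` clause pins the entire frame sequence with no wildcard, so any extra or reordered frame (a different Windows build, an injected hook, a deeper call path) silently stops the rule from firing; consider anchoring on the modules that matter with wildcards, as the sibling rule does with `'localspl.dll!SplAddMonitor*'`, and for the same reason `imatches ('localspl.dll!SplSetPrinterData')` should probably be `'localspl.dll!SplSetPrinterData*'`. The `not imatches ('KernelBase.dll!RegisterGPNotificationInternal')` exclusion reads as a false-positive suppression and deserves a comment saying which benign path it filters. Minor: the description should read "loads an unsigned or untrusted DLL".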