Monitor Registry Keys For Print Monitors

Description

This search looks for registry activity associated with modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. In this scenario, an attacker can load an arbitrary .dll through the print-monitor registry key by supplying the full path name of the .dll. The system executes the .dll with elevated (SYSTEM) permissions, and the entry persists after reboot.



Use Case

Advanced Threat Detection

Category

Endpoint Compromise


SPL Difficulty

None

Journey

Stage 1

MITRE ATT&CK Tactics

Persistence
Privilege Escalation

MITRE ATT&CK Techniques

Boot or Logon Autostart Execution

Port Monitors

Kill Chain Phases

Actions On Objectives

Data Sources

Windows Security

Help

Monitor Registry Keys For Print Monitors Help

To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the Registry node of the Endpoint data model. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.
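As an added example (not the Splunk search itself, which this page does not reproduce), the following Python applies the check described in the description and help sections to constructed Sysmon Event ID 13 (registry value set) records: every value written under the Print\Monitors key is flagged, and a Driver value that carries a full path instead of the bare System32 file name used by the built-in monitors is escalated. The pipe-separated field layout and the sample values are assumptions made for this example.

```python
import re

# Constructed Sysmon Event ID 13 records flattened to "Field: value" pairs
# separated by "|". Sample data only; real events arrive as XML/JSON.
SAMPLE_EVENTS = [
    "EventID: 13|Image: C:\\Windows\\System32\\spoolsv.exe"
    "|TargetObject: HKLM\\System\\CurrentControlSet\\Control\\Print\\Monitors\\Local Port\\Driver"
    "|Details: localspl.dll|User: NT AUTHORITY\\SYSTEM",
    "EventID: 13|Image: C:\\Windows\\regedit.exe"
    "|TargetObject: HKLM\\System\\CurrentControlSet\\Control\\Print\\Monitors\\Updater\\Driver"
    "|Details: C:\\Users\\Public\\mon.dll|User: CORP\\jdoe",
    "EventID: 13|Image: C:\\Windows\\System32\\svchost.exe"
    "|TargetObject: HKLM\\System\\CurrentControlSet\\Services\\Spooler\\Start"
    "|Details: DWORD (0x00000002)|User: NT AUTHORITY\\SYSTEM",
]

# Match the monitored key under CurrentControlSet or a numbered ControlSet00N
# alias, since the same hive location can be reported either way.
MONITORS_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Control\\Print\\Monitors\\",
    re.IGNORECASE,
)


def parse_event(line: str) -> dict:
    """Split one flattened record into a field -> value dictionary."""
    fields = {}
    for part in line.split("|"):
        name, _, value = part.partition(": ")
        fields[name.strip()] = value.strip()
    return fields


def classify(event: dict):
    """Return an alert dict for a write under Print\\Monitors, else None."""
    if event.get("EventID") != "13":
        return None
    target = event.get("TargetObject", "")
    if not MONITORS_KEY.match(target):
        return None
    value_name = target.rsplit("\\", 1)[-1]
    data = event.get("Details", "")
    # Built-in monitors reference a bare file name resolved from System32;
    # a full path in the Driver value is the pattern the description warns about.
    full_path = "\\" in data or "/" in data
    severity = "high" if value_name.lower() == "driver" and full_path else "medium"
    return {"severity": severity, "key": target, "data": data,
            "image": event.get("Image"), "user": event.get("User")}


def run_detection(lines):
    """Run the check over raw records and keep only the alerts."""
    return [hit for hit in (classify(parse_event(l)) for l in lines) if hit]
```

Running `run_detection(SAMPLE_EVENTS)` yields two alerts: a medium one for the spooler updating the built-in Local Port monitor, and a high one for the user-writable full-path DLL registered under a new monitor name.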
