Add Port Monitor Persistence in Registry

Original Source: [Sigma source]
Title: Add Port Monitor Persistence in Registry
Status: test
Description: Adversaries may use port monitors to run an attacker-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be registered through the AddMonitor API call, or by writing the DLL name directly to the Driver value under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\<monitor name>. The print spooler (spoolsv.exe) loads the listed DLL when it starts and runs as SYSTEM, so the DLL inherits those privileges. This rule keys on the resulting registry write, not on the API call itself.
References:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
Author: frack113
Date: 2021-12-30
Modified: 2024-03-25
Tags:
  - attack.persistence
  - attack.t1547.010
Logsource:
  category: registry_set
  product: windows
Detection:
  selection:
    TargetObject|contains: '\Control\Print\Monitors\'
    Details|endswith: '.dll'
  filter_optional_cutepdf:
    Image: 'C:\Windows\System32\spoolsv.exe'
    TargetObject|contains: '\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver'
    Details: 'cpwmon64_v40.dll'
    User|contains:
      - 'AUTHORI'
      - 'AUTORI'

  filter_optional_monvnc:
    TargetObject|contains: '\Control\Print\Monitors\MONVNC\Driver'
  filter_optional_vnc:
    TargetObject|contains|all:
      -'Control\Print\Environments\'
      -'\Drivers\'
      -'\VNC Printer'

  condition: selection and not 1 of filter_optional_*
Falsepositives:
  - Unknown
Level: medium
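To show how the selection and the three optional filters interact, the following is an added Python walk-through of the rule's condition evaluated over a handful of constructed registry_set events. It is example code written for this page, not part of the Sigma rule or the Sigma project. The field names (Image, TargetObject, Details, User) are the Sysmon Event ID 13 fields the rule references; the sample events, process paths, monitor names and DLL names other than those in the rule are invented for illustration. Matching is done case-insensitively because Sigma's contains/endswith modifiers are case-insensitive unless the `cased` modifier is added.

```python
"""Evaluate 'Add Port Monitor Persistence in Registry' over constructed events.

Example code for this page, not the Sigma rule itself. Field names follow the
Sysmon Event ID 13 (Value Set) fields the rule uses. All events below are
constructed, not captured from a real host.
"""
from dataclasses import dataclass


@dataclass
class RegistrySetEvent:
    Image: str          # process that wrote the value
    TargetObject: str   # full registry path of the value that was set
    Details: str        # value data (for a REG_SZ, the string itself)
    User: str           # account the writing process ran as


# Sigma string modifiers compare case-insensitively by default.
def _contains(haystack: str, needle: str) -> bool:
    return needle.casefold() in haystack.casefold()


def _endswith(haystack: str, suffix: str) -> bool:
    return haystack.casefold().endswith(suffix.casefold())


def _equals(a: str, b: str) -> bool:
    return a.casefold() == b.casefold()


def selection(e: RegistrySetEvent) -> bool:
    """Any .dll value written under ...\\Control\\Print\\Monitors\\."""
    return (_contains(e.TargetObject, "\\Control\\Print\\Monitors\\")
            and _endswith(e.Details, ".dll"))


def filter_optional_cutepdf(e: RegistrySetEvent) -> bool:
    """Known-good CutePDF monitor, but only when the spooler itself writes it
    as an NT AUTHORITY account; every sub-condition must hold."""
    return (_equals(e.Image, "C:\\Windows\\System32\\spoolsv.exe")
            and _contains(e.TargetObject,
                          "\\Control\\Print\\Monitors\\CutePDF Writer Monitor v4.0\\Driver")
            and _equals(e.Details, "cpwmon64_v40.dll")
            and any(_contains(e.User, s) for s in ("AUTHORI", "AUTORI")))


def filter_optional_monvnc(e: RegistrySetEvent) -> bool:
    return _contains(e.TargetObject, "\\Control\\Print\\Monitors\\MONVNC\\Driver")


def filter_optional_vnc(e: RegistrySetEvent) -> bool:
    return all(_contains(e.TargetObject, s) for s in
               ("Control\\Print\\Environments\\", "\\Drivers\\", "\\VNC Printer"))


FILTERS = (filter_optional_cutepdf, filter_optional_monvnc, filter_optional_vnc)


def matches(e: RegistrySetEvent) -> bool:
    """condition: selection and not 1 of filter_optional_*"""
    return selection(e) and not any(f(e) for f in FILTERS)


MON = "HKLM\\System\\CurrentControlSet\\Control\\Print\\Monitors\\"
# Constructed sample events (hypothetical names, paths and accounts).
SAMPLE_EVENTS = {
    # Attacker registers a new monitor with reg.exe; mixed case still matches.
    "evil_monitor": RegistrySetEvent(
        "C:\\Windows\\System32\\reg.exe", MON + "Evil Monitor\\Driver",
        "Evil.DLL", "DESKTOP-1\\admin"),
    # Legitimate CutePDF write by the spooler as SYSTEM: filtered out.
    "cutepdf_spooler": RegistrySetEvent(
        "C:\\Windows\\System32\\spoolsv.exe", MON + "CutePDF Writer Monitor v4.0\\Driver",
        "cpwmon64_v40.dll", "NT AUTHORITY\\SYSTEM"),
    # Same key and DLL name, but written by PowerShell as a local user:
    # the filter needs Image AND User to match, so this still alerts.
    "cutepdf_path_reused": RegistrySetEvent(
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        MON + "CutePDF Writer Monitor v4.0\\Driver", "cpwmon64_v40.dll", "DESKTOP-1\\admin"),
    # MONVNC monitor: selection matches, filter suppresses on path alone.
    "monvnc": RegistrySetEvent(
        "C:\\Windows\\System32\\spoolsv.exe", MON + "MONVNC\\Driver",
        "vncpm.dll", "NT AUTHORITY\\SYSTEM"),
    # A non-DLL value under Monitors never enters the selection.
    "non_dll_value": RegistrySetEvent(
        "C:\\Windows\\System32\\spoolsv.exe", MON + "Standard TCP/IP Port\\Ports\\Enabled",
        "DWORD (0x00000001)", "NT AUTHORITY\\SYSTEM"),
}


def alerting_events(events=SAMPLE_EVENTS) -> list:
    """Names of the sample events that would raise this rule, sorted."""
    return sorted(name for name, e in events.items() if matches(e))


if __name__ == "__main__":
    for name in alerting_events():
        print("ALERT:", name)
```

Two details worth noticing when tuning this rule: the CutePDF filter is deliberately narrow (spooler image, exact DLL name, NT AUTHORITY user), so reusing the vendor's key from another process still alerts, while the MONVNC filter suppresses on the path alone and would also hide a DLL planted under that key; and the filter_optional_vnc path lies under Environments rather than Monitors, so it can never overlap the selection and is effectively inert here.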