Name:Print Processor Registry Autostart id:1f5b68aa-2037-11ec-898e-acde48001122 version:4 date:2024-10-17 author:Teoderick Contreras, Splunk status:experimental type:TTP Description:The following analytic detects suspicious modifications or new entries in the Print Processor registry path. It leverages registry activity data from the Endpoint data model to identify changes in the specified registry path. This activity is significant because the Print Processor registry is known to be exploited by APT groups like Turla for persistence and privilege escalation. If confirmed malicious, this could allow an attacker to execute a malicious DLL payload by restarting the spoolsv.exe process, leading to potential control over the compromised machine. Data_source:
-Sysmon EventID 12
-Sysmon EventID 13
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\Control\\Print\\Environments\\Windows x64\\Print Processors*" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `print_processor_registry_autostart_filter`
how_to_implement:To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. known_false_positives:possible new printer installation may add driver component on this registry. References: -https://attack.mitre.org/techniques/T1547/012/ -https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ drilldown_searches:
: tags: analytic_story: - 'Data Destruction' - 'Windows Privilege Escalation' - 'Hermetic Wiper' - 'Windows Persistence Techniques' asset_type:Endpoint confidence:100 impact:80 message:modified/added/deleted registry entry $Registry.registry_path$ in $dest$ mitre_attack_id: - 'T1547.012' - 'T1547' observable: name:'dest' type:'Hostname' - role: - 'Victim' name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Registry.dest' - 'Registry.user' - 'Registry.registry_path' - 'Registry.registry_key_name' - 'Registry.registry_value_name' risk_score:80 security_domain:endpoint
