Detect Print Processors Registry Driver Key CreationModification
Id | 7edde3d4-9859-4a00-b93c-b19ddda55320 |
Rulename | Detect Print Processors Registry Driver Key Creation/Modification |
Description | This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary. |
Severity | Medium |
Tactics | Persistence PrivilegeEscalation |
Techniques | T1547 |
Required data connectors | CiscoSecureEndpoint CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne TrendMicroApexOne TrendMicroApexOneAma VMwareCarbonBlack |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/PrintProcessersModified.yaml |
Version | 1.0.0 |
Arm template | 7edde3d4-9859-4a00-b93c-b19ddda55320.json |
// Print Processor Registry Key RegEx
let printProcessorRegistryRegEx = @'HKEY_LOCAL_MACHINE\\SYSTEM\\[A-Za-z0-9]*ControlSet[A-Za-z0-9]*\\Control\\Print\\Environments\\Windows\s[A-Za-z0-9]+\\Print Processors\\[A-Za-z0-9]+\\Driver';
_ASim_RegistryEvent
| where EventType in ('RegistryValueSet', 'RegistryKeyCreated')
| where RegistryKey matches regex printProcessorRegistryRegEx
| project
TimeGenerated,
DvcHostname,
ActorUsername,
ActorUsernameType,
ActingProcessId,
ActingProcessName,
ActingProcessCommandLine,
RegistryKey,
RegistryValue,
RegistryValueType,
RegistryValueData
| extend HostName = tostring(split(DvcHostname, '.')[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))
| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername)
| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername)
| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')
| extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\'))
severity: Medium
relevantTechniques:
- T1547
queryFrequency: 1h
kind: Scheduled
version: 1.0.0
name: Detect Print Processors Registry Driver Key Creation/Modification
triggerOperator: gt
description: |
This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary.
queryPeriod: 1h
query: |
// Print Processor Registry Key RegEx
let printProcessorRegistryRegEx = @'HKEY_LOCAL_MACHINE\\SYSTEM\\[A-Za-z0-9]*ControlSet[A-Za-z0-9]*\\Control\\Print\\Environments\\Windows\s[A-Za-z0-9]+\\Print Processors\\[A-Za-z0-9]+\\Driver';
_ASim_RegistryEvent
| where EventType in ('RegistryValueSet', 'RegistryKeyCreated')
| where RegistryKey matches regex printProcessorRegistryRegEx
| project
TimeGenerated,
DvcHostname,
ActorUsername,
ActorUsernameType,
ActingProcessId,
ActingProcessName,
ActingProcessCommandLine,
RegistryKey,
RegistryValue,
RegistryValueType,
RegistryValueData
| extend HostName = tostring(split(DvcHostname, '.')[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))
| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername)
| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername)
| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')
| extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\'))
alertDetailsOverride:
alertDisplayNameFormat: Print Processor Registry Driver Keys Modified on {{DvcHostname}} ({{DvcIpAddr}}) by ({{ActorUsername}})
alertDescriptionFormat: 'Process {{ActingProcessName}} ProcessId: ({{ActingProcessId}}) modified registry driver key {{RegistryKey}}.'
entityMappings:
- entityType: Host
fieldMappings:
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
- columnName: NTDomain
identifier: NTDomain
- entityType: Account
fieldMappings:
- columnName: Username
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
- columnName: NTDomain
identifier: NTDomain
- entityType: Process
fieldMappings:
- columnName: ActingProcessId
identifier: ProcessId
- columnName: ActingProcessCommandLine
identifier: CommandLine
- entityType: RegistryKey
fieldMappings:
- columnName: RegHive
identifier: Hive
- columnName: RegKey
identifier: Key
- entityType: RegistryValue
fieldMappings:
- columnName: RegistryValue
identifier: Name
- columnName: RegistryValueData
identifier: Value
- columnName: RegistryValueType
identifier: ValueType
tactics:
- Persistence
- PrivilegeEscalation
status: Available
triggerThreshold: 0
tags:
- Schema: _ASim_RegistryEvent
SchemaVersion: 0.1.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/PrintProcessersModified.yaml
eventGroupingSettings:
aggregationKind: SingleAlert
id: 7edde3d4-9859-4a00-b93c-b19ddda55320
requiredDataConnectors:
- dataTypes:
- CommonSecurityLog
connectorId: CrowdStrikeFalconEndpointProtection
- dataTypes:
- SecurityAlert
connectorId: MicrosoftThreatProtection
- dataTypes:
- SentinelOne_CL
connectorId: SentinelOne
- dataTypes:
- CarbonBlackEvents_CL
connectorId: VMwareCarbonBlack
- dataTypes:
- CiscoSecureEndpoint_CL
connectorId: CiscoSecureEndpoint
- dataTypes:
- TMApexOneEvent
connectorId: TrendMicroApexOne
- dataTypes:
- TMApexOneEvent
connectorId: TrendMicroApexOneAma
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7edde3d4-9859-4a00-b93c-b19ddda55320')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7edde3d4-9859-4a00-b93c-b19ddda55320')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Process {{ActingProcessName}} ProcessId: ({{ActingProcessId}}) modified registry driver key {{RegistryKey}}.",
"alertDisplayNameFormat": "Print Processor Registry Driver Keys Modified on {{DvcHostname}} ({{DvcIpAddr}}) by ({{ActorUsername}})"
},
"alertRuleTemplateName": "7edde3d4-9859-4a00-b93c-b19ddda55320",
"customDetails": null,
"description": "This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary.\n",
"displayName": "Detect Print Processors Registry Driver Key Creation/Modification",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
},
{
"columnName": "NTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Username",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
},
{
"columnName": "NTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "ActingProcessId",
"identifier": "ProcessId"
},
{
"columnName": "ActingProcessCommandLine",
"identifier": "CommandLine"
}
]
},
{
"entityType": "RegistryKey",
"fieldMappings": [
{
"columnName": "RegHive",
"identifier": "Hive"
},
{
"columnName": "RegKey",
"identifier": "Key"
}
]
},
{
"entityType": "RegistryValue",
"fieldMappings": [
{
"columnName": "RegistryValue",
"identifier": "Name"
},
{
"columnName": "RegistryValueData",
"identifier": "Value"
},
{
"columnName": "RegistryValueType",
"identifier": "ValueType"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/PrintProcessersModified.yaml",
"query": "// Print Processor Registry Key RegEx\nlet printProcessorRegistryRegEx = @'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\[A-Za-z0-9]*ControlSet[A-Za-z0-9]*\\\\Control\\\\Print\\\\Environments\\\\Windows\\s[A-Za-z0-9]+\\\\Print Processors\\\\[A-Za-z0-9]+\\\\Driver';\n_ASim_RegistryEvent\n| where EventType in ('RegistryValueSet', 'RegistryKeyCreated')\n| where RegistryKey matches regex printProcessorRegistryRegEx\n| project\n TimeGenerated,\n DvcHostname,\n ActorUsername,\n ActorUsernameType,\n ActingProcessId,\n ActingProcessName,\n ActingProcessCommandLine,\n RegistryKey,\n RegistryValue,\n RegistryValueType,\n RegistryValueData\n| extend HostName = tostring(split(DvcHostname, '.')[0])\n| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))\n| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[1]), ActorUsername)\n| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[0]), ActorUsername)\n| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')\n| extend RegHive = tostring(split(RegistryKey, '\\\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\\\'), 1, -1), '\\\\')) \n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence",
"PrivilegeEscalation"
],
"tags": [
{
"Schema": "_ASim_RegistryEvent",
"SchemaVersion": "0.1.2"
}
],
"techniques": [
"T1547"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}