Detect Print Processors Registry Driver Key CreationModification
| Id | 7edde3d4-9859-4a00-b93c-b19ddda55320 |
| Rulename | Detect Print Processors Registry Driver Key Creation/Modification |
| Description | This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary. |
| Severity | Medium |
| Tactics | Persistence PrivilegeEscalation |
| Techniques | T1547 |
| Required data connectors | CiscoSecureEndpoint CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne TrendMicroApexOne TrendMicroApexOneAma VMwareCarbonBlack |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/PrintProcessersModified.yaml |
| Version | 1.0.0 |
| Arm template | 7edde3d4-9859-4a00-b93c-b19ddda55320.json |
// Print Processor Registry Key RegEx
let printProcessorRegistryRegEx = @'HKEY_LOCAL_MACHINE\\SYSTEM\\[A-Za-z0-9]*ControlSet[A-Za-z0-9]*\\Control\\Print\\Environments\\Windows\s[A-Za-z0-9]+\\Print Processors\\[A-Za-z0-9]+\\Driver';
_ASim_RegistryEvent
| where EventType in ('RegistryValueSet', 'RegistryKeyCreated')
| where RegistryKey matches regex printProcessorRegistryRegEx
| project
TimeGenerated,
DvcHostname,
ActorUsername,
ActorUsernameType,
ActingProcessId,
ActingProcessName,
ActingProcessCommandLine,
RegistryKey,
RegistryValue,
RegistryValueType,
RegistryValueData
| extend HostName = tostring(split(DvcHostname, '.')[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))
| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername)
| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername)
| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')
| extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\'))
kind: Scheduled
alertDetailsOverride:
alertDisplayNameFormat: Print Processor Registry Driver Keys Modified on {{DvcHostname}} ({{DvcIpAddr}}) by ({{ActorUsername}})
alertDescriptionFormat: 'Process {{ActingProcessName}} ProcessId: ({{ActingProcessId}}) modified registry driver key {{RegistryKey}}.'
tactics:
- Persistence
- PrivilegeEscalation
name: Detect Print Processors Registry Driver Key Creation/Modification
id: 7edde3d4-9859-4a00-b93c-b19ddda55320
queryFrequency: 1h
severity: Medium
tags:
- SchemaVersion: 0.1.2
Schema: _ASim_RegistryEvent
eventGroupingSettings:
aggregationKind: SingleAlert
version: 1.0.0
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/PrintProcessersModified.yaml
queryPeriod: 1h
description: |
This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary.
triggerOperator: gt
status: Available
requiredDataConnectors:
- dataTypes:
- CommonSecurityLog
connectorId: CrowdStrikeFalconEndpointProtection
- dataTypes:
- SecurityAlert
connectorId: MicrosoftThreatProtection
- dataTypes:
- SentinelOne_CL
connectorId: SentinelOne
- dataTypes:
- CarbonBlackEvents_CL
connectorId: VMwareCarbonBlack
- dataTypes:
- CiscoSecureEndpoint_CL
connectorId: CiscoSecureEndpoint
- dataTypes:
- TMApexOneEvent
connectorId: TrendMicroApexOne
- dataTypes:
- TMApexOneEvent
connectorId: TrendMicroApexOneAma
query: |
// Print Processor Registry Key RegEx
let printProcessorRegistryRegEx = @'HKEY_LOCAL_MACHINE\\SYSTEM\\[A-Za-z0-9]*ControlSet[A-Za-z0-9]*\\Control\\Print\\Environments\\Windows\s[A-Za-z0-9]+\\Print Processors\\[A-Za-z0-9]+\\Driver';
_ASim_RegistryEvent
| where EventType in ('RegistryValueSet', 'RegistryKeyCreated')
| where RegistryKey matches regex printProcessorRegistryRegEx
| project
TimeGenerated,
DvcHostname,
ActorUsername,
ActorUsernameType,
ActingProcessId,
ActingProcessName,
ActingProcessCommandLine,
RegistryKey,
RegistryValue,
RegistryValueType,
RegistryValueData
| extend HostName = tostring(split(DvcHostname, '.')[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))
| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername)
| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername)
| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')
| extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\'))
entityMappings:
- entityType: Host
fieldMappings:
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
- columnName: NTDomain
identifier: NTDomain
- entityType: Account
fieldMappings:
- columnName: Username
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
- columnName: NTDomain
identifier: NTDomain
- entityType: Process
fieldMappings:
- columnName: ActingProcessId
identifier: ProcessId
- columnName: ActingProcessCommandLine
identifier: CommandLine
- entityType: RegistryKey
fieldMappings:
- columnName: RegHive
identifier: Hive
- columnName: RegKey
identifier: Key
- entityType: RegistryValue
fieldMappings:
- columnName: RegistryValue
identifier: Name
- columnName: RegistryValueData
identifier: Value
- columnName: RegistryValueType
identifier: ValueType
relevantTechniques:
- T1547
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7edde3d4-9859-4a00-b93c-b19ddda55320')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7edde3d4-9859-4a00-b93c-b19ddda55320')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Process {{ActingProcessName}} ProcessId: ({{ActingProcessId}}) modified registry driver key {{RegistryKey}}.",
"alertDisplayNameFormat": "Print Processor Registry Driver Keys Modified on {{DvcHostname}} ({{DvcIpAddr}}) by ({{ActorUsername}})"
},
"alertRuleTemplateName": "7edde3d4-9859-4a00-b93c-b19ddda55320",
"customDetails": null,
"description": "This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary.\n",
"displayName": "Detect Print Processors Registry Driver Key Creation/Modification",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
},
{
"columnName": "NTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Username",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
},
{
"columnName": "NTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "ActingProcessId",
"identifier": "ProcessId"
},
{
"columnName": "ActingProcessCommandLine",
"identifier": "CommandLine"
}
]
},
{
"entityType": "RegistryKey",
"fieldMappings": [
{
"columnName": "RegHive",
"identifier": "Hive"
},
{
"columnName": "RegKey",
"identifier": "Key"
}
]
},
{
"entityType": "RegistryValue",
"fieldMappings": [
{
"columnName": "RegistryValue",
"identifier": "Name"
},
{
"columnName": "RegistryValueData",
"identifier": "Value"
},
{
"columnName": "RegistryValueType",
"identifier": "ValueType"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/PrintProcessersModified.yaml",
"query": "// Print Processor Registry Key RegEx\nlet printProcessorRegistryRegEx = @'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\[A-Za-z0-9]*ControlSet[A-Za-z0-9]*\\\\Control\\\\Print\\\\Environments\\\\Windows\\s[A-Za-z0-9]+\\\\Print Processors\\\\[A-Za-z0-9]+\\\\Driver';\n_ASim_RegistryEvent\n| where EventType in ('RegistryValueSet', 'RegistryKeyCreated')\n| where RegistryKey matches regex printProcessorRegistryRegEx\n| project\n TimeGenerated,\n DvcHostname,\n ActorUsername,\n ActorUsernameType,\n ActingProcessId,\n ActingProcessName,\n ActingProcessCommandLine,\n RegistryKey,\n RegistryValue,\n RegistryValueType,\n RegistryValueData\n| extend HostName = tostring(split(DvcHostname, '.')[0])\n| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))\n| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[1]), ActorUsername)\n| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[0]), ActorUsername)\n| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')\n| extend RegHive = tostring(split(RegistryKey, '\\\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\\\'), 1, -1), '\\\\')) \n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence",
"PrivilegeEscalation"
],
"tags": [
{
"Schema": "_ASim_RegistryEvent",
"SchemaVersion": "0.1.2"
}
],
"techniques": [
"T1547"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}