Detect Print Processors Registry Driver Key CreationModification

Back


Id	7edde3d4-9859-4a00-b93c-b19ddda55320
Rulename	Detect Print Processors Registry Driver Key Creation/Modification
Description	This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary.
Severity	Medium
Tactics	Persistence PrivilegeEscalation
Techniques	T1547
Required data connectors	CiscoSecureEndpoint CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne TrendMicroApexOne TrendMicroApexOneAma VMwareCarbonBlack
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/PrintProcessersModified.yaml
Version	1.0.0
Arm template	7edde3d4-9859-4a00-b93c-b19ddda55320.json

KQL

// Print Processor Registry Key RegEx
let printProcessorRegistryRegEx = @'HKEY_LOCAL_MACHINE\\SYSTEM\\[A-Za-z0-9]*ControlSet[A-Za-z0-9]*\\Control\\Print\\Environments\\Windows\s[A-Za-z0-9]+\\Print Processors\\[A-Za-z0-9]+\\Driver';
_ASim_RegistryEvent
| where EventType in ('RegistryValueSet', 'RegistryKeyCreated')
| where RegistryKey matches regex printProcessorRegistryRegEx
| project
    TimeGenerated,
    DvcHostname,
    ActorUsername,
    ActorUsernameType,
    ActingProcessId,
    ActingProcessName,
    ActingProcessCommandLine,
    RegistryKey,
    RegistryValue,
    RegistryValueType,
    RegistryValueData
| extend HostName = tostring(split(DvcHostname, '.')[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))
| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername)
| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername)
| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')
| extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\'))

YAML

relevantTechniques:
- T1547
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CrowdStrikeFalconEndpointProtection
- dataTypes:
  - SecurityAlert
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SentinelOne_CL
  connectorId: SentinelOne
- dataTypes:
  - CarbonBlackEvents_CL
  connectorId: VMwareCarbonBlack
- dataTypes:
  - CiscoSecureEndpoint_CL
  connectorId: CiscoSecureEndpoint
- dataTypes:
  - TMApexOneEvent
  connectorId: TrendMicroApexOne
- dataTypes:
  - TMApexOneEvent
  connectorId: TrendMicroApexOneAma
triggerThreshold: 0
queryFrequency: 1h
queryPeriod: 1h
eventGroupingSettings:
  aggregationKind: SingleAlert
version: 1.0.0
tags:
- SchemaVersion: 0.1.2
  Schema: _ASim_RegistryEvent
id: 7edde3d4-9859-4a00-b93c-b19ddda55320
alertDetailsOverride:
  alertDisplayNameFormat: Print Processor Registry Driver Keys Modified on {{DvcHostname}} ({{DvcIpAddr}}) by ({{ActorUsername}})
  alertDescriptionFormat: 'Process {{ActingProcessName}} ProcessId: ({{ActingProcessId}}) modified registry driver key {{RegistryKey}}.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/PrintProcessersModified.yaml
query: |
  // Print Processor Registry Key RegEx
  let printProcessorRegistryRegEx = @'HKEY_LOCAL_MACHINE\\SYSTEM\\[A-Za-z0-9]*ControlSet[A-Za-z0-9]*\\Control\\Print\\Environments\\Windows\s[A-Za-z0-9]+\\Print Processors\\[A-Za-z0-9]+\\Driver';
  _ASim_RegistryEvent
  | where EventType in ('RegistryValueSet', 'RegistryKeyCreated')
  | where RegistryKey matches regex printProcessorRegistryRegEx
  | project
      TimeGenerated,
      DvcHostname,
      ActorUsername,
      ActorUsernameType,
      ActingProcessId,
      ActingProcessName,
      ActingProcessCommandLine,
      RegistryKey,
      RegistryValue,
      RegistryValueType,
      RegistryValueData
  | extend HostName = tostring(split(DvcHostname, '.')[0])
  | extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))
  | extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername)
  | extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername)
  | extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)
  | extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')
  | extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\'))   
status: Available
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  - identifier: NTDomain
    columnName: NTDomain
  entityType: Host
- fieldMappings:
  - identifier: Name
    columnName: Username
  - identifier: UPNSuffix
    columnName: UPNSuffix
  - identifier: NTDomain
    columnName: NTDomain
  entityType: Account
- fieldMappings:
  - identifier: ProcessId
    columnName: ActingProcessId
  - identifier: CommandLine
    columnName: ActingProcessCommandLine
  entityType: Process
- fieldMappings:
  - identifier: Hive
    columnName: RegHive
  - identifier: Key
    columnName: RegKey
  entityType: RegistryKey
- fieldMappings:
  - identifier: Name
    columnName: RegistryValue
  - identifier: Value
    columnName: RegistryValueData
  - identifier: ValueType
    columnName: RegistryValueType
  entityType: RegistryValue
tactics:
- Persistence
- PrivilegeEscalation
severity: Medium
name: Detect Print Processors Registry Driver Key Creation/Modification
triggerOperator: gt
kind: Scheduled
description: |
    This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary.

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7edde3d4-9859-4a00-b93c-b19ddda55320')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7edde3d4-9859-4a00-b93c-b19ddda55320')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Process {{ActingProcessName}} ProcessId: ({{ActingProcessId}}) modified registry driver key {{RegistryKey}}.",
          "alertDisplayNameFormat": "Print Processor Registry Driver Keys Modified on {{DvcHostname}} ({{DvcIpAddr}}) by ({{ActorUsername}})"
        },
        "alertRuleTemplateName": "7edde3d4-9859-4a00-b93c-b19ddda55320",
        "customDetails": null,
        "description": "This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary.\n",
        "displayName": "Detect Print Processors Registry Driver Key Creation/Modification",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Username",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ActingProcessId",
                "identifier": "ProcessId"
              },
              {
                "columnName": "ActingProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          },
          {
            "entityType": "RegistryKey",
            "fieldMappings": [
              {
                "columnName": "RegHive",
                "identifier": "Hive"
              },
              {
                "columnName": "RegKey",
                "identifier": "Key"
              }
            ]
          },
          {
            "entityType": "RegistryValue",
            "fieldMappings": [
              {
                "columnName": "RegistryValue",
                "identifier": "Name"
              },
              {
                "columnName": "RegistryValueData",
                "identifier": "Value"
              },
              {
                "columnName": "RegistryValueType",
                "identifier": "ValueType"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/PrintProcessersModified.yaml",
        "query": "// Print Processor Registry Key RegEx\nlet printProcessorRegistryRegEx = @'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\[A-Za-z0-9]*ControlSet[A-Za-z0-9]*\\\\Control\\\\Print\\\\Environments\\\\Windows\\s[A-Za-z0-9]+\\\\Print Processors\\\\[A-Za-z0-9]+\\\\Driver';\n_ASim_RegistryEvent\n| where EventType in ('RegistryValueSet', 'RegistryKeyCreated')\n| where RegistryKey matches regex printProcessorRegistryRegEx\n| project\n    TimeGenerated,\n    DvcHostname,\n    ActorUsername,\n    ActorUsernameType,\n    ActingProcessId,\n    ActingProcessName,\n    ActingProcessCommandLine,\n    RegistryKey,\n    RegistryValue,\n    RegistryValueType,\n    RegistryValueData\n| extend HostName = tostring(split(DvcHostname, '.')[0])\n| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))\n| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[1]), ActorUsername)\n| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[0]), ActorUsername)\n| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')\n| extend RegHive = tostring(split(RegistryKey, '\\\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\\\'), 1, -1), '\\\\')) \n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "PrivilegeEscalation"
        ],
        "tags": [
          {
            "Schema": "_ASim_RegistryEvent",
            "SchemaVersion": "0.1.2"
          }
        ],
        "techniques": [
          "T1547"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}