feat(rules):Potential port monitor or print processor persistence via registry modification

Identifies port monitor or print process registry modifications that would allow adversaries to run malicious DLLs during system boot.

Author: rabbitstack

rules/persistence_potential_port_monitor_or_print_processor_persistence_via_registry_modification.yml

@@ -0,0 +1,33 @@
+name: Potential port monitor or print processor persistence via registry modification
+id: de04ae6b-8141-41af-9baa-15630b5954cc
+version: 1.0.0
+description: |
+  Identifies port monitor or print process registry modifications that would allow
+  adversaries to run malicious DLLs during system boot.
+labels:
+  tactic.id: TA0003
+  tactic.name: Persistence
+  tactic.ref: https://attack.mitre.org/tactics/TA0003/
+  technique.name: Boot or Logon Autostart Execution
+  technique.ref: https://attack.mitre.org/techniques/T1547/
+  subtechnique.id: T1547.010
+  subtechnique.name: Port Monitors
+  subtechnique.ref: https://attack.mitre.org/techniques/T1547/010/
+references:
+  - https://stmxcsr.com/persistence/print-processor.html
+  - https://www.ired.team/offensive-security/persistence/t1013-addmonitor
+
+condition: >
+  (modify_registry) and ps.sid != 'S-1-5-18'
+    and
+  registry.path imatches
+    (
+      'HKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*',
+      'HKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*'
+    )
+
+output: >
+  Port monitor or print processor DLL registered under registry key %registry.path by process %ps.exe
+severity: high
+
+min-engine-version: 2.4.0