From 43176a64d331e31e37c3896e5cdbe571970adea6 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Fri, 11 Apr 2025 17:38:13 +0200
Subject: [PATCH 1/2] feat(rules): Suspicious print processor loaded rule
Identifies when the print spooler service loads unsigned or untrusted DLL and the callstack pattern indicates the print processor is loaded. Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
---
 ...ence_suspicious_print_processor_loaded.yml | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 rules/persistence_suspicious_print_processor_loaded.yml
diff --git a/rules/persistence_suspicious_print_processor_loaded.yml b/rules/persistence_suspicious_print_processor_loaded.yml
new file mode 100644
index 000000000..7f67a9e21
--- /dev/null
+++ b/rules/persistence_suspicious_print_processor_loaded.yml
@@ -0,0 +1,32 @@
+name: Suspicious print processor loaded
+id: 3e0f5ef7-8a0a-4604-b2bf-d09606f45483
+version: 1.0.0
+description: |
+ Identifies when the print spooler service loads unsigned or untrusted DLL and the callstack pattern
+ indicates the print processor is loaded. Adversaries may abuse print processors to run malicious DLLs
+ during system boot for persistence and/or privilege escalation.
+labels:
+ tactic.id: TA0003
+ tactic.name: Persistence
+ tactic.ref: https://attack.mitre.org/tactics/TA0003/
+ technique.id: T1547
+ technique.name: Boot or Logon Autostart Execution
+ technique.ref: https://attack.mitre.org/techniques/T1547/
+ subtechnique.id: T1547.012
+ subtechnique.name: Print Processors
+ subtechnique.ref: https://attack.mitre.org/techniques/T1547/012/
+references:
+ - https://stmxcsr.com/persistence/print-processor.html
+
+condition: >
+ (load_unsigned_or_untrusted_dll) and ps.name ~= 'spoolsv.exe'
+ and
+ thread.callstack.summary imatches 'ntdll.dll|KernelBase.dll|localspl.dll|spoolsv.exe|kernel32.dll|ntdll.dll'
+ and
+ thread.callstack.symbols imatches ('localspl.dll!SplSetPrinterData') and thread.callstack.symbols not imatches ('KernelBase.dll!RegisterGPNotificationInternal')
+
+output: >
+ Print spooler service loaded suspicious print processor DLL %image.path
+severity: high
+
+min-engine-version: 2.4.0
From da5705d89bab99923b30fe5179e095a7887a5b34 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Fri, 11 Apr 2025 17:38:43 +0200
Subject: [PATCH 2/2] chore(rules): Unify usage of the load_unsigned_or_untrusted_dll macro
---
 rules/persistence_suspicious_port_monitor_loaded.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/rules/persistence_suspicious_port_monitor_loaded.yml b/rules/persistence_suspicious_port_monitor_loaded.yml
index e1b0a50aa..f0bb210f4 100644
--- a/rules/persistence_suspicious_port_monitor_loaded.yml
+++ b/rules/persistence_suspicious_port_monitor_loaded.yml
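Review bot: The `thread.callstack.summary imatches 'ntdll.dll|KernelBase.dll|localspl.dll|spoolsv.exe|kernel32.dll|ntdll.dll'` clause is an exact, wildcard-free match on the entire frame list, so a single extra or missing frame (a different Windows build, an additional module on the stack) makes the rule miss even though the macro, the `ps.name` check and the `SplSetPrinterData` symbol match would all still hold. The sibling port monitor rule anchors its symbol patterns with `*`; the same treatment here, e.g. `thread.callstack.summary imatches '*|localspl.dll|spoolsv.exe|*'`, would pin only the frames that carry the meaning, though the fixed list presumably came from one capture, so confirm against more than one Windows version before deciding either way. The `not imatches ('KernelBase.dll!RegisterGPNotificationInternal')` exclusion is the part most likely to be revisited later and carries no rationale; a YAML comment above `condition:` along the lines of `# RegisterGPNotificationInternal excludes the Group Policy refresh path observed to share this callstack` (worded to match what was actually seen) would record why it is there. In the description, `loads unsigned or untrusted DLL` reads better as `loads an unsigned or untrusted DLL`.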
@@ -1,6 +1,6 @@
 name: Suspicious port monitor loaded
 id: d6ab6bfa-1a97-46cb-a69a-7a6c98a699f1
-version: 1.0.0
+version: 1.0.1
 description: |
 Identifies the loading of an unsigned DLL by the print spool service. Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
@@ -18,10 +18,8 @@ references:
 - https://www.ired.team/offensive-security/persistence/t1013-addmonitor
 
 condition: >
- load_dll and ps.name ~= 'spoolsv.exe'
+ (load_unsigned_or_untrusted_dll) and ps.name ~= 'spoolsv.exe'
 and
 thread.callstack.symbols imatches ('localspl.dll!SplAddMonitor*', 'spoolsv.exe!PrvAddMonitor*')
- and
- (image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED')
 
 min-engine-version: 2.2.0
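Review bot: The new `(load_unsigned_or_untrusted_dll)` line replaces the removed `image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED'` test, and if the macro also admits modules with an untrusted signature, as its name suggests, the rule now fires on more than the description a few lines up promises: `Identifies the loading of an unsigned DLL by the print spool service` should follow the new sibling rule and read `Identifies the loading of an unsigned or untrusted DLL by the print spooler service`, so analysts triaging the alert know a signed-but-untrusted module can trigger it. The macro definition is not part of this diff, so confirm it is available at `min-engine-version: 2.2.0`; if it was introduced in a later engine release the floor has to move with it, as the new rule's `2.4.0` hints may be the case. Since the detection logic itself changed rather than its wording, `version: 1.0.1` in the first hunk arguably understates the change; a minor bump such as `version: 1.1.0` would signal to rule consumers that alert volume may shift.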