
Summary
This analytic rule detects suspicious modifications or new entries within the Print Processor registry path on Windows systems. It monitors registry activity captured by Sysmon under Event IDs 12 and 13 and identifies changes in the critical registry path associated with Print Processors. This detection matters because malicious actors, particularly APT groups such as Turla, have abused this registry area to establish persistence and carry out privilege escalation. If such registry alterations are confirmed to be malicious, they allow an attacker to run a harmful DLL payload simply by having the `spoolsv.exe` process restart, potentially granting control over the infected machine. Implementing the rule requires correctly configured endpoint data models so that registry access activity is reported comprehensively.
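As an added illustration of the detection logic the summary describes (not the rule's own search or any vendor code), the following Python filters Sysmon-style registry events for changes under the Print Processors key. The key path is assumed from the standard Windows spooler registry layout, since the summary does not spell it out, and the sample event records are constructed rather than real telemetry.

```python
import re

# Standard Windows Print Processors key. The summary names the path only generically, so
# this pattern is an assumption from the documented spooler layout; the environment
# component (e.g. "Windows x64") varies and is matched with a wildcard.
PRINT_PROCESSOR_KEY = re.compile(
    r"^HKLM\\System\\(CurrentControlSet|ControlSet\d{3})\\Control\\Print\\"
    r"Environments\\[^\\]+\\Print Processors\\",
    re.IGNORECASE,
)
# Sysmon registry events: 12 = key or value created/deleted, 13 = value set.
REGISTRY_EVENT_IDS = {12, 13}

def is_print_processor_change(event):
    """True when a Sysmon registry event (ID 12/13) targets the Print Processors key."""
    if event.get("EventID") not in REGISTRY_EVENT_IDS:
        return False
    return PRINT_PROCESSOR_KEY.match(event.get("TargetObject", "")) is not None

def detect(events):
    """One alert per matching event. Legitimate print driver installs also write here,
    so the writing process (Image) and the value (Details) are kept for triage."""
    return [
        {"host": ev.get("Computer"), "process": ev.get("Image"),
         "event_type": ev.get("EventType"), "key": ev["TargetObject"],
         "details": ev.get("Details")}
        for ev in events if is_print_processor_change(ev)
    ]

# Constructed sample records (not real telemetry) shaped like Sysmon registry events.
PP = r"HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors"
SAMPLE_EVENTS = [
    # New Print Processor subkey created by an unusual process: what the rule is after.
    {"EventID": 12, "Computer": "ws01", "Image": r"C:\Users\Public\setup.exe",
     "EventType": "CreateKey", "TargetObject": PP + r"\proc1"},
    # Driver value set under that subkey; spoolsv.exe loads it on its next start.
    {"EventID": 13, "Computer": "ws01", "Image": r"C:\Users\Public\setup.exe",
     "EventType": "SetValue", "TargetObject": PP + r"\proc1\Driver", "Details": "proc1.dll"},
    # Registry write elsewhere under Control\Print: out of scope for this rule.
    {"EventID": 13, "Computer": "ws01", "Image": r"C:\Windows\System32\spoolsv.exe",
     "EventType": "SetValue", "Details": "DWORD (0x00000040)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Print\Printers\HP\Attributes"},
    # Process creation (ID 1) has no TargetObject and is filtered by event ID first.
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running it against the constructed records yields two alerts, both attributed to `setup.exe`, while the unrelated printer attribute write and the process creation event are ignored.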
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1547
- T1547.012
Created: 2024-11-13