chore(rules): Unify usage of the load_unsigned_or_untrusted_dll macro

rabbitstack · rabbitstack · commit da5705d89bab · 2025-04-11T17:38:43.000+02:00
diff --git a/rules/persistence_suspicious_port_monitor_loaded.yml b/rules/persistence_suspicious_port_monitor_loaded.yml
@@ -1,6 +1,6 @@
 name: Suspicious port monitor loaded
 id: d6ab6bfa-1a97-46cb-a69a-7a6c98a699f1
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies the loading of an unsigned DLL by the print spool service. Adversaries may use port
   monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
@@ -18,10 +18,8 @@ references:
   - https://www.ired.team/offensive-security/persistence/t1013-addmonitor
 
 condition: >
-  load_dll and ps.name ~= 'spoolsv.exe'
+  (load_unsigned_or_untrusted_dll) and ps.name ~= 'spoolsv.exe'
     and
   thread.callstack.symbols imatches ('localspl.dll!SplAddMonitor*', 'spoolsv.exe!PrvAddMonitor*')
-    and
-  (image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED')
 
 min-engine-version: 2.2.0
