T1547.012

Boot or Logon Autostart Execution: Print Processors

Other sub-techniques of Boot or Logon Autostart Execution (14)

ID	Name
T1547.001	Registry Run Keys / Startup Folder
T1547.002	Authentication Package
T1547.003	Time Providers
T1547.004	Winlogon Helper DLL
T1547.005	Security Support Provider
T1547.006	Kernel Modules and Extensions
T1547.007	Re-opened Applications
T1547.008	LSASS Driver
T1547.009	Shortcut Modification
T1547.010	Port Monitors
T1547.012	Print Processors
T1547.013	XDG Autostart Entries
T1547.014	Active Setup
T1547.015	Login Items

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.

Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user defined]\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory API call.^[1] After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.^[2] The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.

ID: T1547.012

Sub-technique of: T1547

ⓘ

Tactics: Persistence, Privilege Escalation

ⓘ

Platforms: Windows

ⓘ

Permissions Required: Administrator, SYSTEM

Contributors: Mathieu Tartare, ESET

Version: 1.0

Created: 05 October 2020

Last Modified: 09 October 2020

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
G1006	Earth Lusca	Earth Lusca has added the Registry key `HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint" /v Driver /d "spool.dll /f` to load malware as a Print Processor.^[3]
S0666	Gelsemium	Gelsemium can drop itself in `C:\Windows\System32\spool\prtprocs\x64\winprint.dll` to be loaded automatically by the spoolsv Windows service.^[4]
S0501	PipeMon	The PipeMon installer has modified the Registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors` to install PipeMon as a Print Processor.^[2]

Mitigations

ID	Mitigation	Description
M1018	User Account Management	Limit user accounts that can load or unload device drivers by disabling `SeLoadDriverPrivilege`.

Detection

ID	Data Source	Data Component	Detects
DS0027	Driver	Driver Load	Monitor for unusual kernel driver installation activity that may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
DS0022	File	File Creation	Monitor for newly constructed files that may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
DS0011	Module	Module Load	Monitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious. New print processor DLLs are written to the print processor directory.
DS0009	Process	OS API Execution	Monitor process API calls to `AddPrintProcessor` and `GetPrintProcessorDirectory`.
DS0024	Windows Registry	Windows Registry Key Modification	Monitor Registry writes to `HKLM\SYSTEM\ControlSet001\Control\Print\Environments\[Windows architecture]\Print Processors\[user defined]\Driver` or `HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\[Windows architecture]\Print Processors\[user defined]\Driver` as they pertain to print processor installations.