T1547.012: Print Processors
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe
, during boot.
Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor
API call with an account that has SeLoadDriverPrivilege
enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user defined]\Driver
Registry key that points to the DLL.
For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the GetPrintProcessorDirectory
API call, or referenced via a relative path from this directory. After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.
The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.
Positive Technologies products that cover the technique
Description of detection methods is not available yet
Detection
ID | DS0011 | Data source and component | Module: Module Load | Description | Monitor for abnormal DLLs that are loaded by |
---|
ID | DS0027 | Data source and component | Driver: Driver Load | Description | Monitor for unusual kernel driver installation activity that may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. |
---|
ID | DS0009 | Data source and component | Process: OS API Execution | Description | Monitor process API calls to |
---|
ID | DS0024 | Data source and component | Windows Registry: Windows Registry Key Modification | Description | Monitor Registry writes to |
---|
ID | DS0022 | Data source and component | File: File Creation | Description | Monitor for newly constructed files that may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. |
---|
Mitigation
ID | M1018 | Name | User Account Management | Description | Limit user accounts that can load or unload device drivers by disabling |
---|