1. Home
  2. Techniques
  3. Enterprise
  4. Boot or Logon Autostart Execution
  5. Print Processors

Boot or Logon Autostart Execution: Print Processors

ID Name
T1547.001 Registry Run Keys / Startup Folder
T1547.002 Authentication Package
T1547.003 Time Providers
T1547.004 Winlogon Helper DLL
T1547.005 Security Support Provider
T1547.006 Kernel Modules and Extensions
T1547.007 Re-opened Applications
T1547.008 LSASS Driver
T1547.009 Shortcut Modification
T1547.010 Port Monitors
T1547.012 Print Processors
T1547.013 XDG Autostart Entries
T1547.014 Active Setup
T1547.015 Login Items

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.[1]

Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user defined]\Driver Registry key that points to the DLL.

For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the GetPrintProcessorDirectory API call, or referenced via a relative path from this directory.[2] After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.[3]

The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.

ID: T1547.012
Sub-technique of:  T1547
Platforms: Windows
Permissions Required: Administrator, SYSTEM
Contributors: Mathieu Tartare, ESET; Tahseen Bin Taj
Version: 1.1
Created: 05 October 2020
Last Modified: 04 October 2023

Procedure Examples

ID Name Description
G1006 Earth Lusca

Earth Lusca has added the Registry key HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint" /v Driver /d "spool.dll /f to load malware as a Print Processor.[4]
S0666 Gelsemium

Gelsemium can drop itself in C:\Windows\System32\spool\prtprocs\x64\winprint.dll to be loaded automatically by the spoolsv Windows service.[5]
S0501 PipeMon

The PipeMon installer has modified the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors to install PipeMon as a Print Processor.[3]

Mitigations

ID Mitigation Description
M1018 User Account Management

Limit user accounts that can load or unload device drivers by disabling SeLoadDriverPrivilege.

Detection

ID Data Source Data Component Detects
DS0027 Driver Driver Load

Monitor for unusual kernel driver installation activity that may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
DS0022 File File Creation

Monitor for newly constructed files that may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
DS0011 Module Module Load

Monitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious. New print processor DLLs are written to the print processor directory.
DS0009 Process OS API Execution

Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory.
DS0024 Windows Registry Windows Registry Key Modification

Monitor Registry writes to HKLM\SYSTEM\ControlSet001\Control\Print\Environments\[Windows architecture]\Print Processors\[user defined]\Driver or HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\[Windows architecture]\Print Processors\[user defined]\Driver as they pertain to print processor installations.

References

  1. Microsoft. (2023, June 26). Introduction to print processors. Retrieved September 27, 2023.
  2. Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved October 5, 2020.
  3. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  1. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  2. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.