Skip to content

DET0026 Windows Detection Strategy for T1547.012 - Print Processor DLL Persistence

Item Value
ID DET0026
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1547.012 (Print Processors)

Analytics

Windows

AN0074

Correlated registry modifications under Print Processors path, followed by DLL file creation within the system print processor directory, and DLL load by spoolsv.exe. Malicious execution often occurs during service restart or system boot, with SYSTEM-level privileges.

Log Sources
Data Component Name Channel
Windows Registry Key Modification (DC0063) WinEventLog:Sysmon EventCode=13, 14
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Process Access (DC0035) WinEventLog:Sysmon EventCode=10
Mutable Elements
Field Description
TimeWindow Correlate Registry + DLL Write + Module Load within a short boot or spooler restart window (e.g., 5 minutes).
PrintProcessorDirectory System-specific path derived from GetPrintProcessorDirectory API call; may differ across Windows versions or configurations.
DLLNamePattern Some environments may use custom or non-standard DLL naming conventions for print processors. Allowlist known values.
SignedImageValidation Check Authenticode signature and issuer chain for loaded DLLs to reduce false positives.
ServiceRestartTrigger Monitor for spoolsv.exe restart events that trigger malicious print processor loading.