T1547.012 Print Processors
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.
Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor
API call with an account that has SeLoadDriverPrivilege
enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user defined]\Driver
Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory
API call.1 After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.2 The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.
Item | Value |
---|---|
ID | T1547.012 |
Sub-techniques | T1547.001, T1547.002, T1547.003, T1547.004, T1547.005, T1547.006, T1547.007, T1547.008, T1547.009, T1547.010, T1547.012, T1547.013, T1547.014, T1547.015 |
Tactics | TA0003, TA0004 |
Platforms | Windows |
Permissions required | Administrator, SYSTEM |
Version | 1.0 |
Created | 05 October 2020 |
Last Modified | 09 October 2020 |
Procedure Examples
ID | Name | Description |
---|---|---|
G1006 | Earth Lusca | Earth Lusca has added the Registry key HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint” /v Driver /d “spool.dll /f to load malware as a Print Processor.4 |
S0666 | Gelsemium | Gelsemium can drop itself in C:\Windows\System32\spool\prtprocs\x64\winprint.dll to be loaded automatically by the spoolsv Windows service.3 |
S0501 | PipeMon | The PipeMon installer has modified the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors to install PipeMon as a Print Processor.2 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1018 | User Account Management | Limit user accounts that can load or unload device drivers by disabling SeLoadDriverPrivilege . |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0027 | Driver | Driver Load |
DS0022 | File | File Creation |
DS0011 | Module | Module Load |
DS0009 | Process | OS API Execution |
DS0024 | Windows Registry | Windows Registry Key Modification |
References
-
Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved October 5, 2020. ↩
-
Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. ↩↩
-
Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. ↩
-
Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. ↩