Description
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.(Citation: Microsoft Intro Print Processors)
Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\\[CurrentControlSet or ControlSet001]\Control\Print\Environments\\[Windows architecture: e.g., Windows x64]\Print Processors\\[user defined]\Driver Registry key that points to the DLL.
For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the GetPrintProcessorDirectory API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020)
The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.
Platforms
Mitigations (1)
User Account ManagementM1018
Limit user accounts that can load or unload device drivers by disabling SeLoadDriverPrivilege.
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has added the Registry key `HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Prin... |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S0666 | Gelsemium | Malware | [Gelsemium](https://attack.mitre.org/software/S0666) can drop itself in <code>C:\Windows\System32\spool\prtprocs\x64\winprint.dll</code> to be loaded ... |
| S0501 | PipeMon | Malware | The [PipeMon](https://attack.mitre.org/software/S0501) installer has modified the Registry key <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Envir... |
References
- Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved October 5, 2020.
- Microsoft. (2023, June 26). Introduction to print processors. Retrieved September 27, 2023.
- Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
Frequently Asked Questions
What is T1547.012 (Print Processors)?
T1547.012 is a MITRE ATT&CK technique named 'Print Processors'. It belongs to the Persistence, Privilege Escalation tactic(s). Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `sp...
How can T1547.012 be detected?
Detection of T1547.012 (Print Processors) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1547.012?
There are 1 documented mitigations for T1547.012. Key mitigations include: User Account Management.
Which threat groups use T1547.012?
Known threat groups using T1547.012 include: Earth Lusca.