Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.(Citation: Microsoft Intro Print Processors)
Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the <code>AddPrintProcessor</code> API call with an account that has <code>SeLoadDriverPrivilege</code> enabled. Alternatively, a print processor can be registered to the print spooler service by adding the <code>HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user defined]\Driver</code> Registry key that points to the DLL.
For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, which can be found with the <code>GetPrintProcessorDirectory</code> API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020)
The print spooler service runs with SYSTEM-level permissions, so print processors installed by an adversary may run with elevated privileges.
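The two registration points described above (the per-processor <code>Driver</code> value under <code>Print Processors</code> and the requirement that the DLL resolve inside the directory returned by <code>GetPrintProcessorDirectory</code>) give a defender a small, checkable baseline. The following is an added example, not part of the ATT&CK description or any Microsoft tooling: it audits print-processor registry values that have already been collected from a host (the sample values below are constructed) and flags any processor that is not in a known-good baseline or whose <code>Driver</code> value resolves outside the print-processor directory. The baseline (only <code>winprint</code> / <code>winprint.dll</code>) and the x64 directory path are assumptions to adjust per environment; the function and field names are the example's own.

```python
"""Offline audit of collected Print Processors registry values (added example)."""
import ntpath
from dataclasses import dataclass, field

# Assumption: the only print processor shipped with Windows is "winprint" (winprint.dll).
# Extend this baseline with any processors legitimately installed in your environment.
KNOWN_PROCESSORS = {"winprint": "winprint.dll"}

# Assumption: the directory GetPrintProcessorDirectory returns on an x64 host.
PRINT_PROCESSOR_DIR = r"C:\Windows\System32\spool\prtprocs\x64"

# Constructed sample: registry value path -> Driver value, as collected from a host.
SAMPLE_REGISTRY = {
    r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint\Driver": "winprint.dll",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\ExampleProc\Driver": "ExampleProc.dll",
    r"HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\winprint\Driver": "winprint.dll",
    r"HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\StageProc\Driver": r"..\..\..\..\Temp\stage.dll",
}


@dataclass
class Finding:
    """One print processor that deviates from the baseline."""
    control_set: str
    environment: str
    processor: str
    driver: str
    resolved_path: str
    reasons: list = field(default_factory=list)


def parse_key(key: str):
    """Split a ...\\Print Processors\\<name>\\Driver path into (control set, environment, name)."""
    parts = key.split("\\")
    idx = parts.index("Print Processors")
    # Layout: HKLM, SYSTEM, <ControlSet>, Control, Print, Environments, <env>, Print Processors, <name>, Driver
    return parts[2], parts[idx - 1], parts[idx + 1]


def resolve_driver_path(base_dir: str, driver: str) -> str:
    """Resolve a Driver value the way the spooler does: relative to the print-processor directory."""
    return ntpath.normpath(ntpath.join(base_dir, driver))


def is_inside_directory(base_dir: str, path: str) -> bool:
    """True if a resolved path stays inside base_dir (case-insensitive, after collapsing '..')."""
    base = ntpath.normcase(ntpath.normpath(base_dir)).rstrip("\\") + "\\"
    return ntpath.normcase(path).startswith(base)


def audit_print_processors(registry, base_dir=PRINT_PROCESSOR_DIR, known=KNOWN_PROCESSORS):
    """Return a Finding for every Driver value that is not in the baseline or escapes base_dir."""
    findings = []
    for key, driver in registry.items():
        if not key.endswith("\\Driver"):
            continue
        control_set, environment, name = parse_key(key)
        resolved = resolve_driver_path(base_dir, driver)
        reasons = []
        expected_dll = known.get(name.lower())
        if expected_dll is None:
            reasons.append("processor name not in baseline")
        elif ntpath.basename(driver).lower() != expected_dll:
            reasons.append(f"baseline processor {name} points at an unexpected DLL")
        if not is_inside_directory(base_dir, resolved):
            reasons.append("driver resolves outside the print-processor directory")
        if reasons:
            findings.append(Finding(control_set, environment, name, driver, resolved, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_print_processors(SAMPLE_REGISTRY):
        print(f"[{f.control_set}] {f.environment} / {f.processor}: {f.driver} -> {f.resolved_path}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Both <code>CurrentControlSet</code> and <code>ControlSet001</code> are walked because the description names either as a valid registration point; a processor present in only one of them is itself worth a closer look. Pair this baseline check with monitoring of <code>AddPrintProcessor</code> calls and of DLL writes into the print-processor directory, since a restart of the spooler is what finally loads the module.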
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-17 | Remote Access | Protects | T1547.012 | Print Processors |
AC-02 | Account Management | Protects | T1547.012 | Print Processors |
AC-03 | Access Enforcement | Protects | T1547.012 | Print Processors |
AC-05 | Separation of Duties | Protects | T1547.012 | Print Processors |
AC-06 | Least Privilege | Protects | T1547.012 | Print Processors |
CM-05 | Access Restrictions for Change | Protects | T1547.012 | Print Processors |
IA-02 | Identification and Authentication (Organizational Users) | Protects | T1547.012 | Print Processors |
SI-04 | System Monitoring | Protects | T1547.012 | Print Processors |