Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.(Citation: Microsoft Intro Print Processors)
Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the <code>AddPrintProcessor</code> API call with an account that has <code>SeLoadDriverPrivilege</code> enabled. Alternatively, a print processor can be registered to the print spooler service by adding the <code>HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user defined]\Driver</code> Registry key that points to the DLL.
For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the <code>GetPrintProcessorDirectory</code> API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020)
The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1547.012 | Print Processors |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1547.012 | Print Processors |
Comments
This diagnostic statement protects against Print Processors through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-05 | Access Restrictions for Change | mitigates | T1547.012 | Print Processors | |
| AC-17 | Remote Access | mitigates | T1547.012 | Print Processors | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1547.012 | Print Processors | |
| SI-04 | System Monitoring | mitigates | T1547.012 | Print Processors | |
| AC-02 | Account Management | mitigates | T1547.012 | Print Processors | |
| AC-03 | Access Enforcement | mitigates | T1547.012 | Print Processors | |
| AC-05 | Separation of Duties | mitigates | T1547.012 | Print Processors | |
| AC-06 | Least Privilege | mitigates | T1547.012 | Print Processors |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1547.012 | Print Processors |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1547.012 | Print Processors |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|