|T1547.001||Registry Run Keys / Startup Folder|
|T1547.004||Winlogon Helper DLL|
|T1547.005||Security Support Provider|
|T1547.006||Kernel Modules and Extensions|
|T1547.013||XDG Autostart Entries|
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.
Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the
AddPrintProcessor API call with an account that has
SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print
spooler service by adding the
HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user
defined]\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can
be found with the
GetPrintProcessorDirectory API call. After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to
run. The print spooler service
runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.
Earth Lusca has added the Registry key
Gelsemium can drop itself in
The PipeMon installer has modified the Registry key
|M1018||User Account Management||
Limit user accounts that can load or unload device drivers by disabling
|ID||Data Source||Data Component||Detects|
Monitor for unusual kernel driver installation activity that may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
Monitor for newly constructed files that may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
Monitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious. New print processor DLLs are written to the print processor directory.
|DS0009||Process||OS API Execution||
Monitor process API calls to
|DS0024||Windows Registry||Windows Registry Key Modification||
Monitor Registry writes to