Find sigma rule
Attack: Boot or Logon Autostart Execution: Print Processors
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe
, during boot.(Citation: Microsoft Intro Print Processors)
Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor
API call with an account that has SeLoadDriverPrivilege
enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\\[CurrentControlSet or ControlSet001]\Control\Print\Environments\\[Windows architecture: e.g., Windows x64]\Print Processors\\[user defined]\Driver
Registry key that points to the DLL.
For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the GetPrintProcessorDirectory
API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020)
The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.
MITRE
Tactic
- persistence
- privilege-escalation
technique
- T1547.012
Test : Print Processors
OS
- windows
Description:
Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors. The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
Note: The test assumes a x64 Windows operating system.
The payload source code is based on a blog post by stmxcsr: https://stmxcsr.com/persistence/print-processor.html
Executor
powershell
Sigma Rule
- registry_set_add_port_monitor.yml (id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e)