T1547.012
Print Processors
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot. (Citation: Microsoft Intro Print Processors) Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the <code>AddPrintProcessor</code> API call with an account that has <code>...
Windows
8 Detections
2 Sources
1 Threat Actor
BY SOURCE
7 splunk_escu, 1 elastic
PROCEDURES (5)
Registry: 2 detections
Service: 2 detections
Unusual: 2 detections
Suspicious: 1 detection
Service: 1 detection
THREAT ACTORS (1)
DETECTIONS (8)
Potential Port Monitor or Print Processor Registration Abuse (elastic, medium)
Print Processor Registry Autostart (splunk_escu)
Print Spooler Adding A Printer Driver (splunk_escu)
Print Spooler Failed to Load a Plug-in (splunk_escu)
Spoolsv Spawning Rundll32 (splunk_escu)
Spoolsv Suspicious Loaded Modules (splunk_escu)
Spoolsv Writing a DLL (splunk_escu)
Spoolsv Writing a DLL - Sysmon (splunk_escu)