Boot or Logon Autostart Execution: Print Processors
Other sub-techniques of Boot or Logon Autostart Execution (15)
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.
Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor
API call with an account that has SeLoadDriverPrivilege
enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\\[CurrentControlSet or ControlSet001]\Control\Print\Environments\\[Windows architecture: e.g., Windows x64]\Print Processors\\[user defined]\Driver
Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory
API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.
Procedure Examples |
|
Name | Description |
---|---|
Gelsemium |
Gelsemium can drop itself in |
Earth Lusca |
Earth Lusca has added the Registry key `HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint” /v Driver /d “spool.dll /f` to load malware as a Print Processor.(Citation: TrendMicro EarthLusca 2022) |
PipeMon |
The PipeMon installer has modified the Registry key |
Mitigations |
|
Mitigation | Description |
---|---|
User Account Management |
Manage the creation, modification, use, and permissions associated to user accounts. |
Detection
Monitor process API calls to AddPrintProcessor
and GetPrintProcessorDirectory
. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to HKLM\SYSTEM\ControlSet001\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\\Driver
or HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\Driver
as they pertain to print processor installations.
Monitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious.
References
- Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
- Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved October 5, 2020.
- Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
- Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
Связанные риски
Риск | Связи | |
---|---|---|
Закрепление злоумышленника в ОС
из-за
возможности добавления процессора печати
в ОС Windows
Повышение привилегий
НСД
|
|
|
Повышение привилегий в ОС
из-за
возможности добавления процессора печати
в ОС Windows
Повышение привилегий
Целостность
|
|
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.