T1547.012 Print Processors Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let PrintProcRegPath = @"Control\Print\Environments";
let KnownPrintProcessors = dynamic(["winprint.dll", "filterpipelineprintproc.dll", "lxkptpc.dll", "hpzpp4v5.dll"]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has PrintProcRegPath
| where RegistryKey has "Print Processors"
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend DLLValue = tostring(RegistryValueData)
| extend IsKnown = DLLValue has_any (KnownPrintProcessors)
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, IsKnown
| sort by Timestamp desc;
DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has @"\spool\prtprocs"
| where FileName endswith ".dll"
| where ActionType == "FileCreated"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc;
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "spoolsv.exe"
| where FileName !in~ ("splwow64.exe", "PrintIsolationHost.exe", "printfilterpipelinesvc.exe", "conhost.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, InitiatingProcessFileName
| sort by Timestamp desc

high severity high confidence

Data Sources

Windows Registry: Registry Key Creation Windows Registry: Registry Key Modification File: File Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceFileEvents DeviceProcessEvents

False Positives

Legitimate printer driver installations from vendors (HP, Canon, Lexmark, Xerox) that install custom print processors via AddPrintProcessor API
Print management software (PaperCut, Pharos, Equitrac) that deploys custom print processors for job accounting and watermarking
Windows Update or WSUS deploying updated print processor DLLs as part of printer driver packages
IT administrators manually installing print processors using PowerShell or the Print Management console on print servers

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
  TargetObject="HKLM\\SYSTEM\\*Control\\Print\\Environments\\*Print Processors*"
| eval is_driver_value=if(match(TargetObject, "\\Driver$"), 1, 0)
| eval is_known=if(match(Details, "(winprint|filterpipelineprintproc)\.dll"), 1, 0)
| eval processor_name=replace(TargetObject, ".*Print Processors\\\\(.+?)\\\\.*", "\1")
| table _time, host, User, Image, TargetObject, Details, is_driver_value, is_known, processor_name
| sort - _time
| append
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    TargetFilename="*\\spool\\prtprocs\\*"
    TargetFilename="*.dll"
  | table _time, host, User, Image, TargetFilename
  | sort - _time]
| append
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    ParentImage="*\\spoolsv.exe"
    NOT (Image="*\\splwow64.exe" OR Image="*\\PrintIsolationHost.exe" OR Image="*\\printfilterpipelinesvc.exe")
  | table _time, host, User, Image, CommandLine, ParentImage
  | sort - _time]

high severity high confidence

Data Sources

Windows Registry: Registry Key Modification File: File Creation Process: Process Creation Sysmon Event ID 13 Sysmon Event ID 11 Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate printer driver installations from vendors that register custom print processors during setup
Enterprise print management solutions (PaperCut, Pharos) deploying custom print processors
Windows Update deploying printer driver updates that include print processor DLLs
IT administrators installing print processors on print servers using vendor-provided tools

Elastic Security (EQL)

eql

any where (
  (event.category == "registry" and event.type in ("creation", "change") and
   registry.path like "*Control\\Print\\Environments*Print Processors*") or
  (event.category == "file" and event.type == "creation" and
   file.path like "*\\spool\\prtprocs\\*" and file.name like "*.dll") or
  (event.category == "process" and event.type == "start" and
   process.parent.name == "spoolsv.exe" and
   process.name not in ("splwow64.exe", "PrintIsolationHost.exe", "printfilterpipelinesvc.exe", "conhost.exe"))
)

high severity high confidence

Data Sources

Windows Sysmon Elastic Endpoint Security Windows Security Events

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.file-* logs-endpoint.events.process-* logs-windows.sysmon_operational-*

False Positives

Legitimate printer driver installations from known vendors (HP, Lexmark, Canon) may create DLLs in the prtprocs directory and register registry keys
Windows Update or printer spooler patches may modify Print Processor registry entries during update cycles
Print management software such as PaperCut or PrinterLogic may spawn child processes from spoolsv.exe during print job processing

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  "QIDNAME"(qid) AS event_name,
  sourceip,
  CATEGORYNAME(category) AS category_name,
  "devicehostname" AS hostname,
  "RegistryKey" AS registry_key,
  "RegistryValue" AS registry_value,
  "RegistryValueData" AS registry_data,
  "TargetFilename" AS file_path,
  "Image" AS process_image,
  "ParentImage" AS parent_image,
  "CommandLine" AS command_line
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (SELECT id FROM log_source_types WHERE name ILIKE '%Sysmon%' OR name ILIKE '%Windows%')
  AND starttime > NOW() - 86400000
  AND (
    (qid IN (SELECT id FROM qids WHERE name LIKE '%Registry%')
     AND ("RegistryKey" ILIKE '%Control\\Print\\Environments%'
          AND "RegistryKey" ILIKE '%Print Processors%'))
    OR
    (qid IN (SELECT id FROM qids WHERE name LIKE '%File Create%')
     AND "TargetFilename" ILIKE '%\\spool\\prtprocs\\%'
     AND "TargetFilename" ILIKE '%.dll%')
    OR
    (qid IN (SELECT id FROM qids WHERE name LIKE '%Process%')
     AND "ParentImage" ILIKE '%\\spoolsv.exe'
     AND "Image" NOT ILIKE '%\\splwow64.exe'
     AND "Image" NOT ILIKE '%\\PrintIsolationHost.exe'
     AND "Image" NOT ILIKE '%\\printfilterpipelinesvc.exe'
     AND "Image" NOT ILIKE '%\\conhost.exe')
  )
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

Microsoft Windows Sysmon via QRadar DSM Windows Security Event Log

Required Tables

events

False Positives

Printer driver packages from enterprise print management solutions may register new print processors as part of normal deployment workflows
System administrators performing manual printer driver installation may trigger all three indicators simultaneously during legitimate maintenance
Some antivirus or DLP products inject into the print spooler service and may spawn child processes from spoolsv.exe

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/events")
| json auto
| where EventID in ("1", "11", "12", "13", "14")
| if (EventID == "13" OR EventID == "12",
     if (TargetObject matches "*Control\\Print\\Environments*Print Processors*", "registry_hit", "no_match"),
     if (EventID == "11",
         if (TargetFilename matches "*\\spool\\prtprocs\\*.dll", "file_hit", "no_match"),
         if (EventID == "1",
             if (ParentImage matches "*\\spoolsv.exe"
                 AND !(Image matches "*\\splwow64.exe")
                 AND !(Image matches "*\\PrintIsolationHost.exe")
                 AND !(Image matches "*\\printfilterpipelinesvc.exe")
                 AND !(Image matches "*\\conhost.exe"),
                 "process_hit", "no_match"),
             "no_match"))) as detection_type
| where detection_type != "no_match"
| eval dll_known = if (TargetObject matches "*(winprint|filterpipelineprintproc).dll*", "true", "false")
| eval processor_name = if (EventID == "13", replace(TargetObject, ".*Print Processors\\\\(.+?)\\\\.*", "$1"), "N/A")
| fields _messageTime, Computer, User, EventID, detection_type, TargetObject, Details, TargetFilename, Image, ParentImage, CommandLine, dll_known, processor_name
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Sysmon (via Sumo Logic Sysmon source) Windows Event Logs

Required Tables

_sourceCategory=windows/sysmon

False Positives

Enterprise print server deployments may routinely install custom print processors as part of managed print service contracts
Print monitoring or auditing software may create DLLs in the prtprocs directory during initial setup
Windows printer compatibility layer (splwow64.exe) interactions during 32-bit application print jobs from spoolsv.exe may produce false alerts if filter list is incomplete

Google Chronicle / SecOps

yaral

rule t1547_012_print_processor_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1547.012 - Print Processor abuse for persistence and privilege escalation via registry modification, DLL drops in spool directory, or suspicious spoolsv.exe child processes"
    severity = "HIGH"
    mitre_attack_technique = "T1547.012"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    reference = "https://attack.mitre.org/techniques/T1547/012/"
    created = "2026-04-20"

  events:
    (
      // Signal 1: Registry modification to Print Processors path
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION"
        and re.regex($e.target.registry.registry_key, `(?i)Control\\Print\\Environments.*Print Processors`)
      )
      or
      // Signal 2: DLL created in print processor spool directory
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i)\\spool\\prtprocs\\.*\.dll$`)
      )
      or
      // Signal 3: Unexpected child process from spoolsv.exe
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and $e.principal.process.file.full_path = /(?i)spoolsv\.exe$/
        and not $e.target.process.file.full_path = /(?i)(splwow64|PrintIsolationHost|printfilterpipelinesvc|conhost)\.exe$/
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Event Logs via Chronicle forwarder Sysmon via Chronicle

Required Tables

UDM Events (REGISTRY_MODIFICATION, FILE_CREATION, PROCESS_LAUNCH)

False Positives

Legitimate OEM printer driver installations from vendors such as HP, Canon, or Xerox that include custom print processors registered during driver setup
Enterprise print management platforms (PaperCut MF, Pharos, uniFLOW) that deploy proprietary print processor DLLs across managed endpoints
Windows servicing operations during OS updates that modify or recreate print processor registry entries as part of component store servicing

CrowdStrike LogScale (CQL)

cql

// T1547.012 - Print Processor Abuse Detection
// Signal 1: Registry modifications to Print Processor paths
#event_simpleName = "AsepValueUpdate" OR #event_simpleName = "RegistryOperationCreate"
| TargetObjectName = /(?i)Control\\Print\\Environments.*Print Processors/
| eval detection_type = "registry_modification"
| eval dll_known = if(TargetObjectValue = /(?i)(winprint|filterpipelineprintproc|lxkptpc|hpzpp4v5)\.dll/, "true", "false")
| table _time, ComputerName, UserName, #event_simpleName, TargetObjectName, TargetObjectValue, ImageFileName, CommandLine, detection_type, dll_known

| union [
  // Signal 2: DLL file creation in print processor spool directory
  #event_simpleName = "PeFileWritten"
  | TargetDirectoryName = /(?i)\\spool\\prtprocs\\/
  | TargetFileName = /(?i)\.dll$/
  | eval detection_type = "spool_dll_drop"
  | table _time, ComputerName, UserName, #event_simpleName, TargetDirectoryName, TargetFileName, ImageFileName, CommandLine, detection_type
]

| union [
  // Signal 3: Suspicious process spawned by spoolsv.exe
  #event_simpleName = "ProcessRollup2" OR #event_simpleName = "SyntheticProcessRollup2"
  | ParentBaseFileName = "spoolsv.exe"
  | FileName != /(?i)(splwow64|PrintIsolationHost|printfilterpipelinesvc|conhost)\.exe$/
  | eval detection_type = "spoolsv_child_process"
  | table _time, ComputerName, UserName, #event_simpleName, FileName, CommandLine, ParentBaseFileName, SHA256HashData, detection_type
]

| sort(field=_time, order=desc)
| limit 500

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon Data Replicator (FDR) Falcon Event Stream

Required Tables

AsepValueUpdate RegistryOperationCreate PeFileWritten ProcessRollup2 SyntheticProcessRollup2

False Positives

Legitimate printer driver packages for enterprise multifunction printers (MFPs) that register vendor print processors (e.g., hpzpp4v5.dll for HP, lxkptpc.dll for Lexmark) during normal installation
Windows Print Spooler service updates via Windows Update or WSUS may briefly modify print processor registry entries and restart spoolsv.exe with new child processes
Remote Desktop Printing or virtual printer drivers (e.g., Microsoft Print to PDF, Citrix Universal Print Driver) that legitimately spawn helper processes from spoolsv.exe

Print Processors

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections