T1547.012 Elastic Security · Elastic

Detect Print Processors in Elastic Security

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding a Registry key under HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors with a Driver value pointing to the malicious DLL. The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1547 Boot or Logon Autostart Execution
Sub-technique
T1547.012 Print Processors
Canonical reference
https://attack.mitre.org/techniques/T1547/012/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where (
  (event.category == "registry" and event.type in ("creation", "change") and
   registry.path like "*Control\\Print\\Environments*Print Processors*") or
  (event.category == "file" and event.type == "creation" and
   file.path like "*\\spool\\prtprocs\\*" and file.name like "*.dll") or
  (event.category == "process" and event.type == "start" and
   process.parent.name == "spoolsv.exe" and
   process.name not in ("splwow64.exe", "PrintIsolationHost.exe", "printfilterpipelinesvc.exe", "conhost.exe"))
)
high severity high confidence

Detects T1547.012 Print Processor abuse via three signals: (1) registry key creation or modification under the Print Processors path, (2) DLL file creation in the print processor spool directory, and (3) unexpected child processes spawned by spoolsv.exe which loads print processors at boot under SYSTEM context.

Data Sources

Windows SysmonElastic Endpoint SecurityWindows Security Events

Required Tables

logs-endpoint.events.registry-*logs-endpoint.events.file-*logs-endpoint.events.process-*logs-windows.sysmon_operational-*

False Positives & Tuning

  • Legitimate printer driver installations from known vendors (HP, Lexmark, Canon) may create DLLs in the prtprocs directory and register registry keys
  • Windows Update or printer spooler patches may modify Print Processor registry entries during update cycles
  • Print management software such as PaperCut or PrinterLogic may spawn child processes from spoolsv.exe during print job processing
Download portable Sigma rule (.yml)

Other platforms for T1547.012

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Print Processor Registry Key Creation

    Expected signal: Sysmon Event ID 12: Registry Key Created for TestProcessor_df00tech subkey. Sysmon Event ID 13: Registry Value Set for Driver value with Details=winprint.dll. Security Event ID 4688 with CommandLine containing reg add and the full registry path.

  2. Test 2DLL Drop in Print Processor Directory

    Expected signal: Sysmon Event ID 11: File Create with TargetFilename=C:\Windows\System32\spool\prtprocs\x64\df00tech_test_printproc.dll, Image=cmd.exe. DeviceFileEvents with ActionType=FileCreated in the prtprocs directory.

  3. Test 3PowerShell Print Processor Registration (Earth Lusca Style)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with full command line. Sysmon Event ID 12: Registry Key Created. Sysmon Event ID 13: Registry Value Set. PowerShell ScriptBlock Log Event ID 4104 capturing the registry manipulation.

  4. Test 4Enumerate Existing Print Processors for Reconnaissance

    Expected signal: Sysmon Event ID 1: Process Create for reg.exe with CommandLine containing reg query and Print Processors path. Security Event ID 4688 with same details. No registry modification events (read-only operation).

Last updated: 2026-04-20 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1547.012 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1547Boot or Logon Autostart Execution

Related Sub-techniques

T1547.001Registry Run Keys / Startup FolderT1547.002Authentication PackageT1547.003Time ProvidersT1547.004Winlogon Helper DLLT1547.005Security Support ProviderT1547.006Kernel Modules and ExtensionsT1547.007Re-opened ApplicationsT1547.008LSASS DriverT1547.009Shortcut ModificationT1547.010Port MonitorsT1547.013XDG Autostart EntriesT1547.014Active SetupT1547.015Login Items

Related Techniques

T1547Boot or Logon Autostart ExecutionT1547.010Port MonitorsT1574.001DLLT1543.003Windows ServiceT1068Exploitation for Privilege EscalationT1112Modify RegistryT1036Masquerading

Same Tactic: Persistence

Popular Detections