Detect Print Processors in CrowdStrike LogScale
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding a Registry key under HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors with a Driver value pointing to the malicious DLL. The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1547 Boot or Logon Autostart Execution
- Sub-technique
- T1547.012 Print Processors
- Canonical reference
- https://attack.mitre.org/techniques/T1547/012/
LogScale Detection Query
// T1547.012 - Print Processor Abuse Detection
// Signal 1: Registry modifications to Print Processor paths
#event_simpleName = "AsepValueUpdate" OR #event_simpleName = "RegistryOperationCreate"
| TargetObjectName = /(?i)Control\\Print\\Environments.*Print Processors/
| eval detection_type = "registry_modification"
| eval dll_known = if(TargetObjectValue = /(?i)(winprint|filterpipelineprintproc|lxkptpc|hpzpp4v5)\.dll/, "true", "false")
| table _time, ComputerName, UserName, #event_simpleName, TargetObjectName, TargetObjectValue, ImageFileName, CommandLine, detection_type, dll_known
| union [
// Signal 2: DLL file creation in print processor spool directory
#event_simpleName = "PeFileWritten"
| TargetDirectoryName = /(?i)\\spool\\prtprocs\\/
| TargetFileName = /(?i)\.dll$/
| eval detection_type = "spool_dll_drop"
| table _time, ComputerName, UserName, #event_simpleName, TargetDirectoryName, TargetFileName, ImageFileName, CommandLine, detection_type
]
| union [
// Signal 3: Suspicious process spawned by spoolsv.exe
#event_simpleName = "ProcessRollup2" OR #event_simpleName = "SyntheticProcessRollup2"
| ParentBaseFileName = "spoolsv.exe"
| FileName != /(?i)(splwow64|PrintIsolationHost|printfilterpipelinesvc|conhost)\.exe$/
| eval detection_type = "spoolsv_child_process"
| table _time, ComputerName, UserName, #event_simpleName, FileName, CommandLine, ParentBaseFileName, SHA256HashData, detection_type
]
| sort(field=_time, order=desc)
| limit 500Detects T1547.012 Print Processor abuse in CrowdStrike Falcon using three LogScale CQL signals unified via union: (1) registry write events targeting the Windows Print Processor configuration path under HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments, (2) PE/DLL file writes into the print processor spool directory, and (3) ProcessRollup2 events where spoolsv.exe spawns unexpected child processes. Results include known-DLL classification to help prioritize alerts.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate printer driver packages for enterprise multifunction printers (MFPs) that register vendor print processors (e.g., hpzpp4v5.dll for HP, lxkptpc.dll for Lexmark) during normal installation
- Windows Print Spooler service updates via Windows Update or WSUS may briefly modify print processor registry entries and restart spoolsv.exe with new child processes
- Remote Desktop Printing or virtual printer drivers (e.g., Microsoft Print to PDF, Citrix Universal Print Driver) that legitimately spawn helper processes from spoolsv.exe
Other platforms for T1547.012
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Print Processor Registry Key Creation
Expected signal: Sysmon Event ID 12: Registry Key Created for TestProcessor_df00tech subkey. Sysmon Event ID 13: Registry Value Set for Driver value with Details=winprint.dll. Security Event ID 4688 with CommandLine containing reg add and the full registry path.
- Test 2DLL Drop in Print Processor Directory
Expected signal: Sysmon Event ID 11: File Create with TargetFilename=C:\Windows\System32\spool\prtprocs\x64\df00tech_test_printproc.dll, Image=cmd.exe. DeviceFileEvents with ActionType=FileCreated in the prtprocs directory.
- Test 3PowerShell Print Processor Registration (Earth Lusca Style)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with full command line. Sysmon Event ID 12: Registry Key Created. Sysmon Event ID 13: Registry Value Set. PowerShell ScriptBlock Log Event ID 4104 capturing the registry manipulation.
- Test 4Enumerate Existing Print Processors for Reconnaissance
Expected signal: Sysmon Event ID 1: Process Create for reg.exe with CommandLine containing reg query and Print Processors path. Security Event ID 4688 with same details. No registry modification events (read-only operation).
References (7)
- https://attack.mitre.org/techniques/T1547/012/
- https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor
- https://learn.microsoft.com/windows-hardware/drivers/print/introduction-to-print-processors
- https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
- https://www.trendmicro.com/en_us/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set
Unlock Pro Content
Get the full detection package for T1547.012 including response playbook, investigation guide, and atomic red team tests.