Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors) Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the `AddPrintProcessor` API call with an account that has `SeLoadDriverPrivilege` enabled. Alternatively, a print processor can be registered to the print spooler service by adding the `HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user defined]\Driver` Registry key that points to the DLL. For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, which can be found with the `GetPrintProcessorDirectory` API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.
Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors. The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
Note: The test assumes an x64 Windows operating system.
The payload source code is based on a blog post by stmxcsr: https://stmxcsr.com/persistence/print-processor.html
Supported Platforms: Windows
auto_generated_guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| restart | set to 1 if you want the computer to reboot as part of the test | integer | 0 |
Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

```powershell
if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
net stop spooler
Copy-Item "$PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll" C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
net start spooler
if(#{restart}){
Restart-Computer
}
```
Cleanup Commands:

```powershell
net stop spooler
rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
net start spooler
```
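As an added example for defenders (it is not part of the ATT&CK description or of the Atomic Red Team test above), the following PowerShell audits the registry location and print-processor directory described above for the kind of artefact this test leaves behind: it lists every registered print processor, resolves the DLL its `Driver` value points to, and flags anything that is not the built-in `winprint` processor, is missing on disk, or is not validly signed. It assumes that each `Environments\<architecture>` key carries a `Directory` value naming the subfolder under `%SystemRoot%\System32\spool\prtprocs`; that value is not mentioned on this page, so the script falls back to the `x64` folder the test writes to when it is absent. `Get-PrintProcessorAudit`, its parameters and the `Baseline` list are the example's own choices.

```powershell
# Added audit example (not from the Atomic Red Team test or the ATT&CK text).
# Enumerates registered print processors for every spooler environment and
# reports any that are not the built-in 'winprint' processor, checking whether
# the referenced DLL exists in the print-processor directory and is signed.
#
# Assumption (not stated on the page): each Environments\<arch> key carries a
# 'Directory' value naming the subfolder under %SystemRoot%\System32\spool\prtprocs;
# if it is absent, fall back to the 'x64' folder the test itself uses.

function Get-PrintProcessorAudit {
    [CmdletBinding()]
    param(
        # ControlSet001 is the other hive the ATT&CK text mentions.
        [string]$ControlSet = 'CurrentControlSet',
        # Processor names considered expected; 'winprint' is the Windows default.
        [string[]]$Baseline = @('winprint')
    )

    $envRoot  = "HKLM:\SYSTEM\$ControlSet\Control\Print\Environments"
    $prtprocs = Join-Path $env:SystemRoot 'System32\spool\prtprocs'

    foreach ($envKey in Get-ChildItem -Path $envRoot -ErrorAction SilentlyContinue) {
        $envName = $envKey.PSChildName                      # e.g. 'Windows x64'
        $subDir  = (Get-ItemProperty -Path $envKey.PSPath -ErrorAction SilentlyContinue).Directory
        if (-not $subDir) { $subDir = 'x64' }               # assumption: fall back to the test's folder
        $procDir = Join-Path $prtprocs $subDir

        $ppRoot = "$($envKey.PSPath)\Print Processors"
        foreach ($ppKey in Get-ChildItem -Path $ppRoot -ErrorAction SilentlyContinue) {
            $name   = $ppKey.PSChildName
            $driver = (Get-ItemProperty -Path $ppKey.PSPath -ErrorAction SilentlyContinue).Driver
            # Driver is a bare file name or a path relative to the processor directory.
            $dll    = if ($driver) { Join-Path $procDir $driver } else { $null }
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }

            [pscustomobject]@{
                Environment = $envName
                Processor   = $name
                Driver      = $driver
                DllPath     = $dll
                DllExists   = $exists
                Signature   = $sig
                Suspicious  = ($Baseline -notcontains $name) -or (-not $exists) -or ("$sig" -ne 'Valid')
            }
        }
    }
}

# Show only the findings a responder would look at first.
Get-PrintProcessorAudit | Where-Object Suspicious | Format-Table -AutoSize

# The Atomic test's own success marker; it appears only once the spooler has loaded the DLL.
if (Test-Path 'C:\Users\Public\AtomicTest.txt') {
    Write-Warning 'AtomicTest.txt exists: a print processor DLL has executed under spoolsv.exe'
}
```

Reading these keys needs no elevation, so the audit can run as a scheduled check from a non-administrative account. After the test above is executed, the `AtomicRedTeam` processor shows up with `Signature` of `NotSigned` (or `FileMissing` once the cleanup has removed the DLL but before the key is deleted); for continuous detection, the same key path is the one to watch for registry value-set events and the `prtprocs` folder for new DLL writes.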