MITRE ATT&CK Technique
Description
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors)

Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the <code>AddPrintProcessor</code> API call with an account that has <code>SeLoadDriverPrivilege</code> enabled. Alternatively, a print processor can be registered to the print spooler service by adding the <code>HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user defined]\Driver</code> Registry key that points to the DLL.

For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, which can be found with the <code>GetPrintProcessorDirectory</code> API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020)

The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.
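A defender-side triage of registry value-set events for the `Driver` key described above, as an added example that is not part of the ATT&CK entry. The event field names (`image`, `target`, `details`), the baseline, the default directory path and the sample events are assumptions constructed for illustration, as is the heuristic that API-based installs are written by `spoolsv.exe` itself.

```python
import ntpath
import re

# Driver value of any print processor, under either control set named in the description.
KEY_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Control\\Print\\Environments"
    r"\\(?P<env>[^\\]+)\\Print Processors\\(?P<name>[^\\]+)\\Driver$",
    re.IGNORECASE,
)
# Assumptions: a per-site baseline, and the directory GetPrintProcessorDirectory
# would return on a default x64 install.
BASELINE = {"winprint.dll"}
PROC_DIR = r"C:\Windows\System32\spool\prtprocs\x64"

def triage(event):
    """Return a finding for a Print Processors Driver write, or None if unrelated."""
    m = KEY_RE.match(event["target"])
    if m is None:
        return None
    dll = event["details"].strip()
    resolved = ntpath.normpath(ntpath.join(PROC_DIR, dll))
    reasons = []
    if ntpath.basename(dll).lower() not in BASELINE:
        reasons.append("DLL not in baseline")
    if ntpath.dirname(resolved).lower() != PROC_DIR.lower():
        reasons.append("not directly in print-processor directory")
    # Assumption: AddPrintProcessor installs are written by the spooler itself,
    # so any other writer suggests a direct registry edit.
    if ntpath.basename(event["image"]).lower() != "spoolsv.exe":
        reasons.append("key written directly, not by spoolsv.exe")
    return {"processor": m["name"], "environment": m["env"],
            "resolved": resolved, "reasons": reasons}

# Constructed sample events (not from the page or any real host).
EVENTS = [
    {"image": r"C:\Windows\System32\spoolsv.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint\Driver",
     "details": "winprint.dll"},
    {"image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\ExampleProc\Driver",
     "details": r"..\..\..\Temp\example.dll"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start",
     "details": "DWORD (0x00000002)"},
]

def findings(events=EVENTS):
    """Triage every event and keep only those with at least one reason."""
    return [r for r in map(triage, events) if r and r["reasons"]]
```

Because the spooler must be restarted before a new processor loads, a flagged write followed by a spooler restart or reboot is the sequence worth correlating.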
Supported Platforms
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-05T13:24:49.780Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may abuse print processors to run malicious DLLs '
'during system boot for persistence and/or privilege '
'escalation. Print processors are DLLs that are loaded by the '
'print spooler service, `spoolsv.exe`, during boot.(Citation: '
'Microsoft Intro Print Processors)\n'
'\n'
'Adversaries may abuse the print spooler service by adding '
'print processors that load malicious DLLs at startup. A print '
'processor can be installed through the '
'<code>AddPrintProcessor</code> API call with an account that '
'has <code>SeLoadDriverPrivilege</code> enabled. '
'Alternatively, a print processor can be registered to the '
'print spooler service by adding the '
'<code>HKLM\\SYSTEM\\\\[CurrentControlSet or '
'ControlSet001]\\Control\\Print\\Environments\\\\[Windows '
'architecture: e.g., Windows x64]\\Print Processors\\\\[user '
'defined]\\Driver</code> Registry key that points to the DLL.\n'
'\n'
'For the malicious print processor to be correctly installed, '
'the payload must be located in the dedicated system '
'print-processor directory, that can be found with the '
'<code>GetPrintProcessorDirectory</code> API call, or '
'referenced via a relative path from this directory.(Citation: '
'Microsoft AddPrintProcessor May 2018) After the print '
'processors are installed, the print spooler service, which '
'starts during boot, must be restarted in order for them to '
'run.(Citation: ESET PipeMon May 2020)\n'
'\n'
'The print spooler service runs under SYSTEM level '
'permissions, therefore print processors installed by an '
'adversary may run under elevated privileges.',
'external_references': [{'external_id': 'T1547.012',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1547/012'},
{'description': 'Microsoft. (2018, May 31). '
'AddPrintProcessor function. '
'Retrieved October 5, 2020.',
'source_name': 'Microsoft AddPrintProcessor May 2018',
'url': 'https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor'},
{'description': 'Microsoft. (2023, June 26). '
'Introduction to print processors. '
'Retrieved September 27, 2023.',
'source_name': 'Microsoft Intro Print Processors',
'url': 'https://learn.microsoft.com/windows-hardware/drivers/print/introduction-to-print-processors'},
{'description': 'Tartare, M. et al. (2020, May 21). '
'No “Game over” for the Winnti Group. '
'Retrieved August 24, 2020.',
'source_name': 'ESET PipeMon May 2020',
'url': 'https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/'}],
'id': 'attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:48:35.261Z',
'name': 'Print Processors',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Mathieu Tartare, ESET', 'Tahseen Bin Taj'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.2'}