Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0074: Analytic 0074

Correlated registry modifications under Print Processors path, followed by DLL file creation within the system print processor directory, and DLL load by spoolsv.exe. Malicious execution often occurs during service restart or system boot, with SYSTEM-level privileges.

EnterpriseAN0074AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because it describes a high-value Windows persistence/execution pattern around the print spooler: registry changes under the Print Processors path, a DLL appearing in the system print processor directory, and that DLL later being loaded by spoolsv.exe. For leaders, the practical issue is not just malware detection; it is whether the organization can correlate registry, file, process/module-load, service restart, and boot-time evidence well enough to recognize suspicious SYSTEM-level execution through a trusted Windows service.

Executive priority

Prioritize this as a validation point for Windows endpoint visibility and incident response readiness. Because execution may occur during service restart or system boot and can run with SYSTEM-level privileges, gaps in endpoint logging, module-load telemetry, or registry auditing can materially affect containment decisions and audit evidence. Security leaders should ask whether SOC coverage includes correlation across registry modification, DLL creation, and spoolsv.exe loading activity, and whether responders have a tested process for investigating suspicious print spooler behavior without disrupting business printing unnecessarily.

Technical view

For Windows environments, validate the ability to correlate three evidence points from the official analytic description: registry modifications under the Print Processors path, DLL file creation in the system print processor directory, and subsequent DLL load activity by spoolsv.exe. Because the supplied ATT&CK object does not provide a formal detection rule or tactic mapping, teams should treat this as a behavioral analytic pattern rather than a complete detection specification. IR teams should pay particular attention to timing around print spooler service restart and system boot, where the description notes malicious execution often occurs with SYSTEM-level privileges.

Likely telemetry

  • Windows registry modification events for Print Processors-related paths
  • File creation events for DLLs in the system print processor directory
  • Process and module-load telemetry showing DLL loads by spoolsv.exe
  • Service lifecycle or restart events for the print spooler service
  • System boot timing and endpoint event correlation data

Detection direction

  • Validate that telemetry can connect registry modification, DLL creation, and spoolsv.exe DLL load events on the same host within a meaningful time window.
  • Tune for suspicious sequencing rather than any single event alone, because legitimate print processor or driver activity may also modify print-related registry keys and files.
  • Review false positives from approved printer driver installation, print management tools, operating system updates, and administrative maintenance.
  • Confirm whether module-load visibility for spoolsv.exe is collected; without it, the final execution stage described by the analytic may be missed.
  • Include service restart and boot-time correlation, since the supplied description notes execution often occurs during those moments.

Mitigation priorities

  • Maintain disciplined change control for printer driver and print processor changes on Windows systems.
  • Restrict administrative access capable of modifying print processor registry locations or writing DLLs to system print processor directories.
  • Ensure endpoint logging and EDR policies capture registry, file creation, service lifecycle, and module-load evidence needed for this analytic.
  • Baseline approved print-related DLLs and registry entries so SOC and IR teams can distinguish routine administration from suspicious changes.
  • Prepare incident response procedures for investigating spoolsv.exe-related suspicious activity while accounting for business impact to printing services.
Analyst notes and limits

The supplied object is a detection analytic, not a technique description, and it has no supplied relationships or tactic mapping. The strongest defensive value is in coverage validation: can the SOC prove that registry, file, module-load, service restart, and boot-time telemetry are available and correlated for Windows print spooler behavior? Local baselining is important because legitimate print administration can resemble parts of this pattern.

Official detection content was not provided, and no relationship context was supplied. This take therefore does not assert a specific ATT&CK tactic, adversary use, active exploitation, affected non-Windows platforms, or guaranteed detection outcome. Organizations must validate applicability against their own Windows configurations, logging depth, and print administration practices.

Official MITRE ATT&CK definition

Analytic 0074

Correlated registry modifications under Print Processors path, followed by DLL file creation within the system print processor directory, and DLL load by spoolsv.exe. Malicious execution often occurs during service restart or system boot, with SYSTEM-level privileges.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
c9cfcd799e27b717...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle c9cfcd799e27…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0074
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use