MITRE ATT&CK® Analytic

AN0580: Analytic 0580

Detects suspicious registry modifications under `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\*\Driver`, DLL loads by `spoolsv.exe` of non-standard or unsigned modules, and abnormal usage of the `AddMonitor` API by non-installation processes. This pattern often indicates an attempt to persist a malicious DLL via the print monitor mechanism, particularly when correlated with creation of files in `C:\Windows\System32` not tied to known patches or installations.

Domain: Enterprise | ID: AN0580 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it focuses on a Windows persistence pattern involving the print monitor mechanism. For leaders, the practical risk is that a malicious DLL can be made to load through the Print Spooler service, which may allow unwanted code to survive reboots and blend into normal operating system activity. The value of this analytic is not a single alert, but correlation across registry changes, DLL loading by spoolsv.exe, AddMonitor API usage, and unexpected file creation in C:\Windows\System32.

Executive priority

Prioritize this as a Windows endpoint resilience and incident response readiness issue. Security leaders should ask whether the organization can prove visibility into sensitive registry modifications, service-related DLL loading, unsigned or non-standard module loads, and changes to System32 outside approved patching or installation activity. This is also useful compliance evidence for monitoring privileged system changes and validating that endpoint telemetry supports persistence investigations.

Technical view

For SOC, detection engineering, and IR teams, validate telemetry for suspicious modifications under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\*\Driver, DLL loads by spoolsv.exe, abnormal AddMonitor API usage by processes that are not expected installers, and creation of files in C:\Windows\System32 that do not align with known patches or software installations. Because the ATT&CK object provides no separate detection logic and no relationship context, teams should treat this as a detection concept requiring local baselining and correlation rather than a complete rule.

Likely telemetry

  • Windows registry modification events for HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\*\Driver
  • Process and module-load telemetry showing DLLs loaded by spoolsv.exe
  • Code-signing or file reputation metadata for loaded DLLs, especially unsigned or non-standard modules
  • API monitoring or endpoint telemetry capable of identifying AddMonitor usage and the calling process
  • File creation telemetry for C:\Windows\System32

Detection direction

  • Correlate registry changes to print monitor Driver values with subsequent spoolsv.exe DLL loads.
  • Alert more strongly when spoolsv.exe loads non-standard or unsigned modules associated with recently created files.
  • Review AddMonitor API usage from processes that are not recognized installation or administration workflows.
  • Suppress or tune expected activity tied to approved printer software installation, Windows updates, and known patching windows.
  • Validate whether endpoint tooling captures module loads and registry changes with enough fidelity; without both, coverage may be incomplete.
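The correlation described in the bullets above, as an added example that is not part of the ATT&CK object or Glexia's analysis. It assumes Sysmon-style events already parsed into dicts (EventID 13 registry value set, 7 image load, 11 file create); the sample events are constructed, and the ten-minute window is an assumed starting point to be tuned locally.

```python
"""Correlate AN0580 print-monitor persistence indicators over Sysmon-style events.
Added example (not ATT&CK or Glexia code). Assumes dicts carrying Sysmon field names
for EventID 13 (registry value set), 7 (image load) and 11 (file create)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DRIVER_VALUE = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Control\\Print\\Monitors\\[^\\]+\\Driver$",
    re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"
WINDOW = timedelta(minutes=10)  # assumed: registry write -> spoolsv.exe load; tune locally

def correlate(events):
    """Alert when a Monitors\\*\\Driver value names a DLL that spoolsv.exe then loads
    within WINDOW; score rises if the DLL is unsigned or was just created in System32."""
    writes, created, alerts = defaultdict(list), {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["EventID"] == 13 and DRIVER_VALUE.match(e["TargetObject"]):
            writes[e["Details"].lower()].append((ts, e["Image"]))   # DLL named in Driver value
        elif e["EventID"] == 11 and e["TargetFilename"].lower().startswith(SYSTEM32):
            created[e["TargetFilename"].lower().rsplit("\\", 1)[-1]] = ts
        elif e["EventID"] == 7 and e["Image"].lower().endswith("\\spoolsv.exe"):
            name = e["ImageLoaded"].lower().rsplit("\\", 1)[-1]
            for wts, writer in writes.get(name, []):
                if not timedelta(0) <= ts - wts <= WINDOW:
                    continue
                reasons = ["Driver value set, then loaded by spoolsv.exe"]
                if e.get("Signed", "true").lower() != "true":
                    reasons.append("module unsigned")
                if name in created and created[name] <= ts:
                    reasons.append("module newly created in System32")
                alerts.append({"dll": name, "writer": writer,
                               "score": len(reasons), "reasons": reasons})
    return alerts

SPOOLSV = "C:\\Windows\\System32\\spoolsv.exe"
SAMPLE_EVENTS = [  # constructed for illustration, not real telemetry
    {"ts": "2024-05-01T10:00:00", "EventID": 11, "Image": "C:\\Users\\u\\setup.exe",
     "TargetFilename": "C:\\Windows\\System32\\sample_monitor.dll"},
    {"ts": "2024-05-01T10:00:05", "EventID": 13, "Image": "C:\\Users\\u\\setup.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Sample Monitor\\Driver",
     "Details": "sample_monitor.dll"},
    {"ts": "2024-05-01T10:00:09", "EventID": 7, "Image": SPOOLSV, "Signed": "false",
     "ImageLoaded": "C:\\Windows\\System32\\sample_monitor.dll"},
    {"ts": "2024-05-01T11:00:00", "EventID": 7, "Image": SPOOLSV, "Signed": "true",
     "ImageLoaded": "C:\\Windows\\System32\\localspl.dll"},  # routine load, no Driver write
]
```

A routine signed load with no preceding Driver write (the last sample event) produces nothing, which is the suppression the fourth bullet asks for; approved installer paths can be added as an allow-list on the `writer` field.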

Mitigation priorities

  • Confirm least-privilege controls around who can install or modify printer-related components on Windows systems.
  • Restrict and monitor unauthorized system-level changes to print monitor registry locations and C:\Windows\System32.
  • Maintain approved software installation and patch records so detections can separate legitimate administrative changes from suspicious persistence behavior.
  • Ensure endpoint detection and response coverage includes registry, module-load, process, and file-creation telemetry relevant to this analytic.
  • Prepare incident response procedures for validating suspicious spoolsv.exe module loads and related registry/file changes.

Analyst notes and limits

The official description identifies a Windows-focused detection analytic for suspicious print monitor persistence indicators. The strongest defensive use is correlation: registry modification plus DLL load behavior plus abnormal AddMonitor use plus unexpected System32 file creation. No ATT&CK relationship context was supplied, so this take does not infer associated techniques, threat groups, campaigns, or tactics.

Official detection content is not provided, tactics are not specified, and no relationships are supplied. This summary therefore cannot claim a complete detection rule, active exploitation, attribution, impact, or guaranteed coverage. Local environment baselines, approved printer software behavior, and patch/change records are required to make this actionable.

Official MITRE ATT&CK definition

Analytic 0580

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 2382a5f8c383d7b4...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 2382a5f8c383…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0580

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.