MITRE ATT&CK® Technique

T1547.012: Print Processors

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.[1]

Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows x64]\Print Processors\[user defined]\Driver Registry key that points to the DLL.

For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, which can be found with the GetPrintProcessorDirectory API call, or referenced via a relative path from this directory.[2] After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.[3]

The print spooler service runs under SYSTEM-level permissions; therefore, print processors installed by an adversary may run under elevated privileges.

Domain: Enterprise | ID: T1547.012 | Type: Sub-technique | Object version: 1.2 | Status: Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Print Processors is a Windows persistence and privilege-escalation technique where the print spooler can be made to load a DLL at boot under SYSTEM-level permissions. For leaders, the material issue is not printing itself; it is that a trusted Windows service can become a durable autostart path that survives reboot and complicates containment if account privilege and host-change visibility are weak.

Executive priority

Prioritize this where Windows servers or workstations run the print spooler and where privileged account controls are not tightly governed. The key business questions are: who can enable SeLoadDriverPrivilege, who can change print processor registry paths or files, and can the SOC prove when spoolsv.exe loads unexpected DLLs? This technique is relevant to resilience and audit readiness because it tests least-privilege enforcement, change control, and endpoint telemetry quality for boot-time persistence.

Technical view

Validate coverage on Windows for changes to HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[architecture]\Print Processors\[name]\Driver, creation or modification of DLLs in the system print-processor directory or relative paths from it, and spoolsv.exe service restart or boot-time DLL loading. ATT&CK provides no official detection text for this object, but the relationship to DET0026 indicates a dedicated Windows detection strategy exists for this behavior. Triage should focus on whether the print processor is expected, signed or approved by local policy, recently introduced, and associated with legitimate printer administration activity.

Likely telemetry

  • Windows Registry auditing for Print Processors keys and Driver values under HKLM\SYSTEM control sets
  • File creation and modification events for DLLs in the print-processor directory or paths referenced from that directory
  • Service telemetry for print spooler startup, restart, and boot-time activity
  • Process/module telemetry showing DLLs loaded by spoolsv.exe
  • Privilege and account telemetry related to accounts with SeLoadDriverPrivilege

Detection direction

  • Baseline approved print processors per Windows architecture and alert on new or modified Driver values.
  • Correlate registry changes with DLL creation and a subsequent print spooler restart or system boot.
  • Tune out expected enterprise printer administration, but require evidence of an authorized change ticket or known administrator action.
  • Look for blind spots where endpoint tools do not capture spoolsv.exe module loads, registry value changes, or early boot activity.
  • Use the related DET0026 detection strategy as a validation reference, while confirming local telemetry actually supports it.
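The baseline-and-alert check described above, as an added example that is not part of the Glexia or MITRE text: a PowerShell audit that enumerates the Print Processors registry keys, resolves each Driver value against the architecture's print-processor directory, and flags entries that are outside a constructed baseline, resolve outside that directory, or are missing or unsigned. It assumes that each Environments\<arch> key carries a Directory value naming the prtprocs subfolder, and the baseline (winprint only) is constructed for illustration.

```powershell
# Added example (not MITRE or Glexia code): audit the Print Processors registry keys on the
# local host against a constructed baseline. Run in an elevated PowerShell session.
# Assumption: each Environments\<arch> key has a 'Directory' value naming the subfolder of
# %SystemRoot%\System32\spool\prtprocs that holds that architecture's print processors.

# Constructed baseline: only the built-in Windows print processor is expected by default.
$Baseline = @{ 'winprint' = 'winprint.dll' }

$EnvRoot     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
$PrtProcRoot = Join-Path $env:SystemRoot 'System32\spool\prtprocs'

$Findings = foreach ($EnvKey in Get-ChildItem -Path $EnvRoot -ErrorAction SilentlyContinue) {
    $Arch    = $EnvKey.PSChildName
    $ArchDir = (Get-ItemProperty -Path $EnvKey.PSPath).Directory
    $PPKey   = Join-Path $EnvKey.PSPath 'Print Processors'
    if (-not $ArchDir -or -not (Test-Path -Path $PPKey)) { continue }
    $ArchPath = Join-Path $PrtProcRoot $ArchDir

    foreach ($Proc in Get-ChildItem -Path $PPKey) {
        $Name   = $Proc.PSChildName
        $Driver = (Get-ItemProperty -Path $Proc.PSPath).Driver
        # Driver is relative to the print-processor directory; resolve it and check that it
        # did not escape that directory via '..' or an absolute/UNC path.
        $Full      = [IO.Path]::GetFullPath([IO.Path]::Combine($ArchPath, [string]$Driver))
        $InsideDir = $Full.StartsWith($ArchPath + '\', [StringComparison]::OrdinalIgnoreCase)
        $Exists    = Test-Path -LiteralPath $Full -PathType Leaf
        $Sig       = if ($Exists) { (Get-AuthenticodeSignature -FilePath $Full).Status } else { 'FileMissing' }

        $Reasons = @()
        if (-not $Baseline.ContainsKey($Name))  { $Reasons += 'not in baseline' }
        elseif ($Baseline[$Name] -ne $Driver)   { $Reasons += 'Driver value changed' }
        if (-not $InsideDir)                    { $Reasons += 'resolves outside prtprocs directory' }
        if ($Sig -ne 'Valid')                   { $Reasons += "signature: $Sig" }

        [pscustomobject]@{
            Architecture = $Arch
            Name         = $Name
            Driver       = $Driver
            Path         = $Full
            Suspicious   = ($Reasons.Count -gt 0)
            Reasons      = ($Reasons -join '; ')
        }
    }
}

# Suspicious entries first; review them against change records before removing anything.
$Findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run the same audit against the ControlSet001 hive path as well if you need to cover the non-current control set named in the technique description.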

Mitigation priorities

  • Enforce User Account Management and least privilege for accounts that can install or register print processors.
  • Review and tightly limit accounts with SeLoadDriverPrivilege.
  • Apply change-control expectations to print processor registry paths and DLL placement locations.
  • Regularly review privileged account lifecycle, including creation, modification, deactivation, and privilege assignment.
  • During incident response, verify persistence cleanup includes both the registry print processor registration and the referenced DLL location.

Analyst notes and limits

This is a sub-technique of Boot or Logon Autostart Execution and applies to Windows. ATT&CK relationships show use by Earth Lusca and by software entries PipeMon and Gelsemium, but that should be treated as historical technique context rather than proof of current activity in any environment.

The supplied ATT&CK object does not include official detection guidance. Local conclusions require host telemetry, approved print configuration baselines, privilege assignments, and change-management records. Do not assume exposure or compromise solely from the existence of the print spooler or print processors.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1547 | Boot or Logon Autostart Execution | This object is a sub-technique of Boot or Logon Autostart Execution.
Associated objects

Groups, software, and campaigns

Group Enterprise

G1006: Earth Lusca

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.[1]

Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster; however, security researchers assess Earth Lusca's techniques and infrastructure are separate.[1]

Malware Enterprise

S0666: Gelsemium

Gelsemium is a modular malware consisting of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. Gelsemium has been used by the Gelsemium group since at least 2014.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Raw hash: a1805f13d89605c2...
Imported snapshots across ATT&CK releases: 1 (release 19.1, object version 1.2, current bundle)

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Microsoft. (2023, June 26). Introduction to print processors. Retrieved September 27, 2023.
  2. [2] Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved October 5, 2020.
  3. [3] Tartare, M. et al. (2020, May 21). No "Game over" for the Winnti Group. Retrieved August 24, 2020.
  4. [4] mitre-attack T1547.012.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.