atomic-red-team

Idea: Add tests for T1547/012 addition of print processor

Open tbennett6421 opened this issue 3 years ago • 0 comments

Use-cases

I'm unsure if this is the correct template or not. Should this be Idea or Test?

No test exists in the repo to support privesc/persistence via the print processors. This is an important test that can be used to obtain privilege escalation or install an implant for persistence.

Proposal

Ideally we should create a test for the following:

  1. obtaining SeLoadDriverPrivilege and calling AddPrintProcessor to install a print processor
  2. resolving the correct path, and installing a print processor using the registry

References

- https://attack.mitre.org/techniques/T1547/012/
- https://stmxcsr.com/persistence/print-processor.html

Happy to add a test, if/when I have the resources.

tbennett6421, Jun 06 '22 20:06
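
A detection-side companion to the two install paths proposed above, added here as an example; it is not part of the issue or of atomic-red-team's own code. It lists every print processor registered under the `Control\Print\Environments` key described in the T1547.012 reference and marks entries for review. Assumptions: the baseline contains only `winprint.dll`, and the DLLs live under `System32\spool\prtprocs`.

```powershell
# Added example: audit registered print processors (detection aid for T1547.012).
# Run from an elevated PowerShell session on the host being checked.
$envRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
$baseline = @('winprint.dll')   # assumption: known-good set, adjust per environment
$procRoot = Join-Path $env:SystemRoot 'System32\spool\prtprocs'

$findings = foreach ($envKey in Get-ChildItem -Path $envRoot -ErrorAction Stop) {
    $ppKey = Join-Path $envKey.PSPath 'Print Processors'
    if (-not (Test-Path -Path $ppKey)) { continue }

    foreach ($proc in Get-ChildItem -Path $ppKey) {
        $driver = $proc.GetValue('Driver')      # DLL the spooler loads for this processor
        if (-not $driver) { continue }

        # Driver is normally a bare file name; a value carrying a path
        # separator is itself worth a closer look.
        $hasPath = $driver -match '[\\/]'
        $leaf    = Split-Path -Path $driver -Leaf
        $file    = Get-ChildItem -Path $procRoot -Recurse -Filter $leaf -File `
                       -ErrorAction SilentlyContinue | Select-Object -First 1
        $sig     = if ($file) {
                       (Get-AuthenticodeSignature -FilePath $file.FullName).Status
                   } else { 'FileNotFound' }
        $known   = $baseline -contains $leaf    # -contains is case-insensitive

        [pscustomobject]@{
            Review      = (-not $known) -or $hasPath -or ("$sig" -ne 'Valid')
            Environment = $envKey.PSChildName
            Name        = $proc.PSChildName
            Driver      = $driver
            Path        = $file.FullName
            Signature   = $sig
            LastWrite   = $file.LastWriteTimeUtc
        }
    }
}

# Entries needing review sort to the top.
$findings | Sort-Object Review -Descending | Format-Table -AutoSize
```

Running it before and after a test for either proposed path shows whether the new registration is visible to a registry-based check.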