Suspicious Print Processor Driver Registry Modification

Rule Info

Name: Suspicious Print Processor Driver Registry Modification
Author: X__Junior
Description: Detects modifications to Windows Print Processor Driver registry values where the configured DLL is not the default winprint.dll. This may indicate abuse of Print Processors for persistence or privilege escalation, as used by malware such as SprySOCKS.
Date: 2026-06-26 00:00:00
Modified: None
Id: 7934a8e7-7872-4da2-84d3-afd186d6013d
Tags: attack.privilege-escalation attack.persistence attack.t1547.012
Type: Nextron Sigma feed only (private)

Rule History