
Insider Threat Matrix™

  • ID: DT005
  • Created: 25th May 2024
  • Updated: 19th June 2024
  • Platform: Windows
  • Contributor: The ITM Team

Print Spooler Service

The spool files can typically be found in the following directory: C:\Windows\System32\spool.

A spool file with a .SPL extension contains the actual print data. This data can be in various formats, including RAW, EMF (Enhanced Metafile), or other printer-specific formats.

The spool file is stored in the spool directory associated with the printer until the print job is completed. Once the print job is finished and successfully printed, the .SPL file is typically deleted.

A job control language file with a .SHD extension contains metadata about the print job, such as document properties, print settings, and information about the account that submitted the print job.

The .SHD file is also stored in the spool directory during the print job's processing. Unlike the .SPL file, the .SHD file can sometimes persist longer, but it is generally deleted after the print job is completed or upon system cleanup.

If the files are not present, it may be possible to use file carving techniques on a disk image to retrieve .SPL and .SHD files. Content and metadata analysis can be conducted to identify timestamps, document names, and user names.
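One way to carve EMF-format page data out of a raw disk image, as an added example that is not part of the ITM entry: it checks only the documented ENHMETAHEADER layout (record type 1, the " EMF" signature at byte 40, total file size at byte 48) and does not attempt to parse the undocumented .SHD metadata. The disk image and the EMF blobs inside it are constructed in the block; nothing here is real print output.

```python
import struct

EMF_SIGNATURE = b" EMF"           # ENHMETAHEADER.dSignature, 0x464D4520 little-endian
EMR_HEADER_TYPE = 1               # ENHMETAHEADER.iType for the leading EMR_HEADER record
SIG_OFFSET = 40                   # dSignature sits 40 bytes into the header
MIN_HEADER = 88                   # smallest valid EMR_HEADER record
MAX_EMF_BYTES = 64 * 1024 * 1024  # sanity bound so a corrupt nBytes cannot swallow the image


def carve_emf(image: bytes):
    """Return a list of (offset, blob) for EMF metafiles found in a raw image.

    The scan anchors on the ' EMF' signature, walks back to the record start,
    validates iType/nSize/nBytes and extracts exactly nBytes. Candidates whose
    declared size runs past the end of the image are skipped (truncated job).
    """
    found = []
    pos = image.find(EMF_SIGNATURE)
    while pos != -1:
        start = pos - SIG_OFFSET
        if start >= 0 and start + 52 <= len(image):
            itype, nsize = struct.unpack_from("<II", image, start)
            nbytes = struct.unpack_from("<I", image, start + 48)[0]
            plausible = (itype == EMR_HEADER_TYPE and nsize >= MIN_HEADER
                         and nsize <= nbytes <= MAX_EMF_BYTES
                         and start + nbytes <= len(image))
            if plausible:
                found.append((start, image[start:start + nbytes]))
                pos = image.find(EMF_SIGNATURE, start + nbytes)  # resume after the blob
                continue
        pos = image.find(EMF_SIGNATURE, pos + 1)
    return found


def make_emf(total_size: int) -> bytes:
    """Build a minimal EMF-shaped blob (constructed test data, not a real page)."""
    header = bytearray(MIN_HEADER)
    struct.pack_into("<II", header, 0, EMR_HEADER_TYPE, MIN_HEADER)  # iType, nSize
    struct.pack_into("<4s", header, SIG_OFFSET, EMF_SIGNATURE)       # dSignature
    struct.pack_into("<II", header, 44, 0x10000, total_size)         # nVersion, nBytes
    return bytes(header) + b"\x00" * (total_size - MIN_HEADER)


# Constructed image: slack, two complete pages, then a page cut off by the end of the image.
SAMPLE_IMAGE = (b"\x00" * 100 + make_emf(200) + b"\xff" * 33
                + make_emf(300) + make_emf(500)[:120])

if __name__ == "__main__":
    for offset, blob in carve_emf(SAMPLE_IMAGE):
        print(f"EMF at offset {offset}: {len(blob)} bytes")
```

Carved blobs can be written out with an .emf extension and opened in any EMF viewer; document names and submitting accounts are not in the EMF data itself and still have to come from the .SHD file.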

Sections

ID | Name | Description
PR013 | Testing Ability to Print | A subject attempts to print a document from a system to identify if this capability is permitted, restricted, or not possible.
ME014 | Printing | A subject has the ability to print documents and other files.
IF006 | Unauthorized Printing of Documents | A subject exfiltrates information by printing it to paper or other physical medium.
IF006.001 | Printing of Documents with Personal Printer | A subject prints a document using a printer they own, physically exfiltrating the information.
IF006.002 | Printing of Documents with Work Printer | A subject prints a document using a printer owned by the organization, with the intent to physically exfiltrate the information.
ME014.001 | External Printing | A subject has the ability to print documents and other files with a printer outside of the organisation's control.
IF002.005 | Exfiltration via Physical Documents | A subject transports physical documents outside of the control of the organization.