Abusing Print Executable

 1title: Abusing Print Executable
 2id: bafac3d6-7de9-4dd9-8874-4a1194b493ed
 3status: test
 4description: Attackers can use print.exe for remote file copy
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/Print/
 7    - https://twitter.com/Oddvarmoe/status/985518877076541440
 8author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
 9date: 2020-10-05
10modified: 2022-07-07
11tags:
12    - attack.defense-evasion
13    - attack.t1218
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        Image|endswith: '\print.exe'
20        CommandLine|startswith: 'print'
21        CommandLine|contains|all:
22            - '/D'
23            - '.exe'
24    filter_print:
25        CommandLine|contains: 'print.exe'
26    condition: selection and not filter_print
27falsepositives:
28    - Unknown
29level: medium

References

• Print on LOLBAS

  

  Print.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• x.com

  
  Read More

Related rules

• AddinUtil.EXE Execution From Uncommon Directory
• AgentExecutor PowerShell Execution
• Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
• Arbitrary File Download Via MSOHTMED.EXE
• Arbitrary File Download Via MSPUB.EXE