Abusing Print Executable
Attackers can use print.exe for remote file copy
Sigma rule (View on GitHub)
1title: Abusing Print Executable
2id: bafac3d6-7de9-4dd9-8874-4a1194b493ed
3status: test
4description: Attackers can use print.exe for remote file copy
5references:
6 - https://lolbas-project.github.io/lolbas/Binaries/Print/
7 - https://twitter.com/Oddvarmoe/status/985518877076541440
8author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
9date: 2020/10/05
10modified: 2022/07/07
11tags:
12 - attack.defense_evasion
13 - attack.t1218
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 Image|endswith: '\print.exe'
20 CommandLine|startswith: 'print'
21 CommandLine|contains|all:
22 - '/D'
23 - '.exe'
24 filter_print:
25 CommandLine|contains: 'print.exe'
26 condition: selection and not filter_print
27falsepositives:
28 - Unknown
29level: medium
References
Related rules
- MpiExec Lolbin
- OpenWith.exe Executes Specified Binary
- Suspicious ZipExec Execution
- Application Whitelisting Bypass via Dnx.exe
- Execution via WorkFolders.exe