LOLBAS/yml/OSBinaries/printui.yml

---
Name: printui.exe
Description: Malicious dll file load to memory via printui.exe
Author: 'Yasin Gökhan TAŞKIN'
Created: 2025-01-12
Commands:
  - Command: start "%SystemDrive%"\Windows\System32\printui.exe
    Description: Detects potential DLL sideloading of "printui.dll". While using legit "printui.exe" it can be abused to attach to an arbitrary process and force load DLL named "printui.dll" from the current directory of execution.
    Usecase: Execute dll file
    Category: Execute
    Privileges: User
    MitreID: T1574.002
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    Tags:
      - Execute: DLL
Full_Path:
  - Path: C:\Windows\System32\printui.exe
Detection:
  - Sigma: https:https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
  - IOC: Load malicious DLL image
Resources:
  - Link: https:https://www.linkedin.com/pulse/uncovered-lolbas-yasin-g%C3%B6khan-ta%C5%9Fkin-gnpwf/?trackingId=WvE5YmopTtyh%2FuvEPcpyZQ%3D%3D
Acknowledgement:
  - Person: Yasin Gökhan TAŞKIN
    Handle: '@TaskinYasn'
printui.exe lolbas request 2025-01-12 00:30:56 +01:00			`---`
			`Name: printui.exe`
			`Description: Malicious dll file load to memory via printui.exe`
			`Author: 'Yasin Gökhan TAŞKIN'`
			`Created: 2025-01-12`
			`Commands:`
printui.exe lolbas Requestt 2025-01-12 00:45:15 +01:00			`- Command: start "%SystemDrive%"\Windows\System32\printui.exe`
printui.exe lolbas request 2025-01-12 00:30:56 +01:00			`Description: Detects potential DLL sideloading of "printui.dll". While using legit "printui.exe" it can be abused to attach to an arbitrary process and force load DLL named "printui.dll" from the current directory of execution.`
			`Usecase: Execute dll file`
			`Category: Execute`
			`Privileges: User`
			`MitreID: T1574.002`
			`OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11`
			`Tags:`
			`- Execute: DLL`
			`Full_Path:`
			`- Path: C:\Windows\System32\printui.exe`
			`Detection:`
			`- Sigma: https:https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml`
printui.exe lolbas Requestt 2025-01-12 00:45:15 +01:00			`- IOC: Load malicious DLL image`
printui.exe lolbas request 2025-01-12 00:30:56 +01:00			`Resources:`
			`- Link: https:https://www.linkedin.com/pulse/uncovered-lolbas-yasin-g%C3%B6khan-ta%C5%9Fkin-gnpwf/?trackingId=WvE5YmopTtyh%2FuvEPcpyZQ%3D%3D`
			`Acknowledgement:`
			`- Person: Yasin Gökhan TAŞKIN`
			`Handle: '@TaskinYasn'`