mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-10-20 04:15:15 +02:00
printui.exe lolbas Request
@@ -4,7 +4,7 @@ Description: Malicious dll file load to memory via printui.exe
Author: 'Yasin Gökhan TAŞKIN'
Author: 'Yasin Gökhan TAŞKIN'
Created: 2025-01-12
Created: 2025-01-12
Commands:
Commands:
- Command: start "%SystemDrive%"\Windows\System32\printui.exe
- Command: start "%SystemDrive%"\Windows\System32\printui.exe
Description: Detects potential DLL sideloading of "printui.dll". While using legit "printui.exe" it can be abused to attach to an arbitrary process and force load DLL named "printui.dll" from the current directory of execution.
Description: Detects potential DLL sideloading of "printui.dll". While using legit "printui.exe" it can be abused to attach to an arbitrary process and force load DLL named "printui.dll" from the current directory of execution.
Usecase: Execute dll file
Usecase: Execute dll file
Category: Execute
Category: Execute
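Review bot: the quoting on the `Command` line is fragile: `start "%SystemDrive%"\Windows\System32\printui.exe` quotes only the variable and fuses it with the unquoted remainder of the path, and `start` treats a leading quoted argument as the window title, so the reliable form is `start "" "%SystemDrive%\Windows\System32\printui.exe"`. The `Description` under the command also reads as a detection-rule title ("Detects potential DLL sideloading of ...") rather than a description of what the command does, and the claim that it can "attach to an arbitrary process" is not supported by the command shown; suggest stating the behaviour directly, i.e. that printui.exe loads a printui.dll found in its current working directory.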
@@ -17,7 +17,7 @@ Full_Path:
- Path: C:\Windows\System32\printui.exe
- Path: C:\Windows\System32\printui.exe
Detection:
Detection:
- Sigma: https:https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
- Sigma: https:https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
- IOC: Load malicious DLL image
- IOC: Load malicious DLL image
Resources:
Resources:
- Link: https:https://www.linkedin.com/pulse/uncovered-lolbas-yasin-g%C3%B6khan-ta%C5%9Fkin-gnpwf/?trackingId=WvE5YmopTtyh%2FuvEPcpyZQ%3D%3D
- Link: https:https://www.linkedin.com/pulse/uncovered-lolbas-yasin-g%C3%B6khan-ta%C5%9Fkin-gnpwf/?trackingId=WvE5YmopTtyh%2FuvEPcpyZQ%3D%3D
Acknowledgement:
Acknowledgement:
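Review bot: both URLs in this hunk carry a doubled scheme (`https:https://github.com/SigmaHQ/...` and `https:https://www.linkedin.com/...`) and will not resolve as written; drop the leading `https:` on each, and strip the `?trackingId=...` query string from the LinkedIn link since it is a per-visitor tracking token rather than part of the resource. The `IOC` entry "Load malicious DLL image" is too generic to act on; state the observable, i.e. printui.exe loading an image named printui.dll from a path other than C:\Windows\System32, which is also what the referenced Sigma rule keys on. The `Acknowledgement:` key is left empty although an author is named in the header; either fill it in or remove the empty key so the YAML stays consistent with the other entries.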