Sensitive File Dump Via Print.EXE

Original Source: [Sigma source]
Title: Sensitive File Dump Via Print.EXE
Status: test
Description: Detects abuse of the Print.exe utility for credential harvesting, where Print.exe is used to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM out of the Windows directory so that credentials can be extracted from them, locally or remotely.
References:
  - https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/
  - https://www.huntress.com/blog/credential-theft-expanding-your-reach-pt-2
  - https://lolbas-project.github.io/lolbas/Binaries/Print/
Author: Ayush Anand (Securityinbits)
Date: 2026-04-28
Modified: None
Tags:
  - 'attack.credential-access'
  - 'attack.t1003.003'
  - 'attack.t1003.002'
  - 'attack.defense-evasion'
  - 'attack.t1218'
Logsource:
  category: process_creation
  product: windows
Detection:
  selection_img:
    Image|endswith: '\print.exe'
    OriginalFileName: 'Print.EXE'
  selection_cli:
    CommandLine|contains|windash: '/D'
    CommandLine|contains:
      - '\config\SAM'
      - '\config\SECURITY'
      - '\config\SYSTEM'
      - '\windows\ntds\ntds.dit'
  condition: all of selection_*
Falsepositives:
  - Unlikely
Level: high
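The detection block above, re-implemented in Python as an added example (not code from the rule author or the Sigma project) and run over constructed Sysmon-style process-creation events. Sigma's string matching is case-insensitive and `windash` expands the `/` in `/D` to every Windows dash variant; both behaviours are reproduced in the helpers, and the sample events, process IDs and paths are constructed for the demonstration.

```python
# Sigma `windash` variants: '-', '/', en dash, em dash, horizontal bar
WINDASH = "-/\u2013\u2014\u2015"

# Path fragments from the rule's CommandLine|contains list
SENSITIVE_PATHS = ("\\config\\SAM", "\\config\\SECURITY", "\\config\\SYSTEM",
                   "\\windows\\ntds\\ntds.dit")


def windash_variants(value):
    """Expand every '/' in value into all dash variants (Sigma `windash`)."""
    return {value.replace("/", d) for d in WINDASH}


def selection_img(event):
    """Keys of a Sigma map are ANDed: print.exe by both image path and PE name.
    Sigma string matching is case-insensitive, so both sides are lowercased."""
    return (event.get("Image", "").lower().endswith("\\print.exe")
            and event.get("OriginalFileName", "").lower() == "print.exe")


def selection_cli(event):
    """'/D' in any dash form plus one sensitive hive or ntds path on the command line."""
    cmd = event.get("CommandLine", "").lower()
    has_dest_switch = any(v.lower() in cmd for v in windash_variants("/D"))
    has_sensitive_path = any(p.lower() in cmd for p in SENSITIVE_PATHS)
    return has_dest_switch and has_sensitive_path


def rule_matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry); ProcessId is just a label.
_PRINT = {"Image": "C:\\Windows\\System32\\print.exe", "OriginalFileName": "Print.EXE"}
SAMPLE_EVENTS = [
    {**_PRINT, "ProcessId": 1, "CommandLine": "print.exe /D:C:\\Temp\\s.bak C:\\Windows\\System32\\config\\SAM"},
    {**_PRINT, "ProcessId": 2, "CommandLine": "print.exe \u2013D:C:\\Temp\\n.dit C:\\Windows\\NTDS\\ntds.dit"},
    {**_PRINT, "ProcessId": 3, "CommandLine": "print.exe /D:LPT1 C:\\Users\\alice\\report.txt"},  # normal print job
    {**_PRINT, "ProcessId": 4, "CommandLine": "print.exe C:\\Windows\\System32\\config\\SYSTEM"},  # no /D switch
]


def matching_pids(events):
    """Return the ProcessId of every event the rule would alert on."""
    return [e["ProcessId"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print(matching_pids(SAMPLE_EVENTS))  # [1, 2]
```

Event 2 fires only because of the `windash` expansion (an en dash before `D`); event 4 names a hive but lacks the `/D` destination switch the rule requires, so it does not fire.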