Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Sensitive File Dump Via Print.EXE

Detects the abuse of the Print.exe utility for credential harvesting which involves using Print.Exe to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM from the Windows directory in order to extract credentials, locally or remotely.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Ayush Anand (Securityinbits)Created Tue Apr 282fcda7e2-8c57-4904-86ac-37fc3157e09dwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith: '\print.exe'
        - OriginalFileName: 'Print.EXE'
    selection_cli:
        CommandLine|contains|windash: '/D'
        CommandLine|contains:
            - '\config\SAM'
            - '\config\SECURITY'
            - '\config\SYSTEM'
            - '\windows\ntds\ntds.dit'
    condition: all of selection_*
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
microsoft.com
2
Resolving title…
huntress.com
3
Resolving title…
lolbas-project.github.io
Testing & Validation

Regression Tests

by Ayush Anand (Securityinbits)
Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Rule Metadata
Rule ID
2fcda7e2-8c57-4904-86ac-37fc3157e09d
Status
test
Level
high
Type
Detection
Created
Tue Apr 28
Author
Ayush Anand (Securityinbits)
Path
rules/windows/process_creation/proc_creation_win_print_dump_sensitive_files.yml
Raw Tags
attack.credential-accessattack.t1003.003attack.t1003.002attack.defense-evasionattack.t1218
View on GitHub