PrintBrm ZIP Creation of Extraction

Rule name: PrintBrm ZIP Creation of Extraction
Rule type: Standard
Log sources: Windows
MITRE ATT&CK tags: Command and Control: Ingress Tool Transfer (T1105); Defense Evasion: Hide Artifacts - NTFS File Attributes (T1564.004)
Severity: Critical

About the rule

Rule Type

Standard

Rule Description

This detection identifies the use of PrintBrm.exe (Printer Backup and Restore tool) to create or extract .ZIP files. While PrintBrm.exe is a legitimate Windows utility for backing up and restoring printer settings, adversaries can abuse it to extract malicious ZIP archives or create backups containing payloads, bypassing traditional security controls. This technique can also be used for data exfiltration or staging malware for lateral movement within the network.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Execution → Defense Evasion → Collection → Exfiltration

Impact

  • Data exfiltration
  • Evasion
  • Initial access / Discovery
  • Execution of malicious payloads

Rule Requirement

Prerequisites


Using Windows event viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and navigate to the Advanced Audit Policy Configuration section to enable success auditing for both process creation and termination. To capture command-line details, enable the Include command line in process creation events setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.

Criteria

Action1: actionname = "Process started" AND PROCESSNAME endswith "\PrintBrm.exe" AND (COMMANDLINE contains " -f" AND COMMANDLINE contains ".zip") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
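As an added example that is not part of this rule page, the criteria above re-implemented in Python and run over constructed process-creation events; hostnames, users, paths and the PrintBrm switches in the sample command lines are assumptions for illustration, not values from the page:

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """A normalised 'Process started' event; field names mirror the rule's criteria."""
    hostname: str
    username: str
    processname: str
    commandline: str
    parentprocessname: str


def matches_printbrm_zip_rule(ev: ProcessEvent) -> bool:
    """Rule criteria: PrintBrm.exe started with ' -f' and '.zip' on its command line.
    The comparison is case-insensitive, as Windows paths and typical SIEM string operators are."""
    proc = ev.processname.lower()
    cmd = ev.commandline.lower()
    return proc.endswith("\\printbrm.exe") and " -f" in cmd and ".zip" in cmd


def run_rule(events: list[ProcessEvent]) -> list[dict]:
    """Return the rule's selected fields for every event that triggers it."""
    return [
        {"HOSTNAME": ev.hostname, "USERNAME": ev.username, "PROCESSNAME": ev.processname,
         "COMMANDLINE": ev.commandline, "PARENTPROCESSNAME": ev.parentprocessname}
        for ev in events if matches_printbrm_zip_rule(ev)
    ]


# Constructed sample events (hostnames, users, paths and switches are invented for illustration).
PRINTBRM = "C:\\Windows\\System32\\spool\\tools\\PrintBrm.exe"
SAMPLE_EVENTS = [
    # Routine printer backup to the tool's native .printerExport format: has ' -f' but no '.zip'.
    ProcessEvent("ws01", "CORP\\printadmin", PRINTBRM,
                 "PrintBrm.exe -b -f C:\\backup\\printers.printerExport",
                 "C:\\Windows\\System32\\cmd.exe"),
    # Restore from a .zip launched from a user's PowerShell: the activity the rule is after.
    ProcessEvent("ws02", "CORP\\jdoe", PRINTBRM,
                 "PrintBrm.exe -r -f C:\\Users\\jdoe\\Downloads\\tools.zip -d C:\\Users\\jdoe\\out",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    # A different archiver handling a .zip: the process name does not match, so no alert.
    ProcessEvent("ws03", "CORP\\jdoe", "C:\\Program Files\\7-Zip\\7z.exe",
                 "7z.exe x C:\\Users\\jdoe\\Downloads\\tools.zip -oC:\\Users\\jdoe\\out",
                 "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

Only the second event is returned; the first shows why the rule keys on ".zip" rather than on the -f switch alone, which ordinary printer backups also use.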

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Command and Control: Ingress Tool Transfer (T1105)
Defense Evasion: Hide Artifacts - NTFS File Attributes (T1564.004)

Security Standards

Enabling this rule helps you meet the security standards' requirements listed below:

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.
PR.PS-01: Configuration management practices are established and applied.

When this rule is triggered, you're notified of ZIP file creation or extraction activity using PrintBrm.exe—a legitimate Windows utility that can be abused for data staging or evasion.

Author

frack113

Future actions

Known False Positives

Legitimate system administrators or backup tools may invoke PrintBrm.exe for creating or restoring printer configurations, especially in environments where printer migration or policy-driven device management is common.

Next Steps

When this rule is triggered, the following measures can be implemented:

  • Identification: Review the creation or extraction of .zip files via PrintBrm.exe. Check if this activity was initiated by an authorized administrator.
  • Analysis: Use EDR tools to trace the process tree—verify the parent process of PrintBrm.exe and look for accompanying commands or dropped files.
  • Response: Isolate the endpoint, remove any extracted or dropped payloads, and initiate a full malware scan.
  • Restrict PrintBrm.exe usage: Limit access to PrintBrm.exe to authorized administrators only. Use application control tools to restrict execution to known-safe contexts.

Mitigation

Mitigation ID, name and description:

M1022: Restrict File and Directory Permissions
Adjust read and write permissions for NTFS EA, without disrupting routine OS operations.

M1031: Network Intrusion Prevention
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware, or unusual data transfer over known protocols such as FTP, can be used to mitigate this activity at the network level.