Sensitive File Dump Via PrintEXE
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects the abuse of the Print.exe utility for credential harvesting which involves using Print.Exe to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Process started" AND ( ( PROCESSNAME endswith "\print.exe" OR ORIGINALFILENAME = "Print.EXE" ) AND COMMANDLINE contains "/D" AND COMMANDLINE contains "\config\SAM,\config\SECURITY,\config\SYSTEM,\windows\ntds\ntds.dit" )
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID
Detection
Execution Mode
realtime
Log Sources
Active Directory
Author
@Ayush Anand (Securityinbits)


