Sensitive File Dump Via PrintEXE

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects the abuse of the Print.exe utility for credential harvesting which involves using Print.Exe to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Process started" AND ( ( PROCESSNAME endswith "\print.exe" OR ORIGINALFILENAME = "Print.EXE" ) AND COMMANDLINE contains "/D" AND COMMANDLINE contains "\config\SAM,\config\SECURITY,\config\SYSTEM,\windows\ntds\ntds.dit" ) select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID

Detection

Execution Mode

realtime

Log Sources

Active Directory

Author

@Ayush Anand (Securityinbits)