From ea6d60c58f82cf1244de4e0d90fa4d47ca954f60 Mon Sep 17 00:00:00 2001
From: Furkan CALISKAN
Date: Mon, 5 Oct 2020 23:26:57 +0300
Subject: [PATCH] Added print lolbin
---
 .../process_creation/win_susp_print.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_print.yml
diff --git a/rules/windows/process_creation/win_susp_print.yml b/rules/windows/process_creation/win_susp_print.yml
new file mode 100644
index 000000000..c15c0c434
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_print.yml
@@ -0,0 +1,28 @@
+title: Abusing Print Executable
+id: bafac3d6-7de9-4dd9-8874-4a1194b493ed
+description: Attackers can use print.exe for remote file copy
+author: 'Furkan CALISKAN, @caliskanfurkan_, OSCD Community'
+status: experimental
+date: 10/05/2020
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Print.yml
+ - https://twitter.com/Oddvarmoe/status/985518877076541440
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith:
+ - \print.exe
+ CommandLine|contains:
+ - .exe
+ selection2:
+ CommandLine|contains:
+ - /D
+ condition: selection1 and selection2
+falsepositives:
+ - Unknown
+level: medium
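Review bot: `date: 10/05/2020` does not follow the `YYYY/MM/DD` form the Sigma specification requires for the `date` field, so the rule should read `date: 2020/10/05`; the usual rule-format checks will reject the current value. The `CommandLine|contains: - .exe` clause in `selection1` adds almost no selectivity, because the command line of a print.exe invocation normally contains the binary name itself, so the two selections can be collapsed into one that keys on the image plus the destination switch, e.g. `Image|endswith: '\print.exe'` and `CommandLine|contains: '/D:'` with `condition: selection`. The description speaks of "remote file copy", which maps to T1105 (Ingress Tool Transfer) rather than the T1218 proxy-execution tag used here; consider adding `attack.t1105` if the LOLBAS reference confirms that mapping. `falsepositives: - Unknown` could instead name the legitimate case — administrators or scripts redirecting a print job to a device or file with `/D:` — so analysts know what to tune against.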