blue-team-tools/rules/windows/process_creation/proc_creation_win_susp_print.yml
Nasreddine Bencherchali 8b9307de30 Update selections
2022-07-07 20:55:19 +01:00


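# Sigma rule for Windows process-creation logs. It reports print.exe
# executions whose command line carries a /D switch and an .exe file name,
# the pattern the LOLBAS reference below describes as a file copy.
title: Abusing Print Executable
id: bafac3d6-7de9-4dd9-8874-4a1194b493ed
status: test
description: Attackers can use print.exe for remote file copy
author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Print/
    - https://twitter.com/Oddvarmoe/status/985518877076541440
date: 2020/10/05
modified: 2022/07/07
logsource:
    category: process_creation
    product: windows
detection:
    # Every field inside a selection must match (logical AND).
    selection:
        Image|endswith: '\print.exe'
        # Anchored to the first characters of the command line.
        # NOTE(review): a command line recorded with a leading quote or a
        # full path would not satisfy this anchor; confirm how the log
        # source populates CommandLine before relying on it.
        CommandLine|startswith: 'print'
        # Both substrings are required: the /D switch and an .exe name.
        CommandLine|contains|all:
            - '/D'
            - '.exe'
    # Suppresses any event whose command line contains 'print.exe'.
    # NOTE(review): presumably added so that the '.exe' term above is not
    # satisfied by the binary's own file name; confirm. As written it also
    # suppresses events that name the binary with its extension AND
    # reference another .exe, so coverage depends on how the process was
    # launched. Consider matching on the arguments only, and pair this rule
    # with file-creation telemetry for the written .exe.
    filter_print:
        CommandLine|contains: 'print.exe'
    condition: selection and not filter_print
falsepositives:
    # No known benign sources are listed; tune after baselining print.exe
    # usage in the monitored environment.
    - Unknown
level: medium
tags:
    - attack.defense_evasion
    # MITRE ATT&CK T1218: System Binary Proxy Execution.
    - attack.t1218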