Skip to content

Hide Navigation Hide TOC

Sensitive File Dump Via Print.EXE (2fcda7e2-8c57-4904-86ac-37fc3157e09d)

Detects the abuse of the Print.exe utility for credential harvesting which involves using Print.Exe to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM from the Windows directory in order to extract credentials, locally or remotely.

Cluster A Galaxy A Cluster B Galaxy B Level
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Sensitive File Dump Via Print.EXE (2fcda7e2-8c57-4904-86ac-37fc3157e09d) Sigma-Rules 1
Sensitive File Dump Via Print.EXE (2fcda7e2-8c57-4904-86ac-37fc3157e09d) Sigma-Rules Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 1
Sensitive File Dump Via Print.EXE (2fcda7e2-8c57-4904-86ac-37fc3157e09d) Sigma-Rules NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 1
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2