Potentially Suspicious Execution of Printui

Rule Info

Name
Potentially Suspicious Execution of Printui
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects suspicious execution of printui.exe running from outside its legitimate path, which is highly unusual. This may indicate an attempt at DLL search order hijacking or side-loading.
Date
2025-02-27 00:00:00
Modified
None
Id
1e3bef4b-9d52-4872-b063-c1a5d4542bf2
Tags
attack.defense-evasion attack.t1574
Type
Nextron Sigma feed only (private)

Rule History