Sensitive File Dump Via Print.EXE

Rule Info

Name: Sensitive File Dump Via Print.EXE
Author: Ayush Anand (Securityinbits)
Description: Detects abuse of the Print.exe utility for credential harvesting, in which Print.exe is used to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM from the Windows directory in order to extract credentials, locally or remotely.
Date: 2026-04-28 00:00:00
Modified: None
Id: 2fcda7e2-8c57-4904-86ac-37fc3157e09d
Tags: attack.credential-access attack.stealth attack.t1003.003 attack.t1003.002 attack.t1218
Type: Community Rule

Rule History

Author: Nasreddine Bencherchali
Title: Merge PR #5966 from @nasbench - Update mitre tags to use attack v19
Date: 2026-04-29

Author: Ayush Anand
Title: Merge PR #5881 from @Securityinbits - Add `Sensitive File Dump Via Print.EXE`
Date: 2026-04-28