{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/credential-dumping/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["credential-dumping","credential-access","windows","print.exe"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are leveraging the \u003ccode\u003ePrint.exe\u003c/code\u003e utility, a legitimate Windows command-line tool, to dump sensitive operating system files for credential harvesting. This technique involves using \u003ccode\u003ePrint.exe\u003c/code\u003e to copy files like \u003ccode\u003entds.dit\u003c/code\u003e, \u003ccode\u003eSAM\u003c/code\u003e, \u003ccode\u003eSECURITY\u003c/code\u003e, and \u003ccode\u003eSYSTEM\u003c/code\u003e from their protected Windows directories. These files contain sensitive credential data that can be extracted offline. This activity was observed in relation to the SolarWinds Web Help Desk exploitation in early 2026. Abuse of \u003ccode\u003ePrint.exe\u003c/code\u003e allows attackers to bypass traditional security measures that focus on blocking known malicious executables. This poses a significant risk because the extracted credentials can be used for lateral movement, privilege escalation, and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system, potentially through exploitation of a vulnerability in a web application or via compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eprint.exe\u003c/code\u003e with command-line arguments specifying the source file to copy (e.g., \u003ccode\u003e\\config\\SAM\u003c/code\u003e, \u003ccode\u003e\\windows\\ntds\\ntds.dit\u003c/code\u003e) and the destination path. The \u003ccode\u003e/D\u003c/code\u003e flag is used to designate the destination printer or file.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePrint.exe\u003c/code\u003e copies the targeted sensitive file (e.g., NTDS.DIT, SAM, SECURITY, SYSTEM) from its protected location.\u003c/li\u003e\n\u003cli\u003eThe copied file is typically saved to a location accessible to the attacker, either locally or on a network share.\u003c/li\u003e\n\u003cli\u003eThe attacker uses credential harvesting tools (e.g., \u003ccode\u003esecretsdump.py\u003c/code\u003e from Impacket) to extract user credentials (hashes) from the dumped files.\u003c/li\u003e\n\u003cli\u003eThe attacker cracks the password hashes or uses them directly for pass-the-hash attacks.\u003c/li\u003e\n\u003cli\u003eUsing the harvested credentials, the attacker moves laterally to other systems within the network, escalating privileges as needed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, deployment of ransomware, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to steal domain or local account credentials. These stolen credentials enable unauthorized access to sensitive resources, including critical systems and data. The impact can range from data breaches and financial loss to complete compromise of the affected organization\u0026rsquo;s network. While the scale of past attacks is not stated in the source, similar credential dumping attacks have led to breaches affecting millions of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSensitive File Dump Via Print.EXE\u003c/code\u003e to detect abuse of \u003ccode\u003ePrint.exe\u003c/code\u003e for copying sensitive files (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003eprint.exe\u003c/code\u003e with command-line parameters that include sensitive file paths such as \u003ccode\u003e\\config\\SAM\u003c/code\u003e, \u003ccode\u003e\\config\\SECURITY\u003c/code\u003e, \u003ccode\u003e\\config\\SYSTEM\u003c/code\u003e, or \u003ccode\u003e\\windows\\ntds\\ntds.dit\u003c/code\u003e (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement access controls to restrict access to sensitive files like \u003ccode\u003entds.dit\u003c/code\u003e, \u003ccode\u003eSAM\u003c/code\u003e, \u003ccode\u003eSECURITY\u003c/code\u003e, and \u003ccode\u003eSYSTEM\u003c/code\u003e to only authorized accounts and processes.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eprint.exe\u003c/code\u003e copying files from the \u003ccode\u003e\\config\u003c/code\u003e or \u003ccode\u003e\\windows\\ntds\u003c/code\u003e directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-print-exe-credential-dump/","summary":"Attackers are abusing the legitimate Windows Print.exe utility to copy sensitive files like NTDS.DIT and SAM in order to extract credentials, enabling local or remote credential access.","title":"Print.exe Used to Dump Sensitive Files for Credential Access","url":"https://feed.craftedsignal.io/briefs/2024-01-print-exe-credential-dump/"}],"language":"en","title":"CraftedSignal Threat Feed — Credential-Dumping","version":"https://jsonfeed.org/version/1.1"}