
Added new rule to detect suspicious file dump using print.exe#5881

Open
Securityinbits wants to merge 5 commits into SigmaHQ:master from Securityinbits:new-rule-detect-print-exe

Conversation

@Securityinbits

Summary of the Pull Request

Added new rule Suspicious File Dump Via Print.EXE related to recent SolarWinds WHD active exploitation and observed in Huntress blog

Changelog

new: Suspicious File Dump Via Print.EXE

Example Log Event

N/A

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

Used VS Code sigma plugin to write this new sigma rule

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added labels Rules, Review Needed (The PR requires review), Windows (Pull request add/update windows related rules) on Feb 23, 2026
@swachchhanda000
Collaborator

Hi @Securityinbits,

Thanks for the PR.

The logic looks okay, I have only suggested some metadata changes. Please apply the changes while also fixing the failing pipeline. And if you don't know it already, we recently introduced regression testing for our detection rules, and we rely on EVTX files to validate that rules correctly trigger on expected events. Thus, it would also be nice if you could provide us the EVTX file as well.
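The thread refers to two things the page itself does not show: the rule's selection logic for print.exe and the EVTX-based regression check that expects a rule to fire on known-good events and stay quiet on benign ones. The following Python block is an added example, not the PR's rule and not SigmaHQ's pySigma tooling. It assumes a hypothetical rule body that keys on print.exe invoked with a `/D:` destination switch (the file-copy usage the PR title calls a "file dump"), implements only the Sigma modifiers that rule needs, and runs it over constructed process-creation events in place of the EVTX file, the way a regression harness would.

```python
"""Minimal Sigma-style rule evaluation plus a regression check (added example)."""
from typing import Any, Dict, List, Set, Tuple

Event = Dict[str, str]

# Hypothetical rule body. The PR's YAML is not on the page; this one assumes the
# rule selects print.exe process creations whose command line carries a /D:
# destination, which is print.exe's documented file-copy usage.
RULE: Dict[str, Any] = {
    "title": "Suspicious File Dump Via Print.EXE",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\print.exe",
            "CommandLine|contains": "/d:",
        },
        "condition": "selection",
    },
    "level": "high",
}

# Constructed Sysmon Event ID 1 records, flattened to the field names a Sigma
# process_creation rule selects on. Sample values only, not events from the PR.
SAMPLE_EVENTS: List[Event] = [
    {   # 0: print.exe used with a destination switch -> should fire
        "EventID": "1",
        "Image": r"C:\Windows\System32\print.exe",
        "CommandLine": r"print /D:C:\Users\Public\out.bin C:\Windows\Temp\in.dat",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 1: ordinary print job, no destination switch -> benign
        "EventID": "1",
        "Image": r"C:\Windows\System32\print.exe",
        "CommandLine": r"print C:\Users\alice\report.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # 2: findstr's legitimate /D: option; Image is not print.exe -> benign
        "EventID": "1",
        "Image": r"C:\Windows\System32\findstr.exe",
        "CommandLine": r"findstr /D:C:\logs error *.log",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]


def _match_field(event: Event, key: str, expected: Any) -> bool:
    """Evaluate one `Field|modifier: value` pair; Sigma matching is case-insensitive."""
    field, *mods = key.split("|")
    value = event.get(field, "").lower()
    wanted = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
    if "endswith" in mods:
        hits = [value.endswith(w) for w in wanted]
    elif "startswith" in mods:
        hits = [value.startswith(w) for w in wanted]
    elif "contains" in mods:
        hits = [w in value for w in wanted]
    else:
        hits = [value == w for w in wanted]
    # A list of values is ORed unless the |all modifier is present.
    return all(hits) if "all" in mods else any(hits)


def _match_selection(event: Event, selection: Dict[str, Any]) -> bool:
    """Key/value pairs inside one selection map are ANDed, as in Sigma."""
    return all(_match_field(event, k, v) for k, v in selection.items())


def evaluate(rule: Dict[str, Any], event: Event) -> bool:
    """Support the two condition shapes most simple rules use."""
    det = rule["detection"]
    cond = det["condition"]
    if cond == "selection":
        return _match_selection(event, det["selection"])
    if cond == "selection and not filter":
        return _match_selection(event, det["selection"]) and not _match_selection(event, det["filter"])
    raise ValueError(f"unsupported condition: {cond!r}")


def run_regression(rule: Dict[str, Any], events: List[Event],
                   expected_hits: Set[int]) -> List[Tuple[int, bool, bool]]:
    """Return (event_index, got, expected) for every mismatch; an empty list is a pass.

    This mirrors the EVTX regression idea: the recorded events that the rule
    must fire on are listed up front, and every other event must stay quiet.
    """
    failures = []
    for i, ev in enumerate(events):
        got = evaluate(rule, ev)
        exp = i in expected_hits
        if got != exp:
            failures.append((i, got, exp))
    return failures


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, evaluate(RULE, ev), ev["CommandLine"])
    print("regression:", run_regression(RULE, SAMPLE_EVENTS, {0}) or "pass")
```

Event 2 is there for the false-positive question raised later in the thread: a command line containing `/D:` from a different binary must not trip the rule, so the `Image|endswith` clause is what keeps the selection tight, not the command-line substring alone.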

@swachchhanda000 swachchhanda000 added labels Author Input Required (changes that require information from the original author of the rules), Additional Data Needed on Feb 24, 2026
Thank you for reviewing and the suggestion.

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
@Securityinbits
Author

Securityinbits commented Feb 24, 2026

Thank you @swachchhanda000 for the review and suggestions.

I was not aware of the EVTX file requirement. I will generate the Sysmon EVTX file and upload it here.

@Securityinbits
Author

@swachchhanda000 added regression data with EVTX, JSON and info.yml.

Please check and let me know if anything else is needed.

@swachchhanda000 swachchhanda000 removed labels Author Input Required (changes that require information from the original author of the rules), Additional Data Needed on Mar 3, 2026
@swachchhanda000 swachchhanda000 added this to the Sigma-March-Release milestone Mar 3, 2026
Member

@frack113 frack113 left a comment


LGTM
There shouldn't be any false positives that still use print.exe, right?
