Printui lolbas discover

yml/OSBinaries/printui.yml

@@ -0,0 +1,26 @@
+---
+Name: printui.exe
+Description: Malicious dll file load to memory via printui.exe
+Author: 'Yasin Gökhan TAŞKIN'
+Created: 2025-01-12
+Commands:
+  - Command: start "%SystemDrive%"\Windows\System32\printui.exe
+    Description: Detects potential DLL sideloading of "printui.dll". While using legit "printui.exe" it can be abused to attach to an arbitrary process and force load DLL named "printui.dll" from the current directory of execution.
+    Usecase: Execute dll file
+    Category: Execute
+    Privileges: User
+    MitreID: T1574.002
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: DLL
+Full_Path:
+  - Path: C:\Windows\System32\printui.exe
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+  - IOC: Load malicious DLL image
+Resources:
+  - Link: https://www.linkedin.com/pulse/uncovered-lolbas-yasin-g%C3%B6khan-ta%C5%9Fkin-gnpwf/?trackingId=WvE5YmopTtyh%2FuvEPcpyZQ%3D%3D
+  - Link: https://x.com/TaskinYasn/status/1876672639558947213
+Acknowledgement:
+  - Person: Yasin Gökhan TAŞKIN
+    Handle: '@TaskinYasn'