diff --git a/yml/OSBinaries/Ntprint.yml b/yml/OSBinaries/Ntprint.yml new file mode 100644 index 00000000..4aa83085 --- /dev/null +++ b/yml/OSBinaries/Ntprint.yml @@ -0,0 +1,27 @@ +--- +Name: ntprint.exe +Description: Is a legitimate Windows system binary that is part of the Windows printing / Point-and-Print driver installation workflow. +Author: SanSan +Created: 2026-03-06 +Commands: + - Command: ntprint.exe PSetupElevatedLegacyPrintDriverInstallW {} + Description: Copy the binary ntprint.exe from C:\Windows\System32\ to another path (e.g C:\Users\user\AppData\) along with the custom ntprint.dll. + Usecase: Execute dll file leverage DLL Search Order Hijacking technique. + Category: Execute + Privileges: Administrator + MitreID: T1574.001 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: DLL +Full_Path: + - Path: C:\Windows\System32\ntprint.exe + - Path: C:\Windows\SysWOW64\ntprint.exe +Detection: + - Sigma: https://github.com/sansan-monkey/hunting-rules/blob/04210f96c12b64cf08e9a704350d68571cdc169e/DefenseEvasion/T1574.001%20NTprint%20dll%20search%20order%20hijacking + - IOC: Unsigned DLL load via certoc.exe + - IOC: ntprint.exe running from a different location than the legitimate C:\Windows\System32\ or C:\Windows\SysWOW64\ directories +Resources: + - Link: https://www.hexacorn.com/blog/2025/10/06/ntprint-exe-lolbin/ +Acknowledgement: + - Person: Adam + Handle: '@hexacorn'
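Review bot: the second Detection IOC names the wrong binary: `- IOC: Unsigned DLL load via certoc.exe` should read `via ntprint.exe`, since every other field in this entry (Name, Command, Full_Path, the third IOC) is about ntprint.exe and the DLL being hijacked is loaded by it, not by certoc.exe. Also reconcile `Privileges: Administrator` with the Command description, which has the operator copy ntprint.exe and the custom ntprint.dll into `C:\Users\user\AppData\`, a user-writable path; if the `PSetupElevatedLegacyPrintDriverInstallW` call runs fine from there without elevation, this should be `User`, and if admin really is required, the description should say why. Two smaller points: the Description line reads `Is a legitimate Windows system binary ...` and should start with the subject (`ntprint.exe is a legitimate ...`), and the Usecase `Execute dll file leverage DLL Search Order Hijacking technique` would be clearer as `Execute a custom DLL via DLL search order hijacking`. Finally, the Sigma link is a `blob/` URL pinned to a commit whose path ends in a directory-style name with no `.yml` extension; please confirm it resolves to the rule file itself rather than a folder, or point it at the rule's own file.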