From 7bde094ca31ff08aaf4dd4ca8eb0d04da77d9638 Mon Sep 17 00:00:00 2001 From: SanSan-monkey <116366885+sansan-monkey@users.noreply.github.com> Date: Fri, 6 Mar 2026 00:37:02 -0600 Subject: [PATCH 1/3] Create Ntprint.yml for ntprint.exe binary (New LolBin) Added details for ntprint.exe including commands, detection methods, and resources. --- yml/OSBinaries/Ntprint.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 yml/OSBinaries/Ntprint.yml diff --git a/yml/OSBinaries/Ntprint.yml b/yml/OSBinaries/Ntprint.yml new file mode 100644 index 00000000..808273b7 --- /dev/null +++ b/yml/OSBinaries/Ntprint.yml @@ -0,0 +1,25 @@ +--- +Name: ntprint.exe +Description: Is a legitimate Windows system binary that is part of the Windows printing / Point-and-Print driver installation workflow. +Author: SanSan +Created: 2026-03-06 +Commands: + - Command: ntprint.exe PSetupElevatedLegacyPrintDriverInstallW {} + Description: Copy the binary ntprint.exe from C:\Windows\System32\ to another path (e.g C:\Users\user\AppData\) along with the custom ntprint.dll. + Usecase: Execute dll file leverage DLL Search Order Hijacking technique. + Category: Execute + Privileges: Administrator + MitreID: T1574.001 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: DLL +Full_Path: + - Path: C:\Windows\System32\ntprint.exe + - Path: C:\Windows\SysWOW64\ntprint.exe +Detection: + - Sigma: https://github.com/sansan-monkey/hunting-rules/blob/04210f96c12b64cf08e9a704350d68571cdc169e/DefenseEvasion/T1574.001%20NTprint%20dll%20search%20order%20hijacking +Resources: + - Link: https://www.hexacorn.com/blog/2025/10/06/ntprint-exe-lolbin/ +Acknowledgement: + - Person: Adam + Handle: '@hexacorn.bsky.social' From e0e95bce524a6fc66b8371ccded279665a253094 Mon Sep 17 00:00:00 2001 
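Review bot: the Command entry's Description describes the setup step (copying ntprint.exe and a custom ntprint.dll to a path such as C:\Users\user\AppData\) rather than what `ntprint.exe PSetupElevatedLegacyPrintDriverInstallW {}` actually does when run from that location, and the `{}` argument is never explained; the Description should say that running the relocated copy loads the adjacent ntprint.dll (the hijack named in Usecase), and either explain what `{}` stands for or drop it. Related: `Privileges: Administrator` sits oddly beside a user-writable example path; if the hijack works from AppData the value should be User, and if Administrator is genuinely required the Description should say why. Minor: `Description: Is a legitimate Windows system binary ...` lacks a subject (other entries start with "ntprint.exe is ..." or similar), `Usecase: Execute dll file leverage DLL Search Order Hijacking technique` should read "Execute a DLL via DLL search order hijacking", and the Sigma link ends in a directory-looking path with no rule filename, so it is worth pinning to the actual rule file.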
From: SanSan-monkey <116366885+sansan-monkey@users.noreply.github.com> Date: Fri, 6 Mar 2026 08:42:11 -0600 Subject: [PATCH 2/3] Delete yml/OSBinaries/Ntprint.yml --- yml/OSBinaries/Ntprint.yml | 25 ------------------------- 1 file changed, 25 deletions(-) delete mode 100644 yml/OSBinaries/Ntprint.yml diff --git a/yml/OSBinaries/Ntprint.yml b/yml/OSBinaries/Ntprint.yml deleted file mode 100644 index 808273b7..00000000 --- a/yml/OSBinaries/Ntprint.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -Name: ntprint.exe -Description: Is a legitimate Windows system binary that is part of the Windows printing / Point-and-Print driver installation workflow. -Author: SanSan -Created: 2026-03-06 -Commands: - - Command: ntprint.exe PSetupElevatedLegacyPrintDriverInstallW {} - Description: Copy the binary ntprint.exe from C:\Windows\System32\ to another path (e.g C:\Users\user\AppData\) along with the custom ntprint.dll. - Usecase: Execute dll file leverage DLL Search Order Hijacking technique. - Category: Execute - Privileges: Administrator - MitreID: T1574.001 - OperatingSystem: Windows 10, Windows 11 - Tags: - - Execute: DLL -Full_Path: - - Path: C:\Windows\System32\ntprint.exe - - Path: C:\Windows\SysWOW64\ntprint.exe -Detection: - - Sigma: https://github.com/sansan-monkey/hunting-rules/blob/04210f96c12b64cf08e9a704350d68571cdc169e/DefenseEvasion/T1574.001%20NTprint%20dll%20search%20order%20hijacking -Resources: - - Link: https://www.hexacorn.com/blog/2025/10/06/ntprint-exe-lolbin/ -Acknowledgement: - - Person: Adam - Handle: '@hexacorn.bsky.social' From b30f96d24384e39cb6783875764353916600689c Mon Sep 17 00:00:00 2001 
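Review bot: this patch deletes the yml/OSBinaries/Ntprint.yml that patch 1 created and patch 3 re-creates it with two extra lines; the series should be squashed into a single commit that adds the file once, so the history does not carry a create/delete/create cycle for one 27-line file.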
From: SanSan-monkey <116366885+sansan-monkey@users.noreply.github.com> Date: Fri, 6 Mar 2026 08:54:18 -0600 Subject: [PATCH 3/3] Create Ntprint.yml for ntprint.exe New LolBin Added details for ntprint.exe including commands, detection methods, and resources. --- yml/OSBinaries/Ntprint.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 yml/OSBinaries/Ntprint.yml diff --git a/yml/OSBinaries/Ntprint.yml b/yml/OSBinaries/Ntprint.yml new file mode 100644 index 00000000..4aa83085 --- /dev/null +++ b/yml/OSBinaries/Ntprint.yml @@ -0,0 +1,27 @@ +--- +Name: ntprint.exe +Description: Is a legitimate Windows system binary that is part of the Windows printing / Point-and-Print driver installation workflow. +Author: SanSan +Created: 2026-03-06 +Commands: + - Command: ntprint.exe PSetupElevatedLegacyPrintDriverInstallW {} + Description: Copy the binary ntprint.exe from C:\Windows\System32\ to another path (e.g C:\Users\user\AppData\) along with the custom ntprint.dll. + Usecase: Execute dll file leverage DLL Search Order Hijacking technique. + Category: Execute + Privileges: Administrator + MitreID: T1574.001 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: DLL +Full_Path: + - Path: C:\Windows\System32\ntprint.exe + - Path: C:\Windows\SysWOW64\ntprint.exe +Detection: + - Sigma: https://github.com/sansan-monkey/hunting-rules/blob/04210f96c12b64cf08e9a704350d68571cdc169e/DefenseEvasion/T1574.001%20NTprint%20dll%20search%20order%20hijacking + - IOC: Unsigned DLL load via certoc.exe + - IOC: ntprint.exe running from a different location than the legitimate C:\Windows\System32\ or C:\Windows\SysWOW64\ directories +Resources: + - Link: https://www.hexacorn.com/blog/2025/10/06/ntprint-exe-lolbin/ +Acknowledgement: + - Person: Adam + Handle: '@hexacorn'
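Review bot: the line `- IOC: Unsigned DLL load via certoc.exe` names the wrong binary; this entry is for ntprint.exe, so it should read something like "Unsigned ntprint.dll loaded by ntprint.exe", otherwise the detection guidance points analysts at a different LOLBin. The second IOC (ntprint.exe running outside C:\Windows\System32\ or C:\Windows\SysWOW64\) is fine and matches the Full_Path block. Also, the Handle changed from '@hexacorn.bsky.social' to '@hexacorn' relative to the first version; use whichever form the other Acknowledgement entries use. The Command block is otherwise unchanged from the first version, so the unexplained `{}` argument and the `Privileges: Administrator` value beside a C:\Users\user\AppData\ example path still need resolving here.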