
Summary
This rule detects abuse of the Print.exe utility to perform credential dumping by copying sensitive Windows security databases. It targets Windows process_creation events where the process image is Print.EXE and the original file name matches Print.EXE, combined with command line indicators that Print.exe is copying sensitive files from the Windows directory, such as ntds.dit (the Active Directory database) or the SECURITY, SAM, or SYSTEM registry hives. The detection requires both conditions: (1) a Print.exe process, and (2) a command line that references one of these protected files (e.g., paths such as \config\SAM, \config\SECURITY, \config\SYSTEM, or \windows\ntds\ntds.dit).

This pattern aligns with credential-access activity, specifically credential dumping. The rule is marked as high severity and is intended to catch local or remote credential harvesting attempts that abuse Print.exe to exfiltrate sensitive data. It is classed under attack.credential-access and maps to the relevant MITRE ATT&CK techniques (e.g., NTDS and SAM credential dumping). False positives are considered unlikely, since there is little legitimate reason to use Print.exe on these files, though legitimate administrative tasks should still be weighed during contextual analysis. The rule complements broader endpoint monitoring by flagging unusual Print.exe usage in conjunction with attempts to access these sensitive files.
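As an added illustration, not code from this rule page, the following Python applies the two-condition check described above to constructed process_creation records. The Sysmon-style field names (Image, OriginalFileName, CommandLine) and the sample events are assumptions; the path markers are those named in the summary.

```python
from typing import Dict, List

# Command-line markers named in the rule summary. Matched case-insensitively,
# since Sigma "contains" and Windows paths are both case-insensitive.
SENSITIVE_PATH_MARKERS = (
    r"\config\sam",
    r"\config\security",
    r"\config\system",   # caveat: also a prefix of the legitimate \config\systemprofile path
    r"\windows\ntds\ntds.dit",
)


def detect_print_exe_credential_dump(event: Dict[str, str]) -> bool:
    """True when a process_creation record satisfies both rule conditions."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # Condition 1: the process is Print.exe (image name and PE original file name).
    if not (image.endswith("\\print.exe") and original == "print.exe"):
        return False
    # Condition 2: the command line references one of the protected files.
    return any(marker in cmdline for marker in SENSITIVE_PATH_MARKERS)


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of records that would raise this alert."""
    return [e for e in events if detect_print_exe_credential_dump(e)]


# Constructed sample records (assumed Sysmon Event ID 1 field names, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\print.exe", "OriginalFileName": "PRINT.EXE",
     "CommandLine": r"print /D:C:\Users\Public\out.dat C:\Windows\System32\config\SAM"},
    {"Image": r"C:\Windows\System32\print.exe", "OriginalFileName": "PRINT.EXE",
     "CommandLine": r"print /D:\\fileserver\share\ntds.bak C:\Windows\NTDS\ntds.dit"},
    # Benign print job: Print.exe process, but no protected file on the command line.
    {"Image": r"C:\Windows\System32\print.exe", "OriginalFileName": "PRINT.EXE",
     "CommandLine": r"print /D:LPT1 C:\Users\alice\report.txt"},
    # Protected path but a different process: outside this rule's scope.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd /c type C:\Windows\System32\config\SYSTEM"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```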
Categories
- Windows
- Endpoint
Data Sources
- Image
- Process
- File
Created: 2026-04-28