What starting position does this attack require?

The first step is Drop into printer controller shell (T1059) — a execution primitive. Assumed environment: a Windows-style enterprise network with HP / Lexmark / Xerox MFPs.

What is the final impact of this kill-chain?

The final step lands on Plant implant in firmware / on flash (PRT-WEB-PANEL-RCE), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

PJL / PostScript → printer root → quiet network foothold

PRET-style payloads against TCP/9100 give RCE on the printer's controller. The printer is a stable, EDR-free Linux box trusted by the rest of the network — perfect long-term implant.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Execution

Drop into printer controller shell

T1059 · Command and Scripting Interpreter

Discovery

Enumerate printers on port 9100

N-NMAP-INTERNAL · Internal Nmap Sweep

Execution

Run PRET — PJL FSDOWNLOAD / FSUPLOAD

PRT-PJL-PS-RCE · PJL / PostScript Code Execution

Credential Access

Use printer as pivot to coerce internal hosts

PRT-SMB-REL-CRED · MFP Scan-to-SMB Coerce

Collection

Intercept print jobs (scan-to-pdf, copies)

PRT-PRINT-JOB-INTERCEPT · Print Job Interception

Execution

Plant implant in firmware / on flash

PRT-WEB-PANEL-RCE · Printer Web Panel RCE

§ Context

Assumed environment: a Windows-style enterprise network with HP / Lexmark / Xerox MFPs. Printers reachable on 9100/tcp from the internal foothold. No printer-specific monitoring.

§ Steps

01
Drop into printer controller shellExecution
T1059— Command and Scripting Interpreter
02
Enumerate printers on port 9100Discovery
N-NMAP-INTERNAL— Internal Nmap Sweep
03
Run PRET — PJL FSDOWNLOAD / FSUPLOADExecution
PRT-PJL-PS-RCE— PJL / PostScript Code Execution
04
Use printer as pivot to coerce internal hostsCredential Access
PRT-SMB-REL-CRED— MFP Scan-to-SMB Coerce
05
Intercept print jobs (scan-to-pdf, copies)Collection
PRT-PRINT-JOB-INTERCEPT— Print Job Interception
06
Plant implant in firmware / on flashExecution
PRT-WEB-PANEL-RCE— Printer Web Panel RCE

§ References

T1059Command and Scripting Interpreter

§ Frequently asked

What is the "PJL / PostScript → printer root → quiet network foothold" attack path?: PRET-style payloads against TCP/9100 give RCE on the printer's controller. The printer is a stable, EDR-free Linux box trusted by the rest of the network — perfect long-term implant. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Drop into printer controller shell (T1059) — a execution primitive. Assumed environment: a Windows-style enterprise network with HP / Lexmark / Xerox MFPs.
What is the final impact of this kill-chain?: The final step lands on Plant implant in firmware / on flash (PRT-WEB-PANEL-RCE), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

PJL / PostScript → printer root → quiet network foothold

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

EternalBlue (MS17-010) → SMBv1 wormable spread

Jenkins /script Groovy console → RCE → AD

PMKID attack → offline crack with no client interaction