PRT-SMB-REL-CREDCredential Access

MFP Scan-to-SMB Coerce

Point the printer's scan-to-SMB at an attacker host — NetNTLM credentials of the configured scan account hit the attacker, ready to relay.

§ Where this technique fits

PRT-SMB-REL-CRED is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 6 on average.

§ Dossiers chaining this technique

PJL / PostScript → printer root → quiet network foothold
PRET-style payloads against TCP/9100 give RCE on the printer's controller. The printer is a stable, EDR-free Linux box trusted by the rest of the network — perfect long-term implant.
step 6 / 6

§ Where this technique fits

§ Dossiers chaining this technique

PJL / PostScript → printer root → quiet network foothold