Detectionmediumtest
DCERPC SMB Spoolss Named Pipe
Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
OTR (Open Threat Research)Created Wed Nov 28Updated Thu Aug 11214e8f95-100a-4e04-bb31-ef6cba8ce07ewindows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic1 selector
detection:
selection:
EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName: spoolss
condition: selectionFalse Positives
Domain Controllers acting as printer servers too? :)
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
214e8f95-100a-4e04-bb31-ef6cba8ce07e
Status
test
Level
medium
Type
Detection
Created
Wed Nov 28
Modified
Thu Aug 11
Path
rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml
Raw Tags
attack.lateral-movementattack.t1021.002