Detectionmediumtest

SMB Spoolss Name Piped Usage

Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

OTR (Open Threat Research)Created Wed Nov 28Updated Sun Oct 09bae2865c-5565-470d-b505-9496c87d0c30network

Log Source

Zeek (Bro)smb_files

ProductZeek (Bro)← raw: zeek

Servicesmb_files← raw: smb_files

Detection Logic

detection:
    selection:
        path|endswith: 'IPC$'
        name: spoolss
    condition: selection

False Positives

Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too

References

MITRE ATT&CK

Tactics

TA0008 · Lateral Movement

Sub-techniques

T1021.002 · SMB/Windows Admin Shares

Rule Metadata

Rule ID

bae2865c-5565-470d-b505-9496c87d0c30

Status

test

Level

medium

Type

Detection

Created

Wed Nov 28

Modified

Sun Oct 09

Author

OTR (Open Threat Research)

Path

rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml

Raw Tags

attack.lateral-movementattack.t1021.002

View on GitHub