Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Remote Printing Abuse for Lateral Movement

Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Sagie Dulce, Dekel PazCreated Sat Jan 01bc3a4b0c-e167-48e1-aa88-b3020950e560application
Log Source
rpc_firewallapplication
Productrpc_firewall← raw: rpc_firewall
Categoryapplication← raw: application

Definition

Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1

Detection Logic
Detection Logic1 selector
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid:
            - 12345678-1234-abcd-ef00-0123456789ab
            - 76f03f96-cdfd-44fc-a22c-64950a001209
            - 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
            - ae33069b-a2a8-46ee-a235-ddfd339be281
    condition: selection
False Positives

Actual printing

References
1
Resolving title…
msrc.microsoft.com
2
Resolving title…
learn.microsoft.com
3
Resolving title…
learn.microsoft.com
4
Resolving title…
github.com
5
Resolving title…
github.com
6
Resolving title…
zeronetworks.com
MITRE ATT&CK
Rule Metadata
Rule ID
bc3a4b0c-e167-48e1-aa88-b3020950e560
Status
test
Level
high
Type
Detection
Created
Sat Jan 01
Author
Sagie Dulce, Dekel Paz
Path
rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
Raw Tags
attack.lateral-movement
View on GitHub