Remote Printing Abuse for Lateral Movement

 1title: Remote Printing Abuse for Lateral Movement
 2id: bc3a4b0c-e167-48e1-aa88-b3020950e560
 3status: test
 4description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
 5references:
 6    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
 7    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
 8    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
 9    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md
10    - https://github.com/zeronetworks/rpcfirewall
11    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
12author: Sagie Dulce, Dekel Paz
13date: 2022-01-01
14modified: 2022-01-01
15tags:
16    - attack.lateral-movement
17logsource:
18    product: rpc_firewall
19    category: application
20    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1'
21detection:
22    selection:
23        EventLog: RPCFW
24        EventID: 3
25        InterfaceUuid:
26            - 12345678-1234-abcd-ef00-0123456789ab
27            - 76f03f96-cdfd-44fc-a22c-64950a001209
28            - 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
29            - ae33069b-a2a8-46ee-a235-ddfd339be281
30    condition: selection
31falsepositives:
32    - Actual printing
33level: high

References

• Security Update Guide - Microsoft Security Response Center

  
  Read More

• [MS-RPRN]: Print System Remote Protocol

  

  Specifies the Print System Remote Protocol, which defines the communication of print job processing and print system

  
  Read More

• [MS-PAN]: Print System Asynchronous Notification Protocol

  

  Specifies the [MS-PAN]: Print System Asynchronous Notification Protocol, an asynchronous protocol that clients use to

  
  Read More

• MSRPC-to-ATTACK/documents/MS-RPRN-PAR.md at ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3 · jsecurity101/MSRPC-to-ATTACK

  

  A repository that maps commonly used attacks using MSRPC protocols to ATT&CK - jsecurity101/MSRPC-to-ATTACK

  
  Read More

• GitHub - zeronetworks/rpcfirewall

  

  Contribute to zeronetworks/rpcfirewall development by creating an account on GitHub.

  
  Read More

• Stopping Lateral Movement via the RPC Firewall - Sagie Dulce

  

  RPC Firewall is a free & open source tool, which detects and protects against RPC based attacks used by ransomware for lateral movement and other attacks

  
  Read More

Related rules

• APT31 Judgement Panda Activity
• AWS Console GetSigninToken Potential Abuse
• AWS STS AssumeRole Misuse
• AWS STS GetSessionToken Misuse
• AWS Suspicious SAML Activity