Remote Printing Abuse for Lateral Movement

Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR

Sigma rule (View on GitHub)

 1title: Remote Printing Abuse for Lateral Movement
 2id: bc3a4b0c-e167-48e1-aa88-b3020950e560
 3status: test
 4description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
 5references:
 6    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
 7    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
 8    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
 9    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md
10    - https://github.com/zeronetworks/rpcfirewall
11    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
12author: Sagie Dulce, Dekel Paz
13date: 2022/01/01
14modified: 2022/01/01
15tags:
16    - attack.lateral_movement
17logsource:
18    product: rpc_firewall
19    category: application
20    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1'
21detection:
22    selection:
23        EventLog: RPCFW
24        EventID: 3
25        InterfaceUuid:
26            - 12345678-1234-abcd-ef00-0123456789ab
27            - 76f03f96-cdfd-44fc-a22c-64950a001209
28            - 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
29            - ae33069b-a2a8-46ee-a235-ddfd339be281
30    condition: selection
31falsepositives:
32    - Actual printing
33level: high

References

Related rules

to-top