Remote Printing Abuse for Lateral Movement

 1title: Remote Printing Abuse for Lateral Movement
 2id: bc3a4b0c-e167-48e1-aa88-b3020950e560
 3status: test
 4description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
 5references:
 6    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
 7    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
 8    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
 9    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md
10    - https://github.com/zeronetworks/rpcfirewall
11    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
12author: Sagie Dulce, Dekel Paz
13date: 2022-01-01
14tags:
15    - attack.lateral-movement
16logsource:
17    product: rpc_firewall
18    category: application
19    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1'
20detection:
21    selection:
22        EventLog: RPCFW
23        EventID: 3
24        InterfaceUuid:
25            - 12345678-1234-abcd-ef00-0123456789ab
26            - 76f03f96-cdfd-44fc-a22c-64950a001209
27            - 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
28            - ae33069b-a2a8-46ee-a235-ddfd339be281
29    condition: selection
30falsepositives:
31    - Actual printing
32level: high

References

• Security Update Guide - Microsoft Security Response Center

  
  Read More

• [MS-RPRN]: Print System Remote Protocol

  

  Specifies the Print System Remote Protocol, which defines the communication of print job processing and print system

  
  Read More

• [MS-PAN]: Print System Asynchronous Notification Protocol

  

  Specifies the [MS-PAN]: Print System Asynchronous Notification Protocol, an asynchronous protocol that clients use to

  
  Read More

• MSRPC-to-ATTACK/documents/MS-RPRN-PAR.md at ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3 · jonny-jhnson/MSRPC-to-ATTACK

  

  A repository that maps commonly used attacks using MSRPC protocols to ATT&CK - jonny-jhnson/MSRPC-to-ATTACK

  
  Read More

• GitHub - zeronetworks/rpcfirewall

  

  Contribute to zeronetworks/rpcfirewall development by creating an account on GitHub.

  
  Read More

• Stopping Lateral Movement via the RPC Firewall - Sagie Dulce

  

  RPC Firewall is a free & open source tool, which detects and protects against RPC based attacks used by ransomware for lateral movement and other attacks

  
  Read More

Related rules

• Mstsc.EXE Execution From Uncommon Parent
• Possible Exploitation of Exchange RCE CVE-2021-42321
• Publicly Accessible RDP Service
• Remote Encrypting File System Abuse
• Remote File Copy