SMB Spoolss Name Piped Usage
Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
Sigma rule (View on GitHub)
1title: SMB Spoolss Name Piped Usage
2id: bae2865c-5565-470d-b505-9496c87d0c30
3status: test
4description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
5references:
6 - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
7 - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
8 - https://twitter.com/_dirkjan/status/1309214379003588608
9author: OTR (Open Threat Research), @neu5ron
10date: 2018-11-28
11modified: 2022-10-09
12tags:
13 - attack.lateral-movement
14 - attack.t1021.002
15logsource:
16 product: zeek
17 service: smb_files
18detection:
19 selection:
20 path|endswith: 'IPC$'
21 name: spoolss
22 condition: selection
23falsepositives:
24 - Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too
25level: medium
References
-
During DerbyCon 2018 this past October, my teammates @tifkin_, @enigma0x3 and @harmj0y gave an awesome presentation titled “The Unintended…
Read More -
In August 2020, Microsoft patched CVE-2020-1472 aka Zerologon. This is in my opinion one of the most critical Active Directory vulnerabilities of the past few years, since it allows for instant escalation to Domain Admin without credentials. The most straightforward way to exploit this involves changing the password of a Domain Controller computer account. This is a risky move and could potentially break things in the environment. In this blog we explore a new way to exploit this vulnerability, which though it has a few more prerequisites, is safer to use for security professionals assessing network security. We’ll also dive a bit more into the authentication protocols in Active Directory and how they can be tied in with the Zerologon vulnerability. While this is a different way of exploiting the vulnerability, it does not bypass the mitigations released, so if you have already installed the August 2020 patches, you are also protected from this attack.
Read More
Related rules
- Access To ADMIN$ Network Share
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Copy From Or To Admin Share Or Sysvol Folder
- DCERPC SMB Spoolss Named Pipe