SMB Spoolss Name Piped Usage

calendar Oct 9, 2022 · attack.lateral_movement attack.t1021.002  ·
Share on: linkedin copy

Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.

Sigma rule (View on GitHub)

 1title: SMB Spoolss Name Piped Usage
 2id: bae2865c-5565-470d-b505-9496c87d0c30
 3status: test
 4description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
 5references:
 6    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
 7    - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
 8    - https://twitter.com/_dirkjan/status/1309214379003588608
 9author: OTR (Open Threat Research), @neu5ron
10date: 2018/11/28
11modified: 2022/10/09
12tags:
13    - attack.lateral_movement
14    - attack.t1021.002
15logsource:
16    product: zeek
17    service: smb_files
18detection:
19    selection:
20        path|endswith: 'IPC$'
21        name: spoolss
22    condition: selection
23falsepositives:
24    - Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too
25level: medium

References

  • Hunting in Active Directory: Unconstrained Delegation & Forests Trusts

    During DerbyCon 2018 this past October, my teammates @tifkin_, @enigma0x3 and @harmj0y gave an awesome presentation titled “The Unintended…


    Read More

  • A different way of abusing Zerologon (CVE-2020-1472)

    In August 2020, Microsoft patched CVE-2020-1472 aka Zerologon. This is in my opinion one of the most critical Active Directory vulnerabilities of the past few years, since it allows for instant escalation to Domain Admin without credentials. The most straightforward way to exploit this involves changing the password of a Domain Controller computer account. This is a risky move and could potentially break things in the environment. In this blog we explore a new way to exploit this vulnerability, which though it has a few more prerequisites, is safer to use for security professionals assessing network security. We’ll also dive a bit more into the authentication protocols in Active Directory and how they can be tied in with the Zerologon vulnerability. While this is a different way of exploiting the vulnerability, it does not bypass the mitigations released, so if you have already installed the August 2020 patches, you are also protected from this attack.


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top