DCERPC SMB Spoolss Named Pipe

calendar Oct 25, 2022 · attack.lateral_movement attack.t1021.002  ·
Share on: linkedin copy

Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.

Sigma rule (View on GitHub)

 1title: DCERPC SMB Spoolss Named Pipe
 2id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
 3status: test
 4description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
 5references:
 6    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
 7    - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
 8    - https://twitter.com/_dirkjan/status/1309214379003588608
 9author: OTR (Open Threat Research)
10date: 2018/11/28
11modified: 2022/08/11
12tags:
13    - attack.lateral_movement
14    - attack.t1021.002
15logsource:
16    product: windows
17    service: security
18detection:
19    selection:
20        EventID: 5145
21        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
22        RelativeTargetName: spoolss
23    condition: selection
24falsepositives:
25    - 'Domain Controllers acting as printer servers too? :)'
26level: medium

References

  • Hunting in Active Directory: Unconstrained Delegation & Forests Trusts

    During DerbyCon 2018 this past October, my teammates @tifkin_, @enigma0x3 and @harmj0y gave an awesome presentation titled “The Unintended…


    Read More

  • A different way of abusing Zerologon (CVE-2020-1472)

    In August 2020, Microsoft patched CVE-2020-1472 aka Zerologon. This is in my opinion one of the most critical Active Directory vulnerabilities of the past few years, since it allows for instant escalation to Domain Admin without credentials. The most straightforward way to exploit this involves changing the password of a Domain Controller computer account. This is a risky move and could potentially break things in the environment. In this blog we explore a new way to exploit this vulnerability, which though it has a few more prerequisites, is safer to use for security professionals assessing network security. We’ll also dive a bit more into the authentication protocols in Active Directory and how they can be tied in with the Zerologon vulnerability. While this is a different way of exploiting the vulnerability, it does not bypass the mitigations released, so if you have already installed the August 2020 patches, you are also protected from this attack.


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top