Sigma rule | Level: medium | Type: Hunting

DCERPC SMB Spoolss Named Pipe

Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spooler service enabled.

MITRE ATT&CK

lateral-movement

Detection Query

selection:
  EventID: 5145
  ShareName: \\\\\*\\IPC$
  RelativeTargetName: spoolss
condition: selection
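To show what this selection actually matches, here is an added example (not part of the rule or the OTR project's code) that implements the three conditions in Python and runs them over a few constructed Security event 5145 records. Two details matter in practice: in the Sigma value the asterisk is escaped (`\*`), so the rule is looking for the literal share name `\\*\IPC$` that Windows writes into 5145 events, not a wildcard; and Sigma string comparison is case-insensitive. The `known_print_servers` allowlist and the `Computer`/`IpAddress` fields in the sample events are assumptions introduced here to illustrate the rule's documented false positive (domain controllers that also act as print servers).

```python
import re

# The ShareName value exactly as it appears in the Sigma rule, with Sigma escaping:
# '\\' is a plain backslash and '\*' is a literal asterisk, so the decoded value
# is the literal string \\*\IPC$ (the form Windows uses in event 5145).
SIGMA_SHARE_VALUE = r"\\\\\*\\IPC$"


def sigma_value_to_regex(value: str) -> re.Pattern:
    """Translate a Sigma string value into a full-match, case-insensitive regex.

    Handles the subset of Sigma escaping needed here: '\\\\' -> literal backslash,
    '\\*' / '\\?' -> literal '*' / '?', and an unescaped '*' or '?' -> wildcard.
    """
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] in "\\*?":
            out.append(re.escape(value[i + 1]))  # escaped: keep the next char literally
            i += 2
        elif ch == "*":
            out.append(".*")  # unescaped wildcard
            i += 1
        elif ch == "?":
            out.append(".")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


SHARE_RE = sigma_value_to_regex(SIGMA_SHARE_VALUE)


def matches_spoolss_selection(event: dict) -> bool:
    """True when a Windows Security event satisfies the rule's 'selection' block."""
    if str(event.get("EventID")) != "5145":
        return False
    if not SHARE_RE.match(str(event.get("ShareName", ""))):
        return False
    # Sigma compares strings case-insensitively, so SPOOLSS also matches.
    return str(event.get("RelativeTargetName", "")).lower() == "spoolss"


def hunt(events, known_print_servers=frozenset()):
    """Apply the selection and drop hosts that are expected to serve print (assumed allowlist)."""
    return [
        e for e in events
        if matches_spoolss_selection(e) and e.get("Computer") not in known_print_servers
    ]


# Constructed sample events (not real telemetry), shaped like the 5145 fields the rule uses.
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "DC01", "IpAddress": "10.0.0.5",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "spoolss"},      # hit
    {"EventID": 5145, "Computer": "DC01", "IpAddress": "10.0.0.5",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc"},       # other pipe
    {"EventID": 5145, "Computer": "FS01", "IpAddress": "10.0.0.9",
     "ShareName": r"\\*\C$", "RelativeTargetName": "spoolss"},        # wrong share
    {"EventID": 5140, "Computer": "FS01", "IpAddress": "10.0.0.9",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "spoolss"},      # wrong event id
    {"EventID": "5145", "Computer": "FS01", "IpAddress": "10.0.0.7",
     "ShareName": r"\\*\ipc$", "RelativeTargetName": "SPOOLSS"},      # hit (case-insensitive)
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: spoolss pipe opened over IPC$ from {hit['IpAddress']}")
    # Suppress the documented false positive for a DC that is also a print server.
    print(len(hunt(SAMPLE_EVENTS, known_print_servers={"DC01"})), "hit(s) after allowlist")
```

Running it yields two hits from the five sample events, and one once `DC01` is allowlisted. Note that the allowlist only models the false positive named in the rule; the decision of which hosts legitimately serve print is an environment-specific assumption.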

Author

OTR (Open Threat Research)

Created

2018-11-28

Data Sources

windowssecurity

Platforms

windows

Tags

attack.lateral-movement
attack.t1021.002

Raw Content
title: DCERPC SMB Spoolss Named Pipe
id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
status: test
description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
references:
    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
    - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
    - https://twitter.com/_dirkjan/status/1309214379003588608
author: OTR (Open Threat Research)
date: 2018-11-28
modified: 2022-08-11
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName: spoolss
    condition: selection
falsepositives:
    - 'Domain Controllers acting as printer servers too? :)'
level: medium