Merge pull request #1906 from neu5ron/patch-5

improve zeek_dce_rpc_smb_spoolss_named_pipe
2024-11-06 17:35:19 +00:00 · 2021-08-24 08:36:18 +02:00 · 2021-08-24 08:36:18 +02:00 · 293f422243
commit 293f422243
parent 81ec546e42 4ee4f12f30
1 changed files with 6 additions and 5 deletions
--- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
@ -1,7 +1,7 @@
-title: First Time Seen Remote Named Pipe - Zeek
+title: SMB Spoolss Name Piped Usage
 id: bae2865c-5565-470d-b505-9496c87d0c30
 description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
-author: OTR (Open Threat Research)
+author: OTR (Open Threat Research), @neu5ron
 references:
    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
    - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
@ -10,14 +10,15 @@ tags:
    - attack.lateral_movement
    - attack.t1021.002
 date: 2018/11/28
+modified: 2021/08/23
 logsource:
    product: zeek
    service: smb_files
 detection:
    selection:
-        path: \\*\IPC$
+        path|endswith: IPC$
        name: spoolss
    condition: selection
 falsepositives:
-    - 'Domain Controllers acting as printer servers too? :)'
-level: medium
+    - Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too
+level: medium