From 1819e4b02b6654101f9767880a102c2fbbd492be Mon Sep 17 00:00:00 2001
From: Nate Guagenti
Date: Mon, 23 Aug 2021 14:12:50 -0400
Subject: [PATCH 1/2] improve rule

- improve rule logic
- match zeek fields for fields section
- add false positive information
- change rule name to match the logic of the original rule.. Rule said "first" seen, however, no logic that matches that (ie: rare, stacking, etc..)

---
 .../zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
index dfa15acb..a8853b8e 100644
--- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
@@ -1,7 +1,7 @@
-title: First Time Seen Remote Named Pipe - Zeek
+title: SMB Spoolss Name Piped Usage
 id: bae2865c-5565-470d-b505-9496c87d0c30
 description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
-author: OTR (Open Threat Research)
+author: OTR (Open Threat Research), @neu5ron
 references:
 - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
 - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
@@ -9,15 +9,15 @@ references:
 tags:
 - attack.lateral_movement
 - attack.t1021.002
-date: 2018/11/28
+date: 2021/08/23
 logsource:
 product: zeek
 service: smb_files
 detection:
 selection:
- path: \\*\IPC$
+ path|endswith: IPC$
 name: spoolss
 condition: selection
 falsepositives:
- - 'Domain Controllers acting as printer servers too? :)'
-level: medium
\ No newline at end of file
+ - Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too
+level: medium

From 4ee4f12f308f2da69cad4ab135f7ad9a433c86a0 Mon Sep 17 00:00:00 2001
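Review bot: The new title on the first added line has its words swapped — "Name Piped" should read "Named Pipe", matching the file name and the description: `title: SMB Spoolss Named Pipe Usage`. Dropping "First Time Seen" from the title is justified, since the selection below has no rarity or baseline logic that would support that claim, as the commit message itself notes.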
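Review bot: The rewritten falsepositives entry is hard to parse ("sometimes, commonly although should not be"); a plainer line carries the same caveat: `- Domain Controllers that also act as print servers (common in practice, although not recommended)`. The change from `path: \\*\IPC$` to `path|endswith: IPC$` also widens the match to any share path ending in IPC$ rather than one with an escaped leading backslash and host portion; this looks intended for the Zeek smb_files path field, but a one-line comment above `selection:` would stop a later maintainer from reintroducing the escaped form, for example `# match on the IPC$ suffix; the host portion of the share path varies and needs no escaping here`.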
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 24 Aug 2021 08:01:01 +0200
Subject: [PATCH 2/2] add modified

---
 rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
index a8853b8e..c4ee427d 100644
--- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
@@ -9,7 +9,8 @@ references:
 tags:
 - attack.lateral_movement
 - attack.t1021.002
-date: 2021/08/23
+date: 2018/11/28
+modified: 2021/08/23
 logsource:
 product: zeek
 service: smb_files