Rules Contributing to DCERPC SMB Spoolss Named Pipe Alert

The following rules detect suspicious SMB traffic accessing Spoolss named pipes. Any one or more of these will trigger the DCERPC SMB Spoolss Named Pipe Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

DCERPC SMB Spoolss Named Pipe

Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.

More details

Rule ID

network_security_8

Query

{'selection': {'appid_name': 'smb', 'metadata|contains|all': ['IPC$', 'spoolss']}, 'condition': 'selection'}

Log Source

Stellar Cyber Network Events configured for:

Requirements: Network/Security/Modular sensor must be able to capture network traffic

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0008, T1021.002

References

Severity

Suppression Logic Based On

appid_name
srcip
dstip
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2024/07/13	medium	N/A