🐾 - 🔔 DCERPC - Bind_ack reply to 🪟 SPOOLSS interface - Possible 🖨 Print Spooler State Discovery 🥷 - T1082 - T1547.012

SID: 3300331
Rev: 1
Source: pawpatrules
Created: July 28, 2023
Updated: July 28, 2023
Classification: attempted-recon
alert tcp-pkt $HOME_NET 445 -> any any (msg:"🐾 - 🔔 DCERPC - Bind_ack reply to 🪟 SPOOLSS interface - Possible 🖨 Print Spooler State Discovery 🥷 - T1082 - T1547.012"; flow:to_client, stateless; content:"|fe 53 4d 42|"; content:"|05 00 0c 03|"; content:"|5c 70 69 70 65 5c 73 70 6f 6f 6c 73 73 00|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1082/; reference:url,https://attack.mitre.org/techniques/T1547/012/; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1; reference:url,https://www.pingcastle.com/; metadata:created_at 2023_07_28, updated_at 2023_07_28; sid:3300331; rev:1; classtype:attempted-recon;)

Metadata

created at: 2023_07_28
updated at: 2023_07_28
