Skip to content

Hide Navigation Hide TOC

DCERPC SMB Spoolss Named Pipe (214e8f95-100a-4e04-bb31-ef6cba8ce07e)

Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.

Cluster A Galaxy A Cluster B Galaxy B Level
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern DCERPC SMB Spoolss Named Pipe (214e8f95-100a-4e04-bb31-ef6cba8ce07e) Sigma-Rules 1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2