Skip to content

Hide Navigation Hide TOC

SMB Spoolss Name Piped Usage (bae2865c-5565-470d-b505-9496c87d0c30)

Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.

Cluster A Galaxy A Cluster B Galaxy B Level
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern SMB Spoolss Name Piped Usage (bae2865c-5565-470d-b505-9496c87d0c30) Sigma-Rules 1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2