Techniques
Sample rules
Remote Printing Abuse for Lateral Movement
- source: sigma
- techniques:
Description
Detects remote RPC calls that may abuse the remote printing service via MS-RPRN / MS-PAR.
Detection logic
condition: selection
selection:
  EventID: 3
  EventLog: RPCFW
  InterfaceUuid:
    - 12345678-1234-abcd-ef00-0123456789ab
    - 76f03f96-cdfd-44fc-a22c-64950a001209
    - 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
    - ae33069b-a2a8-46ee-a235-ddfd339be281