
Summary
This rule detects attempts to access the spoolss named pipe over SMB (Server Message Block), activity that can indicate lateral movement within a Windows environment. The spoolss pipe exposes the Print Spooler's RPC interface; when the Print Spooler service is running on the target, an attacker who can reach the pipe can coerce the target into authenticating to an attacker-controlled host over NTLM (NT LAN Manager), and that forced authentication can then be relayed or otherwise abused. The detection monitors Windows Security Event ID 5145, which is logged on the server side when a client's requested access to a network share object is checked, and which is only generated when the Audit Detailed File Share subcategory is enabled. The rule filters these events to the IPC$ (Inter-Process Communication) share and a relative target name of spoolss. This behavior is significant because it often precedes or accompanies privilege escalation or unauthorized access in Active Directory environments, and it is of particular concern when the destination is a Domain Controller. Before deploying, assess legitimate uses of the spool service in your environment, for example Domain Controllers or file servers that provide printing, and tune the search to exclude known print clients and servers.
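The detection logic described above, as an added example that is not the rule's own query: a stand-alone Python re-implementation that parses Event ID 5145 records in the Windows event XML layout, keeps only accesses to spoolss on the IPC$ share, and suppresses hosts on an allowlist. The sample events, hostnames, IP addresses, account names and the allowlist are all constructed for illustration.

```python
# Added example (not the rule's own query or any vendor code): a minimal detector
# for Windows Security Event ID 5145 records that target the spoolss named pipe
# on the IPC$ share. All events below are constructed; hostnames, IPs, accounts
# and the allowlist are assumptions made for the example.
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Assumed allowlist of source hosts that legitimately drive the spooler
# (for instance a known print server). Constructed for this example.
KNOWN_PRINT_SERVERS = frozenset({"10.0.0.50"})


def sample_event(computer, domain, user, ip, share, target, event_id="5145"):
    """Build a constructed Security event using the fields 5145 actually carries."""
    return f"""<Event xmlns="{NS}">
  <System><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">{domain}</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="IpAddress">{ip}</Data>
    <Data Name="IpPort">49812</Data>
    <Data Name="ShareName">{share}</Data>
    <Data Name="ShareLocalPath"></Data>
    <Data Name="RelativeTargetName">{target}</Data>
    <Data Name="AccessMask">0x12019f</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    # Workstation machine account opening spoolss on a Domain Controller: suspicious.
    sample_event("DC01.corp.local", "CORP", "WS01$", "10.0.0.25", r"\\*\IPC$", "spoolss"),
    # Same client, but the srvsvc pipe (share enumeration): not this rule's target.
    sample_event("DC01.corp.local", "CORP", "WS01$", "10.0.0.25", r"\\*\IPC$", "srvsvc"),
    # Known print server talking to a file server: benign once allowlisted.
    sample_event("FS01.corp.local", "CORP", "PRINT01$", "10.0.0.50", r"\\*\IPC$", "spoolss"),
    # Share and pipe name in unusual casing with a leading backslash
    # (constructed to exercise the normalization below).
    sample_event("DC02.corp.local", "CORP", "jdoe", "10.0.0.77", r"\\*\ipc$", r"\Spoolss"),
    # Ordinary file share access, not IPC$: ignored.
    sample_event("FS01.corp.local", "CORP", "jdoe", "10.0.0.77", r"\\*\Data", r"reports\q1.xlsx"),
]


def parse_event(xml_text):
    """Flatten one event into a dict of EventID, Computer and every EventData field."""
    root = ET.fromstring(xml_text)
    fields = {}
    for elem in root.iter():
        tag = elem.tag.split("}", 1)[-1]  # strip the XML namespace
        if tag in ("EventID", "Computer"):
            fields[tag] = (elem.text or "").strip()
        elif tag == "Data" and elem.get("Name"):
            fields[elem.get("Name")] = (elem.text or "").strip()
    return fields


def pipe_name(fields):
    """Normalize RelativeTargetName: drop a leading backslash and fold case."""
    return fields.get("RelativeTargetName", "").lstrip("\\").lower()


def is_spoolss_pipe_access(fields):
    """True for a 5145 event whose share is IPC$ and whose target is the spoolss pipe."""
    if fields.get("EventID") != "5145":
        return False
    share = fields.get("ShareName", "").upper()
    return share.endswith("\\IPC$") and pipe_name(fields) == "spoolss"


def detect(events_xml, known_print_servers=frozenset()):
    """Return one hit per spoolss pipe access not originating from an allowlisted host."""
    hits = []
    for xml_text in events_xml:
        fields = parse_event(xml_text)
        if not is_spoolss_pipe_access(fields):
            continue
        if fields.get("IpAddress") in known_print_servers:
            continue
        hits.append({
            "dest": fields.get("Computer"),
            "src_ip": fields.get("IpAddress"),
            "user": f"{fields.get('SubjectDomainName', '')}\\{fields.get('SubjectUserName', '')}",
            "pipe": pipe_name(fields),
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, KNOWN_PRINT_SERVERS):
        print(f"{hit['user']} from {hit['src_ip']} opened {hit['pipe']} on {hit['dest']}")
```

Two points worth keeping in mind when running something like this against real data: Event ID 5145 is written on the server that received the SMB connection, so the Computer field is the destination and IpAddress is the source, and the event only exists if Audit Detailed File Share is turned on for that host. The allowlist stands in for whatever baseline of legitimate print traffic the environment has; on a Domain Controller that does not serve printers, any hit is worth a look.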
Categories
- Windows
- Network
- Cloud
- On-Premise
Data Sources
- Named Pipe
- Logon Session
- Network Traffic
Created: 2018-11-28