Detectionmediumtest

Suspicious Rejected SMB Guest Logon From IP

Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10wCreated Wed Jun 30Updated Mon Jan 0271886b70-d7b4-4dbf-acce-87d2ca135262windows

Log Source

Windowssmbclient-security

ProductWindows← raw: windows

Servicesmbclient-security← raw: smbclient-security

Detection Logic

detection:
    selection:
        EventID: 31017
        UserName: ''
        ServerName|startswith: '\1'
    condition: selection

False Positives

Account fallback reasons (after failed login with specific account)

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

71886b70-d7b4-4dbf-acce-87d2ca135262

Status

test

Level

medium

Type

Detection

Created

Wed Jun 30

Modified

Mon Jan 02

Author

Path

rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml

Raw Tags

attack.credential-accessattack.t1110.001