SigmaHQ/rules/windows/builtin/win_susp_failed_guest_logon.yml

title: Suspicious Rejected SMB Guest Logon From IP
id: 71886b70-d7b4-4dbf-acce-87d2ca135262
description: 
author: Florian Roth, KevTheHermit, fuzzyf10w
status: experimental
level: medium
references:
    - https://twitter.com/KevTheHermit/status/1410203844064301056
    - https://github.com/hhlxf/PrintNightmare
    - https://github.com/afwu/PrintNightmare
date: 2021/06/30
logsource:
    product: windows
    service: smbclient-security
detection:
    selection:
        EventID: 31017
        Description|contains: 'Rejected an insecure guest logon'
        UserName: ''
        ServerName|startswith: '\1'
    condition: selection
fields:
    - Computer
    - User
falsepositives:
    - Account fallback reasons (after failed login with specific account)
rules: CVE-2021-1675 exploitation events 2021-06-30 12:51:20 +00:00			`title: Suspicious Rejected SMB Guest Logon From IP`
			`id: 71886b70-d7b4-4dbf-acce-87d2ca135262`
			`description:`
			`author: Florian Roth, KevTheHermit, fuzzyf10w`
			`status: experimental`
			`level: medium`
			`references:`
			`- https://twitter.com/KevTheHermit/status/1410203844064301056`
			`- https://github.com/hhlxf/PrintNightmare`
			`- https://github.com/afwu/PrintNightmare`
			`date: 2021/06/30`
			`logsource:`
			`product: windows`
			`service: smbclient-security`
			`detection:`
			`selection:`
			`EventID: 31017`
			`Description\|contains: 'Rejected an insecure guest logon'`
			`UserName: ''`
			`ServerName\|startswith: '\1'`
			`condition: selection`
			`fields:`
			`- Computer`
			`- User`
			`falsepositives:`
			`- Account fallback reasons (after failed login with specific account)`