mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
28 lines
872 B
YAML
28 lines
872 B
YAML
title: Suspicious Rejected SMB Guest Logon From IP
|
|
id: 71886b70-d7b4-4dbf-acce-87d2ca135262
|
|
description: Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service
|
|
author: Florian Roth, KevTheHermit, fuzzyf10w
|
|
status: experimental
|
|
level: medium
|
|
references:
|
|
- https://twitter.com/KevTheHermit/status/1410203844064301056
|
|
- https://github.com/hhlxf/PrintNightmare
|
|
- https://github.com/afwu/PrintNightmare
|
|
date: 2021/06/30
|
|
modified: 2021/07/05
|
|
logsource:
|
|
product: windows
|
|
service: smbclient-security
|
|
detection:
|
|
selection:
|
|
EventID: 31017
|
|
Description|contains: 'Rejected an insecure guest logon'
|
|
UserName: ''
|
|
ServerName|startswith: '\1'
|
|
condition: selection
|
|
fields:
|
|
- Computer
|
|
- User
|
|
falsepositives:
|
|
- Account fallback reasons (after failed login with specific account)
|