EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Suspicious Rejected SMB Guest Logon From IP

Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service

MITRE ATT&CK

T1110.001
credential-access

Detection Query

selection:
  EventID: 31017
  UserName: ""
  ServerName|startswith: \1
condition: selection

Author

Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w

Created

2021-06-30

Data Sources

windowssmbclient-security

Platforms

windows

References

Tags

attack.credential-accessattack.t1110.001
Raw Content
title: Suspicious Rejected SMB Guest Logon From IP
id: 71886b70-d7b4-4dbf-acce-87d2ca135262
status: test
description: Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service
references:
    - https://twitter.com/KevTheHermit/status/1410203844064301056
    - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
    - https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w
date: 2021-06-30
modified: 2023-01-02
tags:
    - attack.credential-access
    - attack.t1110.001
logsource:
    product: windows
    service: smbclient-security
detection:
    selection:
        EventID: 31017
        UserName: ''
        ServerName|startswith: '\1'
    condition: selection
falsepositives:
    - Account fallback reasons (after failed login with specific account)
level: medium