LoFP / account fallback reasons (after failed login with specific account)

Techniques

• t1110
• t1110.001

Sample rules

Suspicious Rejected SMB Guest Logon From IP

• source: sigma
• technicques:
  • t1110
  • t1110.001

Description

Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service

Detection logic

condition: selection
selection:
  EventID: 31017
  ServerName|startswith: \1
  UserName: ''