OpenCTI または OpenAEV プラットフォームを 30 日間お試しいただけます。 無料トライアル
XTM Hub by Filigranサインイン

Enumeration via Anonymous or Guest SMB Access

Endpoint Security Validation
Detection Rule Validation

概要

Detect Anonymous & Guest access into SMB Servers

This scenario simulates a reconnaissance activity aimed at identifying SMB (Server Message Block) servers that allow anonymous or guest-level access without authentication. Such misconfigurations are commonly exploited by attackers during the early stages of a compromise, allowing them to enumerate shares, access sensitive data, or prepare for privilege escalation—all without valid credentials.

The scenario tests whether SMB services on the target hosts are accessible using the special "anonymous" or "guest" accounts. It does this by initiating SMB session setups without providing valid credentials and analyzing the server’s response. If the server grants access or returns share or system information, it indicates a potential misconfiguration or policy weakness that may expose the organization to data leaks or unauthorized access. Anonymous access typically occurs when servers are configured to allow null sessions, while guest access often results from overly permissive access control lists (ACLs) or legacy compatibility settings. Both are considered insecure by modern standards and should be carefully audited and remediated.

Objective:

  • Detect SMB servers that permit unauthenticated access via anonymous or guest accounts.
  • Assess risks posed by default or legacy configurations in file sharing services.
  • Provide actionable insights to harden SMB server configurations against unauthorized access.

Use Case:

  • Internal security audits and compliance verification.
  • Purple team exercises to simulate attacker behavior.
  • Enhancing detection capabilities in SIEM or EDR solutions.
  • Identifying legacy or misconfigured Windows or Samba servers.

Tactics & Techniques:

  • Tactic: Initial Access / Discovery (MITRE ATT&CK: TA0001 / TA0007)
  • Technique: Valid Accounts - [T1078]
  • Sub-technique: Exploitation of Default or Guest Accounts

Impact:

This scenario does not exploit any vulnerabilities or attempt privilege escalation. However, it mimics attacker behavior that can expose sensitive resources without authentication. It can generate SMB connection attempts and access logs that may be useful for validating detection mechanisms.

Detection Tips:

Security teams should monitor SMB session setups that occur without authentication or use the "guest" account. Indicators may include:

  • Event ID 4624 with Logon Type 3 and special login accounts.
  • SMB access logs with null credentials or guest tokens.
  • Network traffic from unexpected sources initiating unauthenticated SMB sessions.

SIEM rules can be tuned to alert on such access attempts, especially if they originate from non-authorized IP ranges or involve sensitive file shares.

Recommended Mitigations:

  • Disable guest access and anonymous logons via Group Policy.
  • Restrict share permissions to authenticated and authorized users only.
  • Regularly audit SMB server configurations and access controls.
  • Disable legacy SMB protocols (e.g., SMBv1) where not needed.

基本情報

Filigran
Sébastien Miguel
2026年7月01日
1.17.0
200+
90+

    当社は、XTM Hubの機能を動作させ、その利用状況を把握し、ユーザー体験を向上させるためにクッキーを使用しています。必須のクッキーは常に有効になっています。また、ユーザーの同意を得た上で、機能、パフォーマンス、分析、およびマーケティングを目的としたオプションのクッキーも使用しています。 すべてのクッキーを受け入れる、すべてを拒否する、または許可するオプションのクッキーを選択することができます。「クッキー設定」から、いつでも設定を変更できます。詳細については、当社のクッキーポリシーをご覧ください。