Smb Authenticated Rpc Service And Account Enumeration

Identifies an SMB session where the IPC$ share is accessed and RPC bindings are established to the SAMR and SRVSVC interfaces via named pipes. The combination of IPC$ access, SAMR RPC binding (Security Account Manager Remote), and SRVSVC pipe interaction indicates authenticated enumeration of user accounts, groups, shares, or service information on a Windows host. This behavior reflects structured post-authentication reconnaissance against Windows systems rather than unauthenticated share scanning.

Observed IPs

146

Avg Confidence

82%

Severity

high

Top IPs by event countSMB

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
46.105.132.55	100%	22,766	2,243	🇫🇷 FR	AS16276	2026-03-02
185.66.88.84	96%	2,296	476	🇺🇦 UA	AS30860	2026-02-14
34.14.103.46	100%	1,352	467	🇧🇪 BE	AS396982	2026-02-27
45.84.107.74	99%	861	113	🇸🇪 SE	AS214503	2026-03-02
45.84.107.76	98%	808	101	🇸🇪 SE	AS214503	2026-03-01
45.84.107.33	90%	642	85	🇸🇪 SE	AS214503	2026-03-02
5.193.25.192	99%	641	641	🇦🇪 AE	AS5384	2026-02-23
45.84.107.172	97%	627	108	🇸🇪 SE	AS214503	2026-03-02
101.36.109.144	94%	602	281	🇭🇰 HK	AS135377	2026-03-02
45.142.154.46	96%	600	319	🇭🇰 HK	AS9465	2026-03-02
152.32.133.191	96%	577	342	🇭🇰 HK	AS135377	2026-03-02
45.84.107.101	95%	573	91	🇸🇪 SE	AS214503	2026-03-02
45.84.107.54	93%	567	76	🇸🇪 SE	AS214503	2026-03-02
101.36.108.184	97%	556	318	🇭🇰 HK	AS135377	2026-03-02
152.32.129.110	92%	497	280	🇭🇰 HK	AS135377	2026-03-02
118.193.39.146	94%	497	283	🇭🇰 HK	AS135377	2026-02-28
101.36.108.178	94%	496	269	🇭🇰 HK	AS135377	2026-02-28
45.142.154.39	96%	489	283	🇭🇰 HK	AS9465	2026-03-02
152.32.135.151	94%	488	301	🇭🇰 HK	AS135377	2026-03-02
45.142.154.104	92%	486	304	🇭🇰 HK	AS9465	2026-03-02

Loading threats