Smb Remote Enumeration Via Samr And Srvsvc

Composite behavior identifying authenticated SMB interaction where a client accesses the IPC$ share, performs root directory reads, binds to the SAMR RPC interface, and interacts with the SRVSVC service pipe. This sequence is consistent with remote host and account enumeration activity over SMB, typically used to gather domain, user, and share information prior to lateral movement or privilege escalation attempts.

Observed IPs

177

Avg Confidence

94%

Severity

medium

Top IPs by event countSMB

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
35.216.144.195	100%	5,421	2,534	🇨🇭 CH	AS15169	2026-04-06
35.216.195.77	100%	5,139	2,038	🇨🇭 CH	AS15169	2026-04-11
35.216.189.16	100%	3,977	1,707	🇨🇭 CH	AS15169	2026-04-09
35.216.172.131	100%	3,165	1,234	🇨🇭 CH	AS15169	2026-04-10
35.216.201.9	100%	2,692	1,257	🇨🇭 CH	AS15169	2026-04-13
34.22.151.18	100%	2,129	340	🇧🇪 BE	AS396982	2026-02-25
35.195.168.139	99%	1,781	510	🇧🇪 BE	AS396982	2026-02-25
118.193.47.212	100%	1,772	613	🇭🇰 HK	AS135377	2026-04-16
34.52.219.24	100%	1,761	561	🇧🇪 BE	AS396982	2026-04-18
35.187.31.145	99%	1,748	479	🇧🇪 BE	AS396982	2026-02-27
35.216.183.140	100%	1,746	472	🇨🇭 CH	AS15169	2026-04-13
35.233.96.173	97%	1,745	404	🇧🇪 BE	AS396982	2026-02-25
34.76.200.20	98%	1,715	263	🇧🇪 BE	AS396982	2026-02-26
34.76.139.101	100%	1,646	389	🇧🇪 BE	AS396982	2026-02-22
34.77.70.250	97%	1,463	416	🇧🇪 BE	AS396982	2026-02-24
118.194.249.72	100%	1,417	764	🇰🇷 KR	AS135377	2026-04-17
107.150.117.219	97%	1,392	579	🇩🇪 DE	AS135377	2026-04-17
34.14.103.46	100%	1,352	467	🇧🇪 BE	AS396982	2026-02-27
165.154.179.204	98%	1,351	560	🇷🇺 RU	AS135377	2026-04-16
34.140.188.44	99%	1,314	339	🇧🇪 BE	AS396982	2026-03-08