DESCRIPTION LAST UPDATED: 2023-07-04
DEFAULT SECURITY LEVEL: HIGH
This report identifies hosts that have been observed performing SMB Server Message Block scanning activity, including exploitation attempts.
SMB is one of the most common vectors of attacks. This includes brute forcing attacks and exploitation of RCE vulnerabilities.
If you receive a report of SMB scanning (or exploitation attempts) please investigate the scanning IP – it may be compromised.
You can track SMB scanning activities as observed in our honeypots on our Dashboard, by selecting source honeypot and tag smb-scan. For example – https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=honeypot&tag=smb-scan&group_by=geo&style=stacked
Severity levels are described here.
You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.