
Summary
This detection rule identifies SMB (Server Message Block) connections to shared resources that are neither signed nor encrypted. Such connections are a concern because, without signing, an on-path attacker can tamper with or relay the session, and, without encryption, any data transferred is readable on the wire; both conditions make lateral movement easier and raise the risk of unauthorized access or data exposure. The rule triggers on Event ID 4000, which is logged for SMB server connections, and specifically watches connections to the administrative shares IPC$, ADMIN$, and C$, the shares that remote execution and file-copy tooling commonly rely on. It evaluates the signing and encryption state of each connection and fires only when both are disabled. A filter excludes local address ranges (for example 127.0.0.1 and 169.254.0.0/16) to reduce false positives from loopback and link-local traffic. The summary describes the filter as covering local and private ranges, but the examples cited are loopback and link-local only; if the deployed filter also drops RFC 1918 ranges, it will suppress exactly the internal traffic that lateral movement produces, so verify the actual exclusion list before relying on the rule and tune out legitimate management hosts explicitly rather than by excluding whole internal subnets.
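The logic described above, as an added example rather than the rule's own code: a small Python evaluator that applies the same checks (event ID, monitored share, signing and encryption both off, client address not loopback or link-local) to constructed sample events. The field names ShareName, Signed, Encrypted and ClientAddress are assumptions, not the real log schema; map them to whatever your SMB server log actually emits.

```python
"""Evaluator for the SMB unsigned/unencrypted share-connection logic.

Added example, not the detection rule's own code. Field names
(EventID, ShareName, Signed, Encrypted, ClientAddress) are assumptions.
"""
import ipaddress

MONITORED_SHARES = {"IPC$", "ADMIN$", "C$"}
SMB_SERVER_CONNECTION_EVENT_ID = 4000  # event ID named in the rule summary

# Only loopback and link-local are excluded. Deliberately NOT excluding
# RFC 1918 ranges: that would hide the internal traffic lateral movement
# produces, which is what the rule exists to catch.
EXCLUDED_CLIENT_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fe80::/10"),
]


def _client_excluded(addr: str) -> bool:
    """True if the client address falls in an excluded (local) range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable address: keep the event rather than drop it
    return any(ip in net for net in EXCLUDED_CLIENT_NETWORKS)


def _as_bool(value) -> bool:
    """Logs often carry flags as strings ('True', 'false', '0'); normalise."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"true", "1", "yes"}


def _share_name(raw: str) -> str:
    """Reduce a UNC path like \\\\FS01\\ADMIN$ (or a bare name) to the share."""
    return raw.rsplit("\\", 1)[-1].upper()


def matches(event: dict) -> bool:
    """Return True when the event satisfies every condition of the rule."""
    if int(event.get("EventID", -1)) != SMB_SERVER_CONNECTION_EVENT_ID:
        return False
    if _share_name(str(event.get("ShareName", ""))) not in MONITORED_SHARES:
        return False
    # The rule fires only when BOTH protections are off.
    if _as_bool(event.get("Signed")) or _as_bool(event.get("Encrypted")):
        return False
    return not _client_excluded(str(event.get("ClientAddress", "")))


def alerts(events) -> list:
    """Client addresses of the events that trigger the rule, in order."""
    return [str(e["ClientAddress"]) for e in events if matches(e)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4000, "ShareName": "\\\\FS01\\ADMIN$", "Signed": False,
     "Encrypted": False, "ClientAddress": "10.1.2.3"},          # hit
    {"EventID": 4000, "ShareName": "IPC$", "Signed": True,
     "Encrypted": False, "ClientAddress": "10.1.2.4"},          # signed: no
    {"EventID": 4000, "ShareName": "C$", "Signed": False,
     "Encrypted": False, "ClientAddress": "127.0.0.1"},         # loopback: no
    {"EventID": 4000, "ShareName": "Finance", "Signed": False,
     "Encrypted": False, "ClientAddress": "10.1.2.5"},          # not monitored: no
    {"EventID": 4001, "ShareName": "ADMIN$", "Signed": False,
     "Encrypted": False, "ClientAddress": "10.1.2.6"},          # wrong event: no
    {"EventID": "4000", "ShareName": "IPC$", "Signed": "false",
     "Encrypted": "false", "ClientAddress": "192.168.5.20"},    # hit (string fields)
    {"EventID": 4000, "ShareName": "\\\\FS01\\c$", "Signed": False,
     "Encrypted": True, "ClientAddress": "10.1.2.7"},           # encrypted: no
    {"EventID": 4000, "ShareName": "IPC$", "Signed": False,
     "Encrypted": False, "ClientAddress": "fe80::1"},           # link-local: no
]

if __name__ == "__main__":
    for addr in alerts(SAMPLE_EVENTS):
        print("ALERT: unsigned, unencrypted admin-share connection from", addr)
```

Only the first and sixth sample events should fire; the others each fail one condition, which is a useful checklist when tuning the rule against real events from your own log source.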
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Network Traffic
- Process
Created: 2025-10-19