Suspicious Rejected SMB Guest Logon From IP

Summary
This detection rule identifies suspicious rejected SMB guest logon attempts, specifically to surface exploitation attempts of the PrintNightmare vulnerability (CVE-2021-1675), which could lead to remote code execution via the Windows Spooler service. The detection is based on Windows SMB client Event ID 31017 combined with two conditions: an empty username and a server name that starts with '\1'. Because this pattern can indicate an attempt to bypass authentication over SMB, it is useful for spotting unauthorized access attempts that could exploit this vulnerability. The rule's effectiveness depends on collecting Windows SMB client logs; its authors have published it on several platforms, with references pointing to working exploits and to additional context on this attack vector. The rule helps detect a common lateral movement tactic used by attackers against Windows environments. Care should be taken with false positives, particularly those arising from valid account fallback reasons after failed login attempts.
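As an added example (not the rule authors' code and not part of this page), the rule's three selection conditions evaluated over constructed SMB client log lines. The field names (EventID, ServerName, UserName), the log channel name and the `key=value` line format are assumptions made for the example.

```python
# Added example: evaluate the rule's selection logic against constructed
# SMB client log records. Field names, channel name and line format are
# assumptions; real collectors will present these fields differently.
SMBCLIENT_SECURITY_CHANNEL = "Microsoft-Windows-SMBClient/Security"  # assumed
REJECTED_GUEST_LOGON_EVENT_ID = 31017

def parse_record(line: str) -> dict:
    """Parse one constructed 'key=value;key=value' log line into a dict."""
    record = {}
    for field in line.strip().split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            record[key.strip()] = value
    if "EventID" in record:
        record["EventID"] = int(record["EventID"])
    return record

def is_suspicious_rejected_guest_logon(event: dict) -> bool:
    """True when all selection clauses of the rule hold for this event."""
    if event.get("Channel") != SMBCLIENT_SECURITY_CHANNEL:
        return False
    if event.get("EventID") != REJECTED_GUEST_LOGON_EVENT_ID:
        return False
    if event.get("UserName") != "":          # username must be empty
        return False
    # '\1' on the page means a literal backslash followed by the digit 1
    return event.get("ServerName", "").startswith("\\1")

def find_matches(lines):
    """Return the parsed records that the rule would alert on."""
    return [r for r in map(parse_record, lines) if is_suspicious_rejected_guest_logon(r)]

# Constructed sample log lines (RFC 5737 documentation address used).
SAMPLE_LINES = [
    # 1: empty username, server name starting with '\1' -> matches
    "Channel=Microsoft-Windows-SMBClient/Security;EventID=31017;"
    "ServerName=\\192.0.2.7;UserName=",
    # 2: same server, but a real account fell back to guest -> no match
    "Channel=Microsoft-Windows-SMBClient/Security;EventID=31017;"
    "ServerName=\\192.0.2.7;UserName=svc_print",
    # 3: empty username but a hostname-style server name -> no match
    "Channel=Microsoft-Windows-SMBClient/Security;EventID=31017;"
    "ServerName=\\fileserver01;UserName=",
    # 4: a different SMB client event id -> no match
    "Channel=Microsoft-Windows-SMBClient/Security;EventID=31010;"
    "ServerName=\\192.0.2.7;UserName=",
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_LINES):
        print("ALERT rejected SMB guest logon:", hit["ServerName"])
```

Line 2 illustrates the false-positive case the summary warns about: the same server name, but a non-empty username from an account that fell back to a guest logon.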
Categories
  • Windows
  • Endpoint
Data Sources
  • Logon Session
  • Network Traffic
Created: 2021-06-30