SMB2 Polling for DLLs and Exes that dont exist on SYSVOL share

[rmurphy]

I have created a test domain (server 2016). There are SMB ANDX requests being constantly generated from a hidden process and looking for dll's and exe's within an existing or deleted GPO policy folders that never hosted these files in the first place (unless done maliciously somehow).

Procmon and pcap can see these requests, so far I have not detected a hit as such (valid response) but I am sure the files were hidden there somehow and are now not. The thing I do not understand is procmon itself is detecting these requests as it they had come from procmon itself, therefore there is a process that is hidden that procmon cannot monitor that is generating these. As you can see some requests were made from powershell and I am looking into how that process was spawned.

Windows 10 virtualises some parts of security such as defender, I dont think third party scanners have full access to Microsofts hidden virtualisation area so exploits in this area go unnoticed.

If anyone could shed any light that would be great!

[rmurphy]

Oh and I am not getting mixed up with typical logon scripts, The andx requests were for exe's and dll's. Some of the dll's were signed by Microsoft even, some were related to SDKs such as Python!

[AdvancedSetup]

Hello @rmurphy and

We could scan your server for an infection but that is very unlikely if you just set it up.  This looks to be a lot more on the philosophical discussions of how Microsoft creates and manages the operations of Windows. I'm sorry but monitoring, reviewing, and discussions of intercommunications of the operating system are not related to malware detection and removal which is the main purpose of the forums.

If you like we can run scans to try to locate malware. For discussions of the interworkings of Windows, you may wish to contact one of the Microsoft support channels or a forum that specializes in the inner workings of Windows.

Here is a link to the Sysinternals forum on Microsoft Technet where you could research, and/or ask more specific questions concerning Windows.

Thank you

Ron

 

 

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks