Jump to content

SMB2 Polling for DLLs and Exes that dont exist on SYSVOL share


Recommended Posts

I have created a test domain (server 2016). There are SMB ANDX requests being constantly generated from a hidden process and looking for dll's and exe's within an existing or deleted GPO policy folders that never hosted these files in the first place (unless done maliciously somehow).

Procmon and pcap can see these requests, so far I have not detected a hit as such (valid response) but I am sure the files were hidden there somehow and are now not. The thing I do not understand is procmon itself is detecting these requests as it they had come from procmon itself, therefore there is a process that is hidden that procmon cannot monitor that is generating these. As you can see some requests were made from powershell and I am looking into how that process was spawned.

Windows 10 virtualises some parts of security such as defender, I dont think third party scanners have full access to Microsofts hidden virtualisation area so exploits in this area go unnoticed.

If anyone could shed any light that would be great!




Link to post
Share on other sites

  • Root Admin

Hello @rmurphy and :welcome:

We could scan your server for an infection but that is very unlikely if you just set it up.  This looks to be a lot more on the philosophical discussions of how Microsoft creates and manages the operations of Windows. I'm sorry but monitoring, reviewing, and discussions of intercommunications of the operating system are not related to malware detection and removal which is the main purpose of the forums.

If you like we can run scans to try to locate malware. For discussions of the interworkings of Windows, you may wish to contact one of the Microsoft support channels or a forum that specializes in the inner workings of Windows.

Here is a link to the Sysinternals forum on Microsoft Technet where you could research, and/or ask more specific questions concerning Windows.

Thank you




Link to post
Share on other sites

  • 4 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.



Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.