citizenniom.blogg.se

Tcpview review

I'm a big fan of the Sysinternals suite, and I've been able to use TCPView to watch as I simulate the alert with PS> Test-NetConnection -Port 445. I can see the powershell.exe process in TCPView, and I'm using Process Monitor and I can see it there as well. Nothing in the logs, AV (online and off) shows clear, all available updates are installed, no foreign / unexpected applications are installed, and there is nothing weird that I can see. We've got a workstation that randomly tries to establish that SMB connection and I can't, for the life of me, figure out what process on it is doing it.

We have a firewall rule on one of our firewalls that basically alerts anytime that there's an attempted SMB connection from an internal / trusted network to an untrusted network.
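
One way to catch the intermittent connection described above without sitting in front of TCPView is to poll the TCP table and log the owning process of anything headed to port 445. This is an added example, not part of the original post; the log path, polling interval and run time are assumptions to adjust.

```powershell
# Added example: record which process owns each outbound TCP/445 connection.
# $LogPath, $IntervalMs and the 8-hour window are assumed values.
$LogPath    = Join-Path $env:TEMP 'smb-outbound.csv'
$IntervalMs = 250
$Deadline   = (Get-Date).AddHours(8)
$Seen       = @{}   # de-duplicates rows for the same connection and state

while ((Get-Date) -lt $Deadline) {
    # Includes attempts still in SynSent, i.e. ones the firewall is dropping.
    $conns = Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $key = '{0}|{1}|{2}|{3}' -f $c.OwningProcess, $c.LocalPort, $c.RemoteAddress, $c.State
        if ($Seen.ContainsKey($key)) { continue }
        $Seen[$key] = $true

        # Resolve the process and its parent while they still exist.
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId=$($c.OwningProcess)" `
                    -ErrorAction SilentlyContinue
        $parent = if ($proc) {
            Get-CimInstance Win32_Process -Filter "ProcessId=$($proc.ParentProcessId)" `
                -ErrorAction SilentlyContinue
        }

        # PID 4 (System) means the kernel SMB client opened the socket on behalf
        # of some process that touched a UNC path; the requester is not shown here.
        [pscustomobject]@{
            Time          = (Get-Date).ToString('o')
            State         = $c.State
            LocalPort     = $c.LocalPort
            RemoteAddress = $c.RemoteAddress
            OwningPid     = $c.OwningProcess
            ProcessName   = $proc.Name
            ExecutablePath = $proc.ExecutablePath
            CommandLine   = $proc.CommandLine
            ParentPid     = $proc.ParentProcessId
            ParentName    = $parent.Name
            ParentCmdLine = $parent.CommandLine
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
    Start-Sleep -Milliseconds $IntervalMs
}
```

Run it from an elevated PowerShell session so command lines of processes owned by other accounts are readable, then match the CSV timestamps against the firewall alert times.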














