We have a strange scenario, hoping the community may be able to help. We recently deployed a service called Microsoft ATA that identifies behavior "out of the norm" for a user, and flags it for follow up in case an account is compromised. It recently started alerting on a few users in seemingly random scenarios, primarily for an immediate CIFS negotiation with all clients on the same subnet. Anecdotally, we've tracked down work performed to a Dell KACE application deployment happening in each instance when this system flags the "suspicious" behavior. We know something we are doing is initiating the behavior and the report is a false positive, but the bosses want to know why.

Anyone know how/if KACE leverages CIFS in a way that the target client would reach out to other clients on the same subnet in this way when a managed install is deployed? So far we have only seen this trigger specifically on some pilot Windows 10 machines we have in the org.

I've tried to recreate the issue with a packet cap running but have had no success and am missing something. I only end up seeing normal CIFS announcements to one of the nearby workstations every 10 seconds or so in a round robin from the computer browser service, which we would expect. When the event in question happens, it's like an immediate call and response from all nearby devices. (I am very novice with packet cap analysis though so easily could be missing something.)

Anyhow, any help appreciated. I've increased the logging to try to verify with certainty that KACE is going off when the event happens, but it seems pretty clear something in a managed install deployment is triggering the CIFS traffic. Whether it's happening with intent, or as a dependency/byproduct of another action is what I'd like to find out.
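One way to confirm from a packet capture whether a host really did open SMB/CIFS sessions to many subnet peers within seconds (the burst ATA flagged, as opposed to the slow browser-service round robin), as an added example that is not part of the original post and not KACE or ATA tooling. It assumes the capture has already been exported to one "epoch src dst dstport" line per TCP SYN, e.g. via tshark -T fields; the sample lines and hostnames are constructed.

```python
# Added example (not from the original post): flag a host that opens SMB/CIFS
# sessions to many subnet peers within seconds, the burst the poster describes.
# Assumed input: one "<epoch> <src_ip> <dst_ip> <dst_port>" line per TCP SYN,
# as tshark -T fields with frame.time_epoch/ip.src/ip.dst/tcp.dstport would emit.
from collections import defaultdict
import ipaddress

SMB_PORTS = {445, 139}
# Constructed sample: .50 fans out to 6 peers in ~1.5 s (the suspicious burst);
# .51 shows the normal ~10 s round-robin browser-service chatter.
SAMPLE = """\
1700000000.10 10.1.2.50 10.1.2.11 445
1700000000.30 10.1.2.50 10.1.2.12 445
1700000000.55 10.1.2.50 10.1.2.13 445
1700000000.80 10.1.2.50 10.1.2.14 445
1700000001.10 10.1.2.50 10.1.2.15 445
1700000001.40 10.1.2.50 10.1.2.16 139
1700000005.00 10.1.2.51 10.1.2.11 445
1700000015.00 10.1.2.51 10.1.2.12 445
1700000030.00 10.1.2.50 10.1.2.99 443
"""

def parse_smb_syns(text):
    """Yield (time, src, dst) for connection attempts to SMB ports."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed export lines
        t, src, dst, port = parts
        if int(port) in SMB_PORTS:
            yield float(t), src, dst

def find_fanout(text, subnet, window=5.0, min_peers=5):
    """Return {src: peers} for sources reaching >= min_peers distinct hosts
    in `subnet` over SMB within any `window`-second span (sliding window)."""
    net = ipaddress.ip_network(subnet)
    by_src = defaultdict(list)
    for t, src, dst in parse_smb_syns(text):
        if ipaddress.ip_address(dst) in net:
            by_src[src].append((t, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window start forward
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_peers:
            hits[src] = best
    return hits

if __name__ == "__main__":
    print(find_fanout(SAMPLE, "10.1.2.0/24"))  # {'10.1.2.50': 6}
```

Run it against the export taken while a managed install is pushed; a source that shows up here with a peer count matching the number of live hosts on the subnet is the behavior to correlate with the KACE agent logs.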
There are no answers at this time