SMB: User Password Brute-force Attempt 40004


Hello all. I have a PA-5020 operating as our Layer 3 router between all of our VLANs. For the past month or so the ACC on the Palo shows SMB: User Password Brute-force Attempt (ID:40004) as the #1 entry in the Threat Prevention section. The attacker is our Antivirus (Kaspersky) Administration Server on VLAN 199 and the victim is a kiosk PC that isn't on our domain, just on our network VLAN 202. There are about 10 other kiosks and they don't get any threats from the AV server. These kiosks are managed by another company and locked down pretty well. I've tried using netstat /oan and keep running it but never see the traffic (maybe the firewall on the kiosk terminates the traffic too quickly for me to see any SYN_WAIT, etc.). I do see a LOT of 445 connections off and on to other devices on our network, just none to that IP address.

I've scanned the server with the latest Kaspersky sigs and no malware is found.  I'm stumped as to what this may be, should I start a packet capture and see if that yields any clues?
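A way to catch the short-lived SMB connections the post describes, added here as an example and not part of the original post or of any Kaspersky or Palo Alto tooling: a tight polling loop on the Administration Server that records every TCP connection to the kiosk on port 445 together with the owning process. Manual netstat runs miss connections that live only a few milliseconds; polling every 200 ms and writing each hit to a CSV is far more likely to catch them and, more importantly, names the process that opens them. The kiosk address, the log path and the requirement of PowerShell 3 or later (for Get-NetTCPConnection and Export-Csv -Append) are assumptions.

```powershell
# Added example, not code from the original post. Run elevated on the
# Kaspersky Administration Server. Assumes PowerShell 3+ (Server 2012+).
# $KioskIp is a placeholder: substitute the victim address shown in the
# Palo Alto threat log for signature 40004.
$KioskIp  = '10.202.0.50'               # placeholder kiosk address on VLAN 202
$LogFile  = 'C:\temp\smb-to-kiosk.csv'  # assumed output path
$Interval = 200                         # ms between polls; the connection may
                                        # exist for only a few milliseconds

while ($true) {
    # Match on remote address AND port 445 so the many other SMB
    # connections the server makes do not flood the log.
    $hits = @(Get-NetTCPConnection -RemoteAddress $KioskIp -RemotePort 445 `
                                   -ErrorAction SilentlyContinue)

    if ($hits.Count -gt 0) {
        $rows = foreach ($c in $hits) {
            # Resolve the owning PID to a process name and image path; this
            # is what tells you whether the Administration Server service,
            # a scheduled task, or something unexpected is the source.
            $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Time      = (Get-Date).ToString('o')
                State     = $c.State
                LocalPort = $c.LocalPort
                Pid       = $c.OwningProcess
                Process   = $proc.ProcessName
                Path      = $proc.Path
            }
        }
        $rows | Export-Csv -Path $LogFile -Append -NoTypeInformation
        $rows | Format-Table -AutoSize   # also echo to the console
    }

    Start-Sleep -Milliseconds $Interval
}
```

Leave it running until the Palo Alto threat log shows the next 40004 hit, then match the timestamps. The signature fires on repeated failed SMB logons in a short window, so the complementary check is on the kiosk side: its local Security event log should show the corresponding failed logon events (event ID 4625) with the Administration Server's IP as the source, which confirms the firewall is seeing real authentication failures rather than a false positive. If the owning process turns out to be the Administration Server service itself, the server's remote-install, network-polling or inventory tasks that reach the kiosk over the admin shares, and the credentials they use for a machine that is not on the domain, are the place to look before treating the server as compromised.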
