Threat Hunting -IPS - Observed Multiple IPS Signatures from Internal IP

Hello,

Issue highlighted by IPS team that they are getting alert in their Palo Alto from Solarwinds source to multiple destination IP's .

Plicy Alert: We have observed multiple IPS signatures "["Microsoft Windows RPC Encrypted Data Detected(33836)","Microsoft Windows Registry Read Attempt(34940)","SCAN: Host Sweep(8002)","Microsoft Windows Registry Enumeration(30840)","Microsoft Windows user enumeration(30842)","SMB: User Password Brute Force Attempt(40004)"]" in Palo Alto from the source IP (X.X.X.X) to multiple destination IP's over port 445 & 135.

Anyone experience the same? Can anyone confirm if this is legitimate traffic?

Thanks,

Alankar

Find more posts tagged with

sam

Accepted answers

All comments

mesverrum

Depending on what you are monitoring in SAM yes there are components that would be using port 445 or 135. I think some of the violations they are calling out like the user enumeration and registry enumerations are likely to be triggered by things like the asset inventory and/or SCM templates.

They'd need to investigate more to be sure that this is what is happening, but none of those things strike me as being 100% unexpected for SW to do as just part of normal monitoring.