Hello - Hoping someone here can point me in a good direction.
We've been receiving alerts from our SIEM for unexpected SMB traffic, which is quite simply a search that looks for port 445 traffic on the network to hosts other than the expected servers (file server, AD, etc.).
The past few days we've had quite a few hosts with SMB traffic between them; however, looking at PCAPs, it ultimately results in "No Data Sent" most of the time, or a few that have some NTLM data, but the NTLM is only being detected between Macs and PCs.
We do have Sysmon data from a few of the hosts, specifically the servers, which only shows an AV process running around that time, but it doesn't appear to be using 445. I did call the vendor and they've confirmed that it should NOT be using 445, so they don't think it's their product.
What's weird is we did see a file server...
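The SIEM search described in the post (port 445 to anything that is not an expected SMB server) can be reproduced offline and extended with the two things the analyst was doing by hand: separating "no data sent" connections from ones that carried payload, and counting how many distinct unexpected peers each source host touched. The following is an added example, not code from the original post or from any SIEM product; the log format, the `EXPECTED_SMB_SERVERS` allowlist, and all addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample connection records (not from the original post), in a simple
# key=value format such as a firewall or flow collector might export.
SAMPLE_LOG = """\
2024-05-01T09:58:12Z src=10.0.1.15 dst=10.0.0.5 dport=445 proto=tcp bytes=18240
2024-05-01T09:59:03Z src=10.0.1.15 dst=10.0.1.22 dport=445 proto=tcp bytes=0
2024-05-01T09:59:05Z src=10.0.1.15 dst=10.0.1.23 dport=445 proto=tcp bytes=0
2024-05-01T09:59:07Z src=10.0.1.15 dst=10.0.1.24 dport=445 proto=tcp bytes=0
2024-05-01T10:01:44Z src=10.0.3.8 dst=10.0.1.22 dport=445 proto=tcp bytes=1320
2024-05-01T10:02:10Z src=10.0.1.22 dst=10.0.0.6 dport=389 proto=tcp bytes=512
2024-05-01T10:03:00Z src=10.0.1.22 dst=10.0.0.5 dport=445 proto=tcp bytes=4096
"""

# Assumed allowlist: the hosts that legitimately serve SMB (file server, domain
# controllers). Placeholder addresses; in practice this comes from your CMDB/AD.
EXPECTED_SMB_SERVERS = {"10.0.0.5", "10.0.0.6"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_unexpected_smb(log_text, expected_servers=EXPECTED_SMB_SERVERS):
    """Return port-445 connections whose destination is not an expected SMB server.

    Each returned record gets a 'no_data' flag so zero-byte sessions (the
    "No Data Sent" cases from the PCAPs) can be told apart from real transfers.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != 445:
            continue
        if rec["dst"] in expected_servers:
            continue  # expected file server / DC traffic, not an alert
        rec["no_data"] = rec["bytes"] == 0
        hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Per source host: distinct unexpected SMB peers and the no-data / with-data split.

    One host touching many peers with zero-byte sessions looks like probing or a
    scanner; a single session with payload is more likely a real (mis)configured share.
    """
    acc = defaultdict(lambda: {"peers": set(), "no_data": 0, "with_data": 0})
    for rec in hits:
        s = acc[rec["src"]]
        s["peers"].add(rec["dst"])
        if rec["no_data"]:
            s["no_data"] += 1
        else:
            s["with_data"] += 1
    return {
        src: {"peer_count": len(v["peers"]), "no_data": v["no_data"], "with_data": v["with_data"]}
        for src, v in acc.items()
    }


if __name__ == "__main__":
    hits = find_unexpected_smb(SAMPLE_LOG)
    for rec in hits:
        tag = "NO DATA" if rec["no_data"] else f"{rec['bytes']} bytes"
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:445 [{tag}]")
    for src, s in summarize_by_source(hits).items():
        print(f"{src}: {s['peer_count']} unexpected peer(s), "
              f"{s['no_data']} no-data, {s['with_data']} with-data")
```

On the constructed input the raw search returns four alerts, but the summary shows they are really two stories: one workstation hitting three neighbours with zero-byte sessions in quick succession, and one host making a single session that actually carried data. Pivoting on the source host and on the no-data/with-data split is what lets you correlate each story against the Sysmon process data (which process on the source opened the outbound 445 connection) rather than triaging each alert in isolation.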