I am facing a strange situation in a Windows domain environment. There are some file servers initiating connections to PCs. It seems that the servers try to use the SVCCTL (AKA MS-SCMR) protocol to remotely control Windows services on other hosts.
I cannot wrap my head around this behaviour. Why on earth does a file server try to connect to PC clients?
This is the traffic I captured:
- The server starts an SMB2 session to the PC.
- The server sends a Tree Connect Request, Tree: \\pcname.domain.local\IPC$
- The server asks for a couple of Ioctls:
  a. Function: FSCTL_VALIDATE_NEGOTIATE_INFO (0x00140204)
  b. Function: FSCTL_QUERY_NETWORK_INTERFACE_INFO (0x001401fc)
- The server sends a CREATE Request to create a named pipe: svcctl
- The PC replies Create Action: The file existed and was opened (1)
- The server asks for file information: GetInfo Request (0x10) InfoLevel: SMB2_FILE_STANDARD_INFO (0x05)
- The PC replies:
  a. Delete Pending: This object has DELETE PENDING (1)
  b. Is Directory: This is NOT a directory (0)
- The server does a remote procedure call: Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Bind, Fragment: Single, FragLen: 116, Call: 2
- Then the server starts to talk SVCCTL. This protocol is used to remotely control Windows services; it is also known as MS-SCMR (Service Control Manager Remote Protocol).
- The server does a number of queries and the PC replies. The server tries to connect to winmgmt but the server denies access.
- Finally, the server closes the SMB2 session.
Can you give me a hand with this?
Do you know what feature can explain this behaviour?
Regards,
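As an added example (not part of the original post), here is a small correlation script that takes SMB2 events like the ones described above and flags sessions in which a known file server connects to a workstation's IPC$ share and opens the svcctl named pipe, so each such session can be reviewed against the expected management tooling. The event tuple layout, hostnames and the server/workstation inventory are constructed assumptions.

```python
# Added example: correlate constructed SMB2 events into per-session state and
# report sessions matching the capture above (server -> workstation, tree
# connect to IPC$, CREATE of the svcctl pipe). Hostnames and the event format
# are assumed; real logs (e.g. from a sensor) would need their own parser.
from collections import defaultdict

# Constructed sample events: (src, dst, session_id, event, detail)
SAMPLE_EVENTS = [
    ("fs01", "pc17", 1, "tree_connect", r"\\pc17.domain.local\IPC$"),
    ("fs01", "pc17", 1, "ioctl", "FSCTL_VALIDATE_NEGOTIATE_INFO"),
    ("fs01", "pc17", 1, "create", "svcctl"),
    ("fs01", "pc17", 1, "dcerpc_bind", "svcctl"),
    ("fs01", "pc17", 1, "close", ""),
    # Normal client -> server file access; must not be flagged
    ("pc03", "fs01", 2, "tree_connect", r"\\fs01.domain.local\Shares"),
    ("pc03", "fs01", 2, "create", "report.docx"),
    # Server -> workstation IPC$, but a different pipe; must not be flagged
    ("fs01", "pc22", 3, "tree_connect", r"\\pc22.domain.local\IPC$"),
    ("fs01", "pc22", 3, "create", "srvsvc"),
]

SERVERS = {"fs01"}                      # assumed file-server inventory
WORKSTATIONS = {"pc17", "pc22", "pc03"}  # assumed workstation inventory


def find_server_to_client_scm(events, servers=SERVERS, workstations=WORKSTATIONS):
    """Return (src, dst, session_id) for every session in which a host from
    `servers` connected to the IPC$ share of a host in `workstations` and
    then opened the svcctl named pipe (the MS-SCMR endpoint)."""
    state = defaultdict(lambda: {"ipc": False, "svcctl": False})
    for src, dst, sid, event, detail in events:
        key = (src, dst, sid)
        if event == "tree_connect" and detail.upper().endswith("\\IPC$"):
            state[key]["ipc"] = True
        elif event == "create" and detail.lower() == "svcctl":
            state[key]["svcctl"] = True
    return [
        (src, dst, sid)
        for (src, dst, sid), st in state.items()
        if st["ipc"] and st["svcctl"] and src in servers and dst in workstations
    ]


if __name__ == "__main__":
    for src, dst, sid in find_server_to_client_scm(SAMPLE_EVENTS):
        print(f"review: {src} opened svcctl on {dst} (SMB2 session {sid})")
```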