From time to time we see an incident pop up on an asset (with an agent) that detects protocol poisoning: NetBIOS from 0.0.0.0 with a random query.
Has anyone any idea how to investigate this and what it exactly means? Help would be appreciated.
Several possibilities for 0.0.0.0:
- “any/all interfaces on the local machine” (e.g. many server apps may bind to 0.0.0.0)
- device not connected to a network
- DHCP request from a device which hasn’t yet been assigned an IP address
- maybe other things
A few questions which might help you/someone narrow down what’s going on here:
- Is it only this one asset where the issue is detected?
- Does the detection of NetBIOS poisoning coincide with DHCP lease renewal on the asset?
- What makes you describe the request as random? Could you share any further details?
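As an added illustration (not part of the thread), one way to work through the first two questions above: correlate each host's NetBIOS-poisoning alerts with its DHCP DISCOVER events, so alerts fired while the host was still waiting for a lease are separated from the ones that deserve a closer look. The log format, host names and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original thread). Each line is
# "timestamp,host,event", merged from the agent alert feed and the DHCP log.
SAMPLE_EVENTS = """\
2024-03-01T08:00:02,WS-017,dhcp_discover
2024-03-01T08:00:09,WS-017,netbios_poisoning_src_0.0.0.0
2024-03-01T11:30:00,WS-017,netbios_poisoning_src_0.0.0.0
2024-03-01T12:00:01,WS-017,dhcp_discover
2024-03-01T12:00:05,WS-017,netbios_poisoning_src_0.0.0.0
2024-03-01T14:15:00,WS-042,netbios_poisoning_src_0.0.0.0
"""

ALERT = "netbios_poisoning_src_0.0.0.0"   # hypothetical alert name
DHCP = "dhcp_discover"                    # hypothetical DHCP log event


def parse_events(text):
    """Parse the constructed CSV lines into (datetime, host, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, event = line.split(",")
        events.append((datetime.fromisoformat(ts), host, event))
    return events


def affected_hosts(events):
    """Answer 'is it only this one asset?': hosts that raised the alert."""
    return sorted({host for _, host, ev in events if ev == ALERT})


def correlate(events, window=timedelta(seconds=30)):
    """Per host, count alerts within `window` of a DHCP DISCOVER (host had no
    address yet, so a 0.0.0.0 source is expected) versus alerts with no DHCP
    activity nearby (unexplained; investigate the network the host was on)."""
    dhcp_times = defaultdict(list)
    for ts, host, ev in events:
        if ev == DHCP:
            dhcp_times[host].append(ts)

    result = defaultdict(lambda: {"dhcp_adjacent": 0, "unexplained": 0})
    for ts, host, ev in events:
        if ev != ALERT:
            continue
        near_dhcp = any(abs((ts - d).total_seconds()) <= window.total_seconds()
                        for d in dhcp_times[host])
        result[host]["dhcp_adjacent" if near_dhcp else "unexplained"] += 1
    return dict(result)
```

In the sample, two of WS-017's alerts sit seconds after a DISCOVER and are the lease-renewal case; the 11:30 alert and the one on WS-042 have no DHCP activity nearby and are the ones to chase.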
I have also seen this alert fire many times when an endpoint is connected to a non-managed wifi network that has some misconfigurations in it. It was always something I asked the customer: “Is the asset connected to a public wifi? If it is, have them disconnect.”