RPC (Remote Procedure Call) from the Internet
This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
Elastic rule
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2024/09/18"

[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
backdoor vector.
"""
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "RPC (Remote Procedure Call) from the Internet"
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 73
rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
severity = "high"
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
  network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and
  not source.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  ) and
  destination.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
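The following Python is an added illustration, not code from Elastic or the rule repository: it re-implements the query's predicate over flattened ECS events and runs it on constructed sample flows, so the special-purpose source exclusions and the RFC 1918 destination requirement can be exercised offline. The 203.0.114.x addresses and the event dicts are constructed for the example.

```python
import ipaddress

# Source ranges the rule excludes: RFC 1918, loopback, link-local, IANA special-purpose, multicast,
# shared address space, benchmarking, documentation and reserved blocks, plus IPv6 local scopes.
EXCLUDED_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
    "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
    "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16",
    "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1/128", "fe80::/10", "ff00::/8",
)]
# Destinations the rule requires: the three RFC 1918 blocks.
INTERNAL_DESTINATIONS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_any(ip, networks):
    """True if ip lies in any network; an IPv4/IPv6 version mismatch never matches."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def matches_rule(event):
    """Apply the rule's KQL predicate to one flattened ECS event (dict with dotted keys)."""
    categories = event.get("event.category", [])
    categories = [categories] if isinstance(categories, str) else categories  # ECS: scalar or list
    dataset = event.get("event.dataset")
    is_network = dataset == "network_traffic.flow" or bool({"network", "network_traffic"} & set(categories))
    is_tcp = event.get("network.transport") == "tcp"
    is_rpc = event.get("destination.port") == 135 or dataset == "zeek.dce_rpc"
    src, dst = event.get("source.ip"), event.get("destination.ip")
    if not (is_network and is_tcp and is_rpc and src and dst):
        return False
    return not in_any(src, EXCLUDED_SOURCES) and in_any(dst, INTERNAL_DESTINATIONS)

# Constructed sample events (not real telemetry); 203.0.114.x stands in for routable public sources.
SAMPLE_EVENTS = [
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp", "destination.port": 135,
     "source.ip": "203.0.114.5", "destination.ip": "192.168.10.20"},   # Internet -> internal :135
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp", "destination.port": 135,
     "source.ip": "10.1.2.3", "destination.ip": "192.168.10.20"},      # internal source: excluded
    {"event.dataset": "zeek.dce_rpc", "event.category": ["network"], "network.transport": "tcp",
     "destination.port": 49670, "source.ip": "203.0.114.6", "destination.ip": "10.0.5.5"},  # DCE/RPC, dynamic port
    {"event.dataset": "network_traffic.flow", "network.transport": "udp", "destination.port": 135,
     "source.ip": "203.0.114.7", "destination.ip": "172.16.4.4"},      # not TCP
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp", "destination.port": 135,
     "source.ip": "203.0.114.8", "destination.ip": "203.0.114.9"},     # destination not RFC 1918
]

def alerting_indices(events):
    """Return the index of every event the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]  # SAMPLE_EVENTS -> [0, 2]
```

Note that the zeek.dce_rpc clause fires regardless of destination port, which is why the third sample on a dynamic port still alerts.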
References
Related rules
- Accepted Default Telnet Port Connection
- RPC (Remote Procedure Call) to the Internet
- SMB (Windows File Sharing) Activity to the Internet
- IPSEC NAT Traversal Port Activity
- Possible FIN7 DGA Command and Control Behavior