RPC (Remote Procedure Call) from the Internet

This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
backdoor vector.
"""
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "RPC (Remote Procedure Call) from the Internet"
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 73
rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
severity = "high"
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
  network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and
  not source.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  ) and
  destination.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating RPC (Remote Procedure Call) from the Internet

RPC enables remote management and resource sharing, crucial for system administration. However, when exposed to the Internet, it becomes a target for attackers seeking initial access or backdoor entry. The detection rule identifies suspicious RPC traffic by monitoring TCP port 135 and filtering out internal IP addresses, flagging potential threats from external sources.

### Possible investigation steps

- Review the source IP address of the alert to determine if it is from a known malicious actor or if it has been flagged in previous incidents.
- Check the destination IP address to confirm it belongs to a critical internal system that should not be exposed to the Internet.
- Analyze network traffic logs to identify any unusual patterns or volumes of traffic associated with the source IP, focusing on TCP port 135.
- Investigate any related alerts or logs from the same source IP or destination IP to identify potential patterns or repeated attempts.
- Assess the potential impact on the affected system by determining if any unauthorized access or changes have occurred.
- Consult threat intelligence sources to gather additional context on the source IP or any related indicators of compromise.

### False positive analysis

- Internal testing or development environments may generate RPC traffic that appears to originate from external sources. To manage this, add the IP addresses of these environments to the exception list in the detection rule.
- Legitimate remote management activities by trusted third-party vendors could trigger the rule. Verify the IP addresses of these vendors and include them in the exception list if they are known and authorized.
- Misconfigured network devices or proxies might route internal RPC traffic through external IP addresses. Review network configurations to ensure proper routing and add any necessary exceptions for known devices.
- Cloud-based services or applications that use RPC for legitimate purposes might be flagged. Identify these services and adjust the rule to exclude their IP ranges if they are verified as non-threatening.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.
- Conduct a thorough examination of the system logs and network traffic to identify any unauthorized access or data exfiltration attempts.
- Apply the latest security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
- Change all administrative and user credentials on the affected system and any other systems that may have been accessed using the same credentials.
- Implement network segmentation to limit the exposure of critical systems and services, ensuring that RPC services are not accessible from the Internet.
- Monitor the network for any signs of re-infection or further suspicious activity, focusing on traffic patterns similar to those identified in the initial alert.
- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to determine if additional systems are compromised."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
...
```
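The KQL query above is easy to misread when tuning it: the source must fall outside every listed special-purpose range (including the documentation ranges such as 203.0.113.0/24, so a flow from one of those never fires), the destination must be RFC 1918 space, and a flow qualifies either by TCP/135 or by the `zeek.dce_rpc` dataset regardless of port. The following Python is an added example written here to make that logic testable offline; it is not Elastic's code and not how the rule engine evaluates KQL. It assumes flat ECS-style event dicts, uses constructed sample flows (the addresses and labels are hypothetical), and adds an `extra_exclusions` parameter that mirrors the exception-list tuning the false-positive section of the investigation guide recommends.

```python
import ipaddress
from typing import Any, Dict, Iterable, List, Optional

# Source ranges the rule excludes, copied verbatim from its `not source.ip:(...)` clause.
EXCLUDED_SOURCE_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
    "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
    "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
    "::1", "FE80::/10", "FF00::/8",
)]

# Destination ranges the rule requires (RFC 1918), from its `destination.ip:(...)` clause.
PRIVATE_DESTINATION_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]


def ip_in_any(ip_str: str, networks: Iterable[ipaddress._BaseNetwork]) -> bool:
    """True when ip_str falls inside any network of the same IP version."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip.version == net.version and ip in net for net in networks)


def as_list(value: Any) -> List[Any]:
    """ECS event.category may be a string or an array; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_rule(event: Dict[str, Any],
                 extra_exclusions: Optional[Iterable[str]] = None) -> bool:
    """Re-implementation (assumption, not Elastic's evaluator) of the rule's KQL.

    extra_exclusions is a hypothetical tuning hook: CIDRs of authorised vendors
    or test environments that an analyst would add to the rule's exception list.
    """
    dataset = event.get("event.dataset")
    categories = set(as_list(event.get("event.category")))
    is_flow = dataset == "network_traffic.flow" or bool(categories & {"network", "network_traffic"})
    if not is_flow or event.get("network.transport") != "tcp":
        return False
    # Either the endpoint-mapper port or a Zeek DCE/RPC record on any port.
    if not (event.get("destination.port") == 135 or dataset == "zeek.dce_rpc"):
        return False
    src, dst = event.get("source.ip"), event.get("destination.ip")
    if src is None or dst is None:
        return False
    exclusions = list(EXCLUDED_SOURCE_RANGES)
    exclusions += [ipaddress.ip_network(c) for c in (extra_exclusions or [])]
    if ip_in_any(src, exclusions):
        return False
    return ip_in_any(dst, PRIVATE_DESTINATION_RANGES)


def flow(src: str, dst: str, port: int, transport: str = "tcp",
         dataset: str = "network_traffic.flow", category: Any = "network") -> Dict[str, Any]:
    """Build a minimal ECS-style flow event (constructed sample data)."""
    return {"event.dataset": dataset, "event.category": category,
            "network.transport": transport, "source.ip": src,
            "destination.ip": dst, "destination.port": port}


# Constructed sample flows; 203.0.114.7 is just outside the excluded 203.0.113.0/24 block.
SAMPLE_EVENTS = [
    ("public-to-private-135", flow("203.0.114.7", "10.20.30.40", 135)),
    ("documentation-range-source", flow("203.0.113.9", "10.20.30.40", 135)),
    ("internal-to-internal", flow("192.168.1.10", "10.0.0.5", 135)),
    ("zeek-dce-rpc-dynamic-port", flow("203.0.114.7", "172.20.1.3", 49666,
                                       dataset="zeek.dce_rpc", category=["network"])),
    ("public-to-public-135", flow("203.0.114.7", "203.0.114.9", 135)),
    ("udp-135", flow("203.0.114.7", "10.20.30.40", 135, transport="udp")),
    ("ipv6-link-local-source", flow("fe80::1", "10.1.1.1", 135)),
    ("smb-445", flow("203.0.114.7", "10.20.30.40", 445)),
]


def hits(extra_exclusions: Optional[Iterable[str]] = None) -> List[str]:
    """Labels of the sample events that would raise an alert."""
    return [label for label, ev in SAMPLE_EVENTS if matches_rule(ev, extra_exclusions)]


if __name__ == "__main__":
    for label in hits():
        print("ALERT", label)
    # Tuning: excluding a hypothetical authorised vendor range silences both hits.
    print("after exception:", hits(extra_exclusions=["203.0.114.0/24"]))
```

Run as-is, only `public-to-private-135` and `zeek-dce-rpc-dynamic-port` fire; the documentation-range, internal-only, UDP, link-local and public-destination flows are all dropped by one of the query's clauses. Passing a vendor CIDR through `extra_exclusions` shows the effect of adding an exception, which is the tuning step the guide describes.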