RPC (Remote Procedure Call) from the Internet
This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/02/18"
3integration = ["network_traffic"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/08/17"
8
9[rule]
10author = ["Elastic"]
11description = """
12This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by
13system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
14directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
15backdoor vector.
16"""
17from = "now-9m"
18index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
19language = "kuery"
20license = "Elastic License v2"
21name = "RPC (Remote Procedure Call) from the Internet"
22references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
23risk_score = 73
24rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
25severity = "high"
26tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
27timestamp_override = "event.ingested"
28type = "query"
29
30query = '''
31(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
32 network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and
33 not source.ip:(
34 10.0.0.0/8 or
35 127.0.0.0/8 or
36 169.254.0.0/16 or
37 172.16.0.0/12 or
38 192.0.0.0/24 or
39 192.0.0.0/29 or
40 192.0.0.8/32 or
41 192.0.0.9/32 or
42 192.0.0.10/32 or
43 192.0.0.170/32 or
44 192.0.0.171/32 or
45 192.0.2.0/24 or
46 192.31.196.0/24 or
47 192.52.193.0/24 or
48 192.168.0.0/16 or
49 192.88.99.0/24 or
50 224.0.0.0/4 or
51 100.64.0.0/10 or
52 192.175.48.0/24 or
53 198.18.0.0/15 or
54 198.51.100.0/24 or
55 203.0.113.0/24 or
56 240.0.0.0/4 or
57 "::1" or
58 "FE80::/10" or
59 "FF00::/8"
60 ) and
61 destination.ip:(
62 10.0.0.0/8 or
63 172.16.0.0/12 or
64 192.168.0.0/16
65 )
66'''
67
68
69[[rule.threat]]
70framework = "MITRE ATT&CK"
71[[rule.threat.technique]]
72id = "T1190"
73name = "Exploit Public-Facing Application"
74reference = "https://attack.mitre.org/techniques/T1190/"
75
76
77[rule.threat.tactic]
78id = "TA0001"
79name = "Initial Access"
80reference = "https://attack.mitre.org/tactics/TA0001/"
References
-
0.0.0.0/8 "This network" [RFC791], Section 3.2 1981-09 N/A True False False False True 0.0.0.0/32 "This host on this network" [RFC1122], Section 3.2.1.3 1981-09 N/A True False False False True 10.0...
Read More
Related rules
- Accepted Default Telnet Port Connection
- RPC (Remote Procedure Call) to the Internet
- SMB (Windows File Sharing) Activity to the Internet
- Unusual Linux Username
- Unusual Windows Remote User