RPC (Remote Procedure Call) to the Internet

This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.

Elastic rule

```toml
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
backdoor vector.
"""
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "RPC (Remote Procedure Call) to the Internet"
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 73
rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
severity = "high"
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
  network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and
  source.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  ) and
  not destination.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating RPC (Remote Procedure Call) to the Internet

RPC enables remote management and resource sharing across networks, crucial for system administration. However, when exposed to the Internet, it becomes a target for attackers seeking initial access or backdoor entry. The detection rule identifies suspicious RPC traffic from internal IPs to external networks, flagging potential exploitation attempts by monitoring specific ports and IP ranges.

### Possible investigation steps

- Review the source IP address from the alert to identify the internal system initiating the RPC traffic. Check if this IP belongs to a known or authorized device within the network.
- Examine the destination IP address to determine if it is a known or suspicious external entity. Use threat intelligence sources to assess if the IP has been associated with malicious activity.
- Analyze the network traffic logs for the specific event.dataset values (network_traffic.flow or zeek.dce_rpc) to gather more context about the nature and volume of the RPC traffic.
- Investigate the destination port, specifically port 135, to confirm if the traffic is indeed RPC-related and assess if there are any legitimate reasons for this communication.
- Check for any recent changes or anomalies in the network configuration or system settings of the source IP that might explain the unexpected RPC traffic.
- Correlate this alert with other security events or logs to identify any patterns or additional indicators of compromise that might suggest a broader attack campaign.

### False positive analysis

- Internal testing environments may generate RPC traffic to external IPs for legitimate purposes. Identify and document these environments, then create exceptions in the detection rule to prevent unnecessary alerts.
- Cloud-based services or applications that require RPC communication for integration or management might trigger false positives. Review these services and whitelist their IP addresses if they are verified as non-threatening.
- VPN or remote access solutions that use RPC for secure connections can be mistaken for suspicious activity. Ensure that the IP ranges of these solutions are excluded from the rule to avoid false alerts.
- Automated backup or synchronization tools that use RPC to communicate with external servers could be flagged. Verify these tools and add their destination IPs to an exception list if they are part of routine operations.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Conduct a thorough analysis of the affected system to identify any unauthorized changes or installed backdoors, focusing on processes and services related to RPC.
- Revoke any compromised credentials and enforce a password reset for all accounts that may have been accessed or used during the incident.
- Apply necessary patches and updates to the affected system and any other systems with similar vulnerabilities to mitigate the risk of exploitation.
- Monitor network traffic for any signs of lateral movement or additional suspicious activity, particularly focusing on RPC-related traffic.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced logging and monitoring for RPC traffic to detect and respond to similar threats more effectively in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
...
```
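To make the query's matching logic concrete, and to show how the exceptions recommended under "False positive analysis" fit in, here is an added Python re-implementation of the rule's KQL filter, run over a handful of constructed flow records. It is example code written for this page, not part of the Elastic rule or its tooling. The internal source ranges and the excluded destination ranges are copied verbatim from the query; the event dictionaries, their `id` field, the `11.22.33.x` public addresses and the `triage` helper with its exception list are all assumptions made for the demonstration. The example also goes slightly beyond the page in one respect: it feeds in an IPv6 ULA source to show that, as written, the rule's `source.ip` clause lists only the RFC 1918 IPv4 ranges, so IPv6-sourced RPC traffic never matches.

```python
"""Re-implementation of the "RPC (Remote Procedure Call) to the Internet" KQL
query in plain Python (added example, not Elastic's own code)."""
import ipaddress

# Source ranges the rule treats as "internal" (copied from the query's source.ip clause).
INTERNAL_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destination ranges the rule never alerts on (copied from the query's `not destination.ip` clause).
EXCLUDED_DESTINATIONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
    "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
    "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
    "::1", "FE80::/10", "FF00::/8")]


def _in_any(ip, networks):
    """True if `ip` falls inside any network in the list (v4/v6 mismatches never match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def matches_rule(event):
    """Evaluate every clause of the rule's query against one ECS-style event dict."""
    dataset = event.get("event.dataset", "")
    categories = event.get("event.category", [])
    if isinstance(categories, str):          # KQL matches scalar or array fields alike
        categories = [categories]
    in_scope = dataset == "network_traffic.flow" or any(
        c in ("network", "network_traffic") for c in categories)
    if not in_scope or event.get("network.transport") != "tcp":
        return False
    # RPC is identified either by the endpoint mapper port or by Zeek's DCE/RPC dataset.
    if not (event.get("destination.port") == 135 or dataset == "zeek.dce_rpc"):
        return False
    return (_in_any(event["source.ip"], INTERNAL_SOURCES)
            and not _in_any(event["destination.ip"], EXCLUDED_DESTINATIONS))


def triage(events, exceptions=()):
    """Apply the rule, then drop hits whose destination is on an analyst-maintained
    exception list (the mechanism the false-positive section recommends). Assumed helper."""
    allow = [ipaddress.ip_network(n) for n in exceptions]
    return [e for e in events
            if matches_rule(e) and not _in_any(e["destination.ip"], allow)]


# Constructed sample events; 11.22.33.0/24 stands in for arbitrary public addresses.
SAMPLE_EVENTS = [
    {"id": "A", "event.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "10.1.2.3", "destination.ip": "11.22.33.44", "destination.port": 135},
    {"id": "B", "event.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "10.1.2.3", "destination.ip": "10.9.8.7", "destination.port": 135},   # internal dst
    {"id": "C", "event.category": ["network"], "network.transport": "tcp",
     "source.ip": "192.168.1.20", "destination.ip": "11.22.33.44", "destination.port": 445},  # SMB, not RPC
    {"id": "D", "event.dataset": "zeek.dce_rpc", "event.category": "network", "network.transport": "tcp",
     "source.ip": "172.16.5.5", "destination.ip": "11.22.33.45", "destination.port": 49152},  # dynamic RPC port
    {"id": "E", "event.dataset": "network_traffic.flow", "network.transport": "udp",
     "source.ip": "10.0.0.5", "destination.ip": "11.22.33.44", "destination.port": 135},   # not TCP
    {"id": "F", "event.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "11.22.33.44", "destination.ip": "10.1.2.3", "destination.port": 135},   # inbound, not outbound
    {"id": "G", "event.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "fd00::1", "destination.ip": "2001:db8::1", "destination.port": 135},   # IPv6 ULA source
]

if __name__ == "__main__":
    print("alerts:", [e["id"] for e in triage(SAMPLE_EVENTS)])
    print("after exception:", [e["id"] for e in triage(SAMPLE_EVENTS, exceptions=["11.22.33.45/32"])])
```

Running it yields alerts for A (port 135 to a public address) and D (Zeek DCE/RPC on a dynamic port), while B, C, E and F fail one clause each; G shows the IPv6 gap noted above. Adding `11.22.33.45/32` to the exception list suppresses D alone, which is the narrow, destination-scoped exception the false-positive guidance calls for rather than a blanket change to the query.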
