RPC (Remote Procedure Call) to the Internet

This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.

Elastic rule (View on GitHub)

# Rule-management metadata consumed by the detection-rules tooling; none of
# these keys take part in the detection logic itself.
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic"]
maturity = "production"
# Records why min_stack_version was raised. The fields it names
# (required_fields, related_integrations, setup) do not appear in this
# listing -- presumably omitted by the page rendering; verify against the
# repository copy of the rule.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/17"


[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
backdoor vector.
"""
# Lookback window for each rule execution; because of timestamp_override
# below, the window is applied to event.ingested rather than @timestamp.
from = "now-9m"
# Index patterns the query runs against: Beats network data plus the
# network_traffic integration named in [metadata].
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
language = "kuery"
license = "Elastic License v2"
name = "RPC (Remote Procedure Call) to the Internet"
# The IANA special-purpose registry is the source of the IPv4 ranges excluded
# from destination.ip in the query below.
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
# Keep risk_score and severity in step: 73 is the score this rule set
# conventionally pairs with severity = "high".
risk_score = 73
rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
severity = "high"
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
# Use ingest time for the rule's time range so late-arriving events are not
# missed by the short "from" window above.
timestamp_override = "event.ingested"
type = "query"

# Detection logic. Matches TCP network events destined to port 135 (the MS-RPC
# endpoint mapper) -- or any event from the Zeek dce_rpc dataset -- whose
# source is an RFC 1918 address and whose destination is NOT one of the
# excluded private / special-purpose ranges, i.e. RPC leaving the internal
# network for the Internet. Notes for reviewers:
#  - Only destination port 135 is matched directly; RPC on dynamically
#    allocated ports is covered solely through event.dataset:zeek.dce_rpc.
#  - 192.0.0.0/24 already contains 192.0.0.0/29 and the 192.0.0.x/32 entries,
#    so those narrower exclusions are redundant but harmless.
#  - source.ip is restricted to IPv4 RFC 1918 space, so the IPv6 exclusions
#    (::1, FE80::/10, FF00::/8) are defensive only.
#  - 0.0.0.0/8 and 255.255.255.255/32 from the referenced IANA registry are
#    not excluded -- TODO(review): confirm whether that is intentional.
# KQL has no comment syntax, so keep all annotations out of the string itself.
query = '''
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
  network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and
  source.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  ) and
  not destination.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  )
'''


# MITRE ATT&CK mapping: Internet-exposed RPC is treated as an initial-access
# vector via exploitation of a public-facing service.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
