Triggers
- An internal host is using the SMB or DCE RPC protocol to make one or more suspicious RPC requests that reference functions related to remote execution of code
- The combination of source host, destination host, user account and RPC UUID has not previously been observed
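The second trigger is a first-seen baseline over the (source host, destination host, user account, RPC UUID) tuple. The following is an added example of that logic, not the detection product's own implementation: it parses a constructed key=value log format, learns the tuples seen in a historical window, and alerts only when a remote-execution interface is requested under a combination that was never observed. The hostnames, accounts and timestamps are made up; the two interface UUIDs are the public svcctl and srvsvc identifiers, and treating only svcctl as a remote-execution interface is an illustrative simplification.

```python
import re
from collections import namedtuple

# Well-known DCE RPC interface UUIDs (public identifiers, not taken from the page).
# Only svcctl is treated as a remote-execution interface here; the set is
# illustrative and a real deployment would maintain a fuller list.
RPC_INTERFACES = {
    "367abb81-9844-35f1-ad32-98f038001003": "svcctl (Service Control Manager)",
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": "srvsvc (Server Service)",
}
REMOTE_EXEC_UUIDS = {"367abb81-9844-35f1-ad32-98f038001003"}

RpcEvent = namedtuple("RpcEvent", "ts src dst user uuid")

# Constructed log format (key=value fields); a real sensor's format will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"user=(?P<user>\S+)\s+uuid=(?P<uuid>[0-9a-fA-F-]{36})\s*$"
)

def parse_line(line):
    """Parse one RPC log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Normalise case so CORP\jdoe and corp\JDOE, or upper/lower-case UUIDs, compare equal.
    return RpcEvent(m["ts"], m["src"], m["dst"], m["user"].lower(), m["uuid"].lower())

def parse_lines(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]

def tuple_key(ev):
    """The combination the trigger baselines on."""
    return (ev.src, ev.dst, ev.user, ev.uuid)

def build_baseline(history):
    """Learn every (src, dst, user, uuid) tuple from a historical window assumed clean."""
    return {tuple_key(ev) for ev in history}

def detect(events, baseline):
    """Alert on remote-execution RPC requests whose tuple has not been seen before.
    The baseline is updated in place, so the same tuple alerts only once."""
    alerts = []
    for ev in events:
        if ev.uuid not in REMOTE_EXEC_UUIDS:
            continue                      # interface is not used for remote execution
        k = tuple_key(ev)
        if k in baseline:
            continue                      # previously observed combination
        baseline.add(k)
        alerts.append({
            "ts": ev.ts, "src": ev.src, "dst": ev.dst, "user": ev.user,
            "interface": RPC_INTERFACES.get(ev.uuid, ev.uuid),
        })
    return alerts

# Constructed sample data: a clean learning window, then the window being evaluated.
HISTORY = """\
2024-05-01T02:10:00Z src=ws-admin01 dst=srv-file01 user=CORP\\svc_sccm uuid=367ABB81-9844-35F1-AD32-98F038001003
2024-05-01T02:10:05Z src=ws-admin01 dst=srv-file01 user=CORP\\svc_sccm uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188
"""
CURRENT = """\
2024-05-02T09:14:03Z src=ws-admin01 dst=srv-file01 user=CORP\\svc_sccm uuid=367abb81-9844-35f1-ad32-98f038001003
2024-05-02T09:20:11Z src=ws-hr-17 dst=srv-file01 user=CORP\\jdoe uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188
2024-05-02T09:20:12Z src=ws-hr-17 dst=srv-file01 user=CORP\\jdoe uuid=367abb81-9844-35f1-ad32-98f038001003
2024-05-02T09:20:40Z src=ws-hr-17 dst=srv-file01 user=CORP\\jdoe uuid=367abb81-9844-35f1-ad32-98f038001003
2024-05-02T09:25:02Z src=ws-hr-17 dst=srv-db02 user=CORP\\jdoe uuid=367abb81-9844-35f1-ad32-98f038001003
malformed line that the parser skips
"""

def run_sample():
    baseline = build_baseline(parse_lines(HISTORY))
    return detect(parse_lines(CURRENT), baseline)

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running the sample produces two alerts: the first svcctl request from ws-hr-17 to srv-file01 as CORP\jdoe, and the later one to srv-db02. The management account's recurring svcctl use, the srvsvc request, and the repeat of an already-alerted tuple are all suppressed, which is the behaviour the second trigger describes.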
Possible Root Causes
- An infected host, a malicious insider or a red team participant who is in control of the host is trying to spread laterally by executing code on systems to which it has connected
- Newly installed software or software that is infrequently used is legitimately making use of remote execution RPCs; this behavior is relatively common for system management software
Business Impact
- Lateral movement via remote execution is a key element of many different attacks and the SMB channel allows both for the copying of executables and the use of RPCs to execute them
- Even systems which are permitted to perform remote execution should be monitored because those systems are the most valuable for an attacker to compromise
Steps to Verify
- Determine whether the internal host in question should be using remote execution RPCs
- Determine whether the user account flagged in the detection is one with administrative privileges and whether that administrator logged into the host which triggered the detection
- Determine whether the user account flagged in the detection is a service account associated with a specific product and whether that product should be running on the host which triggered the detection
- Determine which process on the internal host is initiating the SMB requests that include the RPC request; on Windows systems, this can be done using a combination of the netstat and tasklist commands
- Verify that the process should be running on the internal host and whether the process is configured correctly
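To make the netstat/tasklist step concrete, here is an added example (not part of the original page) that correlates the output of `netstat -ano` and `tasklist` captured on the internal host: it lists every TCP connection to the destination host named in the detection together with the owning process. Both command outputs below are constructed, as are the addresses and process names. One caveat the example handles: on Windows, outbound SMB (port 445) connections are normally owned by PID 4 (System) because the SMB redirector runs in the kernel, so netstat alone cannot attribute them to a user-mode process; the example flags those rows instead of reporting "System" as the answer, while RPC connections to port 135 and the dynamic endpoint ports are owned by the user-mode process and attribute cleanly.

```python
import re

# Regexes for the two command outputs. Only TCP rows are parsed from netstat -ano,
# since the SMB and RPC traffic in question is TCP.
NETSTAT_TCP_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)
# tasklist columns: Image Name, PID, Session Name, Session#, Mem Usage.
# Image names may contain spaces ("System Idle Process"), hence the non-greedy name.
TASKLIST_RE = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def split_endpoint(ep):
    """'10.1.5.40:445' -> ('10.1.5.40', 445); also handles '[::1]:445'."""
    host, port = ep.rsplit(":", 1)
    return host.strip("[]"), int(port)

def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = NETSTAT_TCP_RE.match(line)
        if m:
            rhost, rport = split_endpoint(m["remote"])
            rows.append({"remote_host": rhost, "remote_port": rport,
                         "state": m["state"], "pid": int(m["pid"])})
    return rows

def parse_tasklist(text):
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m["pid"])] = m["name"].strip()
    return procs

def connections_to(dst_host, netstat_text, tasklist_text):
    """Every TCP connection from this host to dst_host, joined to the owning process.
    Port 445 rows owned by PID 4 are flagged: the kernel SMB redirector holds them,
    so the user-mode process behind them needs process or file auditing to identify."""
    procs = parse_tasklist(tasklist_text)
    found = []
    for row in parse_netstat(netstat_text):
        if row["remote_host"] != dst_host:
            continue
        entry = dict(row, process=procs.get(row["pid"], "<unknown>"))
        if row["remote_port"] == 445 and row["pid"] == 4:
            entry["note"] = "SMB via kernel redirector; attribute with process/file auditing"
        found.append(entry)
    return found

# Constructed sample output of "netstat -ano" on the internal host 10.1.20.17.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.1.20.17:49812       10.1.5.40:445          ESTABLISHED     4
  TCP    10.1.20.17:49903       10.1.5.40:135          ESTABLISHED     5216
  TCP    10.1.20.17:49904       10.1.5.40:49670        ESTABLISHED     5216
  TCP    10.1.20.17:50100       10.1.5.77:443          ESTABLISHED     3388
  UDP    0.0.0.0:123            *:*                                    1100
"""
# Constructed sample output of "tasklist" on the same host.
TASKLIST_OUTPUT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0      1,234 K
svchost.exe                    912 Services                   0     12,456 K
chrome.exe                    3388 Console                    1    210,300 K
powershell.exe                5216 Console                    1     85,120 K
"""

if __name__ == "__main__":
    # 10.1.5.40 stands in for the destination host named in the detection.
    for row in connections_to("10.1.5.40", NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        print(row)
```

For the sample, the destination has three connections: the SMB session on 445 (PID 4, flagged), and the endpoint-mapper and dynamic-port RPC connections both owned by powershell.exe, which is the process to verify against the last step above. When the host can be queried live with elevated rights, `netstat -anob` prints the owning executable directly and skips the tasklist join; the parse above is for the common case where only the two plain outputs were captured.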