• This host is making RPC calls to a large number of other hosts
  • The number of hosts being contacted far exceeds the number of hosts normally contacted as observed on this network

Possible Root Causes

  • An attacker is active inside the network and is mining information from individual hosts in order to build a better map of assets in the network
  • The information mined can include which accounts are currently or recently logged on to which hosts, which tells the attacker where privileged account credentials can be harvested
  • An admin is completing authorized system management activity
  • Endpoint management software installed on a central server is performing periodic system management activity
  • Specialized hardware, including IoT, is utilizing RPC for peer discovery and identification

Business Impact

  • A scan of neighboring hosts’ information is an effective way for an attacker to complete a detailed map of what happens where inside the target organization’s network
  • Reconnaissance within a network is a precursor to active attacks, which ultimately expose an organization to substantial risk of data acquisition and exfiltration
  • This form of reconnaissance is far less noticeable than a port sweep or a port scan, so attackers treat it as carrying relatively little risk of detection

Steps to Verify

  • Examine the local logs on the host making the RPC queries for a more detailed view of activity by this host
  • Inquire whether the host should be contacting the hosts listed in the detection
  • If the behavior continues and remains unexplained, determine which process on the internal host is establishing the connections over which the RPC requests are made; on Windows systems, this can be done by combining netstat -ano (which lists each connection with the PID that owns it) with tasklist (which maps that PID to a process name and, with /svc, to the services hosted in it)
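The third verification step, carried out as an added example (this is not script from the original page or from the product it describes): the PowerShell equivalent of pairing netstat -ano with tasklist, run on the host named in the detection. It samples outbound TCP connections to the RPC endpoint mapper (135) and the SMB named-pipe transport (445) repeatedly, because individual RPC connections are short-lived and a single snapshot usually misses them, then resolves each owning PID to a process and counts the distinct remote hosts per process. The port list, the sampling parameters and the threshold of 20 distinct hosts are assumptions for illustration; the threshold in particular should be replaced with the baseline observed on your own network.

```powershell
# Added example: attribute outbound RPC connections on a Windows host to the
# process that owns them (equivalent of netstat -ano + tasklist).
# Assumptions (not from the original page): run in an elevated session on the
# host that the detection named; RPC/TCP starts with a connection to the
# endpoint mapper on 135 and RPC over SMB named pipes uses 445, so one hit on
# either port per target is enough to count that target as contacted.
param(
    [int[]] $RpcPorts = @(135, 445),      # assumed RPC transports to watch
    [int]   $Samples = 15,                # number of connection-table snapshots
    [int]   $IntervalSeconds = 2,         # pause between snapshots
    [int]   $DistinctHostThreshold = 20   # assumed; replace with this network's baseline
)

# Accumulate across snapshots, keyed on "pid|remote", since RPC sockets close quickly.
$seen = @{}

for ($i = 0; $i -lt $Samples; $i++) {
    # -ErrorAction SilentlyContinue: the cmdlet errors rather than returning
    # nothing when no connection matches the filter.
    Get-NetTCPConnection -RemotePort $RpcPorts -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1', '0.0.0.0') } |
        ForEach-Object {
            $key = "$($_.OwningProcess)|$($_.RemoteAddress)"
            if (-not $seen.ContainsKey($key)) {
                # Resolve the PID while the process is still alive; this is what
                # tasklist /FI "PID eq <n>" would report.
                $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                $seen[$key] = [pscustomobject]@{
                    OwnerPid  = $_.OwningProcess
                    Process   = if ($p) { $p.ProcessName } else { '<exited>' }
                    Path      = if ($p) { $p.Path } else { $null }
                    Remote    = $_.RemoteAddress
                    FirstSeen = Get-Date
                }
            }
        }
    Start-Sleep -Seconds $IntervalSeconds
}

# One row per process: how many distinct hosts it reached over the RPC ports.
$report = $seen.Values | Group-Object OwnerPid | ForEach-Object {
    $hosts = @($_.Group.Remote | Sort-Object -Unique)
    [pscustomobject]@{
        OwnerPid      = $_.Name
        Process       = $_.Group[0].Process
        Path          = $_.Group[0].Path
        DistinctHosts = $hosts.Count
        SampleHosts   = ($hosts | Select-Object -First 5) -join ', '
        Flag          = if ($hosts.Count -ge $DistinctHostThreshold) { 'EXCEEDS BASELINE' } else { '' }
    }
} | Sort-Object DistinctHosts -Descending

$report | Format-Table -AutoSize
```

Two caveats when reading the output. A row whose process is svchost.exe identifies only the host process, not the caller; pair the PID with tasklist /svc or Get-CimInstance Win32_Service -Filter "ProcessId=<pid>" to see which services live in it. And a process that is legitimately expected to fan out (an endpoint management agent, a vulnerability scanner, an admin's console session) will exceed the threshold by design, which is exactly the authorized-activity root cause listed above, so the path and the account running the process matter more than the count alone.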