Discovery
RPC Targeted Recon
Detection overview
The "RPC Targeted Recon" detection focuses on identifying attempts to gather information about network resources and services using the Remote Procedure Call (RPC) protocol. RPC is widely used for communication between systems, and attackers often exploit it to enumerate and discover details about network shares, services, users, and other resources. Detecting RPC targeted reconnaissance is crucial to prevent potential privilege escalation, lateral movement, and further exploitation within the network.
Why attackers use RPC
Attackers, when they get into the environment, they connect their C2 and begin controlling an internal host. That host won't really know anything about the environment and also will perform port scans and port sweeps to recon the environment to find out what machines are available what subnets are active and what ports are open on different hosts.
While these information are valuable to get a general map of the environment, they might not be sufficient for the attackers to know where to go next to execute their goal and objective.
So what they would do in addition to port scans and port sweeps, they are going to ask very direct questions to various hosts in the environment using remote procedures protocols.
The RPC Targeted Recon detection enhances Vectra’s detection capabilities for early stage targeted reconnaissance of another host or of the DC. The RPC commands support a wide range of operations that can allow for an attacker to gain access to information about the environment including details about who owns a host, what information resides on a host, what permissions a host has and what shares are available. Specific function calls are often leveraged when attackers want to dump credentials and escalate their privilege in the network. This detection learns baselines for what clients and servers normally do in the network related to reconnaissance like RPC function calls and then alerts when anomalous calls are made by a host.
Triggers
- This host is making one or more RPC function calls indicative of information gathering to one or more other hosts
- The RPC function calls related to information gathering being made differ from ones normally made by this host or received by the target host
Possible Root Causes
- An attacker is active inside the network and is mining information from individual hosts in order to better understand the usefulness of the target host to furthering the attack
- The information mined may include recently logged on accounts, running services, available network shares, or password hashes
- An admin is completing authorized system management activity
- Endpoint management software installed on a central server is performing periodic system • management activity
- Specialized hardware, including IoT, is utilizing RPC for peer discovery and identification
Business Impact
- Retrieval of a key host’s information is an effective way for an attacker to further a “low-andslow” attack on an organization’s network
- Reconnaissance within a network is a precursor to active attacks which ultimately exposes an organization to substantial risk of data acquisition and exfiltration
- This form of reconnaissance is often a lot less noticeable than a port sweep, a port scan, or even the widespread use of RPCs to many hosts, so attackers feel they can use it with relatively little risk of detection
How to detects RPC recon with Vectra AI
Types of questions attackers using RPC are asking
- What group memberships are set?
This is key for an attacker to understand the environment as a whole and knowing where users will connect within the environment. This is underpinned by the SamrGetMembersInGroup function call. - What shared resources are present on this machine?
This allows the attacker to understand if there is valuable resources on that target, like sensitive files that may be the objective of the attacker. This is done using the NetrShareEnum command. - Let me be the Domain Controller
The most dangerous and malicious example where the attacker does not ask a question but make a statement enabling him to impersonate the domain controller. This is part of a DCShadow attack that can be achieved through Mimikatz to gain expansive access to the environment. This can be done via various commands including the DRSReplicaAdd function.
RPC Targeted Recon
Possible root causes
Malicious Detection
- An attacker is performing reconnaissance to gather information about the network for further exploitation.
- Use of automated tools or scripts to enumerate services and resources using RPC.
- Insider threat where an employee is intentionally gathering information about network resources for malicious purposes.
Benign Detection
- Legitimate administrative tasks involving network resource discovery and management.
- Security assessments or penetration tests involving RPC-based reconnaissance.
- Misconfigured systems or applications generating high-volume RPC requests.
RPC Targeted Recon
Example scenarios
Scenario 1: An attacker uses a compromised system to perform RPC enumeration, targeting multiple hosts to gather information about shared resources, user accounts, and services. The detection is triggered by the high volume of RPC requests from a single IP address.
Scenario 2: During a penetration test, the security team runs a script to enumerate network shares and services using RPC. The detection is triggered, and the activity is verified as part of the scheduled assessment.
The RPC Targeted Recon detection in action
See below how the Lapsus$ ransomware group uses MFA bypass to breach into corporate networks and learn why AI-driven detections are essential to finding similar attacks.
RPC Targeted Recon
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Privilege Escalation
Attackers can use gathered information to escalate privileges within the network.
Lateral Movement
Detailed knowledge of network resources can facilitate lateral movement and further attacks.
Data Breach
Unauthorized access to sensitive information and resources.
RPC Targeted Recon
Steps to investigate
Review RPC Traffic Logs
- Check logs for unusual or high-volume RPC requests, including timestamps, source IP addresses, and targeted services.
- Identify any patterns of enumeration or resource discovery activities.
Correlate with User Activity
- Verify if the RPC requests are associated with legitimate administrative tasks or business processes.
- Check for recent changes in user behavior, access patterns, or account privileges.
Examine Tools and Scripts
- Look for the presence of known RPC enumeration tools or scripts.
- Review any automated tasks or processes that may be causing the RPC reconnaissance activities.
Conduct a Threat Hunt
- Search for other indicators of compromise or malicious activity associated with the same user or IP addresses.
- Verify if the detected activity is part of a scheduled security assessment or penetration test.
RPC Targeted Recon
MITRE ATT&CK techniques covered
FAQs
What is RPC targeted reconnaissance?
RPC targeted reconnaissance involves using the Remote Procedure Call (RPC) protocol to gather information about network resources, services, and user accounts, often as a precursor to further attacks.
What are the common signs of RPC targeted recon activities?
Common signs include high-volume RPC requests, enumeration of network shares and services, and RPC traffic from unusual or untrusted sources.
Can legitimate activities trigger the detection of RPC targeted reconnaissance?
Yes, legitimate administrative tasks, security assessments, or penetration tests can trigger this detection. It’s important to verify the context of the activity.
How does Vectra AI detect RPC targeted reconnaissance activities?
Vectra AI uses advanced AI algorithms to analyze RPC traffic and identify patterns indicative of reconnaissance, correlating these with other suspicious behaviors.
What is the business impact of RPC targeted reconnaissance?
The primary risks are privilege escalation, lateral movement, data breaches, and operational disruptions, which can lead to significant harm to the organization.
How can I detect RPC targeted recon activities in my environment?
Monitor for unusual or high-volume RPC requests, especially those targeting multiple hosts or services, and analyze traffic patterns that deviate from normal behavior.
Why is RPC targeted reconnaissance a significant threat?
It can lead to privilege escalation, lateral movement, unauthorized access to sensitive information, and potential operational disruptions.
What steps should I take if I detect RPC targeted reconnaissance?
Investigate the source of the RPC requests, verify if they are authorized, check for other signs of malicious activity, and secure sensitive information and systems.
What tools can help verify the presence of RPC targeted recon activities?
Tools like network traffic analyzers, security information and event management (SIEM) systems, and specialized monitoring solutions can help identify and verify RPC reconnaissance activities.
How can I prevent unauthorized RPC targeted reconnaissance?
Implement strong access controls, monitor RPC traffic, set up alerts for unusual activity, and regularly audit network configurations and user activity.