The "RPC Targeted Recon" detection focuses on identifying attempts to gather information about network resources and services using the Remote Procedure Call (RPC) protocol. RPC is widely used for communication between systems, and attackers often exploit it to enumerate and discover details about network shares, services, users, and other resources. Detecting RPC targeted reconnaissance is crucial to prevent potential privilege escalation, lateral movement, and further exploitation within the network.
Attackers, when they get into the environment, they connect their C2 and begin controlling an internal host. That host won't really know anything about the environment and also will perform port scans and port sweeps to recon the environment to find out what machines are available what subnets are active and what ports are open on different hosts.
While these information are valuable to get a general map of the environment, they might not be sufficient for the attackers to know where to go next to execute their goal and objective.
So what they would do in addition to port scans and port sweeps, they are going to ask very direct questions to various hosts in the environment using remote procedures protocols.
The RPC Targeted Recon detection enhances Vectra’s detection capabilities for early stage targeted reconnaissance of another host or of the DC. The RPC commands support a wide range of operations that can allow for an attacker to gain access to information about the environment including details about who owns a host, what information resides on a host, what permissions a host has and what shares are available. Specific function calls are often leveraged when attackers want to dump credentials and escalate their privilege in the network. This detection learns baselines for what clients and servers normally do in the network related to reconnaissance like RPC function calls and then alerts when anomalous calls are made by a host.
Scenario 1: An attacker uses a compromised system to perform RPC enumeration, targeting multiple hosts to gather information about shared resources, user accounts, and services. The detection is triggered by the high volume of RPC requests from a single IP address.
Scenario 2: During a penetration test, the security team runs a script to enumerate network shares and services using RPC. The detection is triggered, and the activity is verified as part of the scheduled assessment.
If this detection indicates a genuine threat, the organization faces significant risks:
Attackers can use gathered information to escalate privileges within the network.
Detailed knowledge of network resources can facilitate lateral movement and further attacks.
Unauthorized access to sensitive information and resources.
RPC targeted reconnaissance involves using the Remote Procedure Call (RPC) protocol to gather information about network resources, services, and user accounts, often as a precursor to further attacks.
Common signs include high-volume RPC requests, enumeration of network shares and services, and RPC traffic from unusual or untrusted sources.
Yes, legitimate administrative tasks, security assessments, or penetration tests can trigger this detection. It’s important to verify the context of the activity.
Vectra AI uses advanced AI algorithms to analyze RPC traffic and identify patterns indicative of reconnaissance, correlating these with other suspicious behaviors.
The primary risks are privilege escalation, lateral movement, data breaches, and operational disruptions, which can lead to significant harm to the organization.
Monitor for unusual or high-volume RPC requests, especially those targeting multiple hosts or services, and analyze traffic patterns that deviate from normal behavior.
It can lead to privilege escalation, lateral movement, unauthorized access to sensitive information, and potential operational disruptions.
Investigate the source of the RPC requests, verify if they are authorized, check for other signs of malicious activity, and secure sensitive information and systems.
Tools like network traffic analyzers, security information and event management (SIEM) systems, and specialized monitoring solutions can help identify and verify RPC reconnaissance activities.
Implement strong access controls, monitor RPC traffic, set up alerts for unusual activity, and regularly audit network configurations and user activity.