An internal host is using SMB or DCE/RPC to make one or more suspicious RPC requests that reference interface functions used to execute code on a remote system
The combination of source host, destination host, user account and RPC interface UUID has not previously been observed
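The first-seen logic described above, as an added PowerShell example that is not Vectra's detection code: a learning window populates a set of (source, destination, account, RPC interface UUID) tuples, and a request is flagged when it uses a remote-execution interface and its tuple is not in the set. The log records, the account and host names, and the interface table are constructed for illustration; with this sample data only the workstation 10.0.9.44 using SVCCTL against the file server as CORP\jdoe is reported, once.

```powershell
# Added example, not Vectra's detection logic: first-seen check for the
# (source host, destination host, account, RPC interface UUID) tuple.
# Records and the interface table below are constructed for illustration.

# RPC interfaces whose methods start or schedule code on the remote host.
# SVCCTL is the Service Control Manager interface abused by PsExec-style tools
# (create and start a remote service). Treat this table as an assumption to extend.
$RemoteExecInterfaces = @{
    '367abb81-9844-35f1-ad32-98f038001003' = 'SVCCTL (Service Control Manager)'
}
# SRVSVC (share enumeration) appears in the sample data as a non-execution interface.
$SrvSvc = '4b324fc8-1670-01d3-1278-5a47bf6ee188'

function Get-TupleKey {
    param($Record)
    # Normalise case so differently logged UUIDs or account names do not create "new" tuples
    '{0}|{1}|{2}|{3}' -f $Record.Src, $Record.Dst, $Record.User.ToLower(), $Record.Uuid.ToLower()
}

function Find-NewRemoteExecTuples {
    param(
        [object[]]$Baseline,     # records from the learning window
        [object[]]$Observed,     # records to evaluate, in time order
        [hashtable]$Interfaces   # UUID -> friendly name of remote-execution interfaces
    )
    $seen = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($r in $Baseline) { [void]$seen.Add((Get-TupleKey $r)) }

    foreach ($r in $Observed) {
        $uuid = $r.Uuid.ToLower()
        if (-not $Interfaces.ContainsKey($uuid)) { continue }   # not a remote-execution interface
        # HashSet.Add returns $true only the first time the key is seen, so a tuple
        # fires once and then becomes part of the baseline.
        if ($seen.Add((Get-TupleKey $r))) {
            [pscustomobject]@{
                Src       = $r.Src
                Dst       = $r.Dst
                User      = $r.User
                Interface = $Interfaces[$uuid]
            }
        }
    }
}

# Constructed learning-window data: a management service account routinely uses
# SVCCTL from the site server (10.0.5.20) to the file server (10.0.7.11).
$Baseline = @(
    [pscustomobject]@{ Src = '10.0.5.20'; Dst = '10.0.7.11'; User = 'CORP\svc-sccm'; Uuid = '367abb81-9844-35f1-ad32-98f038001003' }
)

# Constructed new traffic: the known tuple again, a share enumeration, and a user
# workstation using SVCCTL against the file server for the first time (twice).
$Observed = @(
    [pscustomobject]@{ Src = '10.0.5.20'; Dst = '10.0.7.11'; User = 'CORP\svc-sccm'; Uuid = '367ABB81-9844-35F1-AD32-98F038001003' }
    [pscustomobject]@{ Src = '10.0.9.44'; Dst = '10.0.7.11'; User = 'CORP\jdoe';     Uuid = $SrvSvc }
    [pscustomobject]@{ Src = '10.0.9.44'; Dst = '10.0.7.11'; User = 'CORP\jdoe';     Uuid = '367abb81-9844-35f1-ad32-98f038001003' }
    [pscustomobject]@{ Src = '10.0.9.44'; Dst = '10.0.7.11'; User = 'CORP\jdoe';     Uuid = '367abb81-9844-35f1-ad32-98f038001003' }
)

Find-NewRemoteExecTuples -Baseline $Baseline -Observed $Observed -Interfaces $RemoteExecInterfaces |
    Format-Table -AutoSize
```

The key design choice is that the baseline is keyed on the full four-field tuple: the same administrator account using SVCCTL from a new source host, or the same host using it against a new destination, is still a first observation, which matches the detection description above.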
Possible Root Causes
An infected host, a malicious insider or a red team participant who is in control of the host is trying to spread laterally by executing code on systems to which it has connected
Newly installed software or software that is infrequently used is legitimately making use of remote execution RPCs; this behavior is relatively common for system management software
Business Impact
Lateral movement via remote execution is a key element of many different attacks, and the SMB channel allows both for copying executables (for example to an administrative share) and for issuing RPCs to execute them
Even systems that are permitted to perform remote execution should be monitored, because those systems are the most valuable for an attacker to compromise
Steps to Verify
Determine whether the internal host in question should be using remote execution RPCs
Determine whether the user account flagged in the detection is one with administrative privileges and whether that administrator logged into the host which triggered the detection
Determine whether the user account flagged in the detection is a service account associated with a specific product and whether that product should be running on the host which triggered the detection
Determine which process on the internal host is initiating the SMB connections that carry the RPC requests; on Windows systems, this can be done by combining netstat -ano (to find the PID that owns the TCP 445 connection to the destination) with tasklist /FI "PID eq <pid>" (to name the process). Note that connections made through the Windows SMB redirector on behalf of tools such as sc.exe or PsExec are owned by the System process (PID 4), in which case the Security log (event 4648 when explicit credentials were supplied) is a better source for the originating process
Verify that the process should be running on the internal host and whether the process is configured correctly
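The verification steps above, as an added PowerShell example that is not part of the original page or Vectra's tooling, run in an elevated PowerShell on the flagged source host. Get-NetTCPConnection and Get-Process replace the netstat/tasklist combination, and the second half pulls Security event 4648 (logon with explicit credentials) for the destination, which names the process when the connection itself is attributed only to System (PID 4). The destination address and hostname are assumptions; replace them with the destination from the detection.

```powershell
# Added example, not Vectra's tooling: attribute the SMB connection to a process on the
# flagged source host and list explicit-credential logons to the destination.
# Run in an elevated PowerShell on the source host.
$Destination         = '10.0.7.11'           # assumption: destination IP from the detection
$DestinationHostName = 'fs01.corp.example'   # assumption: its hostname, as 4648 may log either

# Equivalent of: netstat -ano | findstr ":445"   followed by   tasklist /FI "PID eq <pid>"
$connections = Get-NetTCPConnection -RemoteAddress $Destination -RemotePort 445 -ErrorAction SilentlyContinue
foreach ($c in $connections) {
    $proc  = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $owner = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)" |
             Invoke-CimMethod -MethodName GetOwner
    $runAs = $null
    if ($owner -and $owner.User) { $runAs = '{0}\{1}' -f $owner.Domain, $owner.User }
    [pscustomobject]@{
        LocalPort = $c.LocalPort
        State     = $c.State
        PID       = $c.OwningProcess
        Process   = $proc.ProcessName
        Path      = $proc.Path
        RunAs     = $runAs
    }
}

# When OwningProcess is 4 (System), the SMB client ran in the kernel redirector on behalf of
# a tool such as sc.exe or PsExec and netstat cannot name that tool. Security event 4648
# records ProcessName, TargetUserName and TargetServerName whenever alternate credentials
# were supplied (PsExec -u, runas /netonly, explicit credentials in scripts).
function Get-EventField {
    param($Event, [string]$Name)
    # Read a named EventData field from the event XML rather than parsing the message text
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $target = Get-EventField $_ 'TargetServerName'
        if ($target -in @($Destination, $DestinationHostName)) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Subject     = Get-EventField $_ 'SubjectUserName'
                UsedAccount = '{0}\{1}' -f (Get-EventField $_ 'TargetDomainName'), (Get-EventField $_ 'TargetUserName')
                Target      = $target
                Process     = Get-EventField $_ 'ProcessName'
            }
        }
    } | Format-Table -AutoSize
```

If the account in the 4648 output is the one named in the detection and the process path is a management agent installed on this host, the benign root cause above applies; a process running from a user profile or temporary directory, or an interactive administrator account that should not log on from this host, points to the malicious one. When no 4648 event exists because the tool ran as the logged-on user, the destination host's Security log (type 3 logons and service installations) is the next place to look.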
Suspicious Remote Execution