Suspicious Remote Execution

Suspicious Remote Execution

Detection overview


  • An internal host is utilizing the SMB or DCE RPC protocol to make one or more suspicious RPC requests and referencing functions related to remote execution of code
  • The combination of source host, destination host, user account and RPC UUID has not previously been observed

Possible Root Causes

  • An infected host, a malicious insider or a red team participant who is in control of the host is trying to spread laterally by executing code on systems to which it has connected
  • Newly installed software or software that is infrequently used is legitimately making use of remote execution RPCs; this behavior is relatively common for system management software

Business Impact

  • Lateral movement via remote execution is a key element of many different attacks and the SMB channel allows both for the copying of executables and the use of RPCs to execute them
  • Even systems which are permitted to perform remote execution should be monitored because those systems are the most valuable for an attacker to compromise

Steps to Verify

  1. Determine whether the internal host in question should be using remote execution RPCs
  2. Determine whether the user account flagged in the detection is one with administrative privileges and whether that administrator logged into the host which triggered the detection
  3. Determine whether the user account flagged in the detection is a service account associated with a specific product and whether that product should be running on the host which triggered the detection
  4. Determine which process on the internal host is initiating the SMB requests that includes the RPC request; in Windows systems, this can be done using a combination of netstat and tasklist commands
  5. Verify that the process should be running on the internal host and whether the process is configured correctly
Suspicious Remote Execution

Possible root causes

Malicious Detection

Benign Detection

Suspicious Remote Execution

Example scenarios

Suspicious Remote Execution

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Suspicious Remote Execution

Steps to investigate

Suspicious Remote Execution

Related detections

No items found.