The RPC Targeted Recon detection enhances Vectra's detection capabilities for early-stage targeted reconnaissance of another host or of the domain controller (DC). RPC commands support a wide range of operations that can give an attacker information about the environment, including who owns a host, what information resides on it, what permissions it has and what shares are available. Specific function calls are often leveraged when attackers want to dump credentials and escalate their privileges in the network. This detection learns baselines for the reconnaissance-related RPC function calls that clients and servers normally make in the network, and then alerts when a host makes anomalous calls.
What is the RPC (Remote Procedure Call) protocol?
The RPC (Remote Procedure Call) protocol is a communication method used in computing to enable a program to request a service from a program located on another computer in a network without needing to understand network details. RPC abstracts the networking aspect, making it appear as though the procedure (or function) call happens within the local environment, rather than remotely.
Key characteristics of RPC
- Procedure Call Abstraction: It functions similarly to calling a local procedure or function in programming, with the key difference being that the procedure is executed on a remote machine.
- Client-Server Model: Typically, RPC operates on a client-server model, where the client initiates the request, and the server provides the service or response.
- Location Transparency: The client code in an RPC system is designed to call a local procedure, but the underlying framework translates this to a remote call, masking the complexity of the network communication.
- Synchronous or Asynchronous: RPC can be synchronous, where the client waits for the server to finish processing before continuing, or asynchronous, where the client continues with its process without waiting for the response.
- Interface Definition Language (IDL): In RPC systems, an IDL is often used to define the interfaces between client and server, ensuring they understand the data types and structures to be exchanged.
- Transport Protocols: RPC can use various underlying transport protocols like TCP, UDP, or even HTTP, depending on the requirements of the application.
- Use Cases: RPC is used in distributed computing environments, network services, and cloud services, facilitating interaction between software components distributed across different networked systems.
RPC has evolved over time, with various implementations and enhancements, including technologies like DCOM (Distributed Component Object Model), CORBA (Common Object Request Broker Architecture), and more recently, gRPC by Google, which is an open-source RPC system that uses HTTP/2 for transport and Protocol Buffers as the interface description language.
Why attackers use RPC
Once attackers get into the environment, they connect to their C2 and begin controlling an internal host. That host won't initially know anything about the environment, so it will perform port scans and port sweeps to recon the environment and find out what machines are available, what subnets are active and what ports are open on different hosts.
While this information is valuable for getting a general map of the environment, it might not be sufficient for the attackers to know where to go next to execute their goal and objective.
So, in addition to port scans and port sweeps, they ask very direct questions of various hosts in the environment using remote procedure call protocols.
How to detect RPC recon with Vectra AI
Types of questions attackers ask using RPC
- What group memberships are set?
This is key for an attacker to understand the environment as a whole and to know where users connect within the environment. This is underpinned by the SamrGetMembersInGroup function call.
- What shared resources are present on this machine?
This lets the attacker find out whether there are valuable resources on that target, such as sensitive files that may be the attacker's objective. This is done using the NetrShareEnum command.
- Let me be the Domain Controller
The most dangerous and malicious example, where the attacker does not ask a question but makes a statement that enables them to impersonate the domain controller. This is part of a DCShadow attack, which can be achieved through Mimikatz to gain expansive access to the environment. It can be done via various commands, including the DRSReplicaAdd function.
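As an added illustration (not Vectra's code), here is a minimal version of the baseline-then-alert logic described on this page, run over constructed RPC call records that use the three function names listed above; hostnames, the severity labels and the record format are assumptions for the example.

```python
from collections import defaultdict

# Recon-relevant RPC functions named on this page, with what each reveals and an assumed severity
RECON_FUNCTIONS = {
    "SamrGetMembersInGroup": ("group membership", "medium"),
    "NetrShareEnum": ("share enumeration", "medium"),
    "DRSReplicaAdd": ("DC replication / DCShadow", "high"),
}

# Constructed learning-window records, not real telemetry: (client, server, rpc_function)
BASELINE_RECORDS = [
    ("ws01", "fs01", "NetrShareEnum"),
    ("admin01", "dc01", "SamrGetMembersInGroup"),
    ("dc02", "dc01", "DRSReplicaAdd"),  # DC-to-DC replication is normal
    ("dc01", "dc02", "DRSReplicaAdd"),
]

# Constructed records observed after the learning window
NEW_RECORDS = [
    ("ws01", "fs01", "NetrShareEnum"),          # in ws01's baseline: no alert
    ("ws02", "dc01", "SamrGetMembersInGroup"),  # ws02 never enumerated groups before
    ("ws02", "fs01", "NetrShareEnum"),
    ("ws02", "fs02", "NetrShareEnum"),          # same function, second target
    ("ws02", "dc01", "DRSReplicaAdd"),          # a workstation asking to replicate
    ("ws03", "fs01", "NetrFileEnum"),           # not in the recon list: ignored
]

def learn_baseline(records):
    """Per client, the set of recon functions it called during the learning window."""
    baseline = defaultdict(set)
    for client, _server, func in records:
        if func in RECON_FUNCTIONS:
            baseline[client].add(func)
    return baseline

def detect(baseline, records):
    """One alert per (client, function) outside the client's baseline, listing
    every server that client targeted with the function; high severity first."""
    targets = defaultdict(set)
    for client, server, func in records:
        if func in RECON_FUNCTIONS and func not in baseline.get(client, set()):
            targets[(client, func)].add(server)
    alerts = []
    for (client, func), servers in targets.items():
        what, severity = RECON_FUNCTIONS[func]
        alerts.append({"client": client, "function": func, "what": what,
                       "severity": severity, "servers": sorted(servers)})
    return sorted(alerts, key=lambda a: a["severity"] != "high")
```

Running `detect(learn_baseline(BASELINE_RECORDS), NEW_RECORDS)` yields three alerts, all for ws02, with the DRSReplicaAdd call from a non-DC ranked first.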