Triggers
- This host is making RPC calls to a large number of other hosts
- The number of hosts being contacted far exceeds the number of hosts normally contacted as observed on this network
Possible Root Causes
- An attacker is active inside the network and is mining information from individual hosts in order to build a better map of assets in the network
- The information mined can include what accounts have recently logged into which hosts and can be used in deciding where to steal privileged account credentials
- An admin is completing authorized system management activity
- Endpoint management software installed on a central server is performing periodic system management activity
- Specialized hardware, including IoT, is utilizing RPC for peer discovery and identification
Business Impact
- A scan of neighboring hosts’ information is an effective way for an attacker to complete a detailed map of what happens where inside the target organization’s network
- Reconnaissance within a network is a precursor to active attacks which ultimately exposes an organization to substantial risk of data acquisition and exfiltration
- This form of reconnaissance is often a lot less noticeable than a port sweep or a port scan so attackers feel they can use it with relatively little risk of detection
Steps to Verify
- Examine the local logs on the host making the RPC queries for a more detailed view of activity by this host • Inquire whether the host should be contacting the hosts listed in the detection • If the behavior continues and remains unexplained, determine which process on the internal host is establishing the connections over which the RPC requests are made; in Windows systems, this can be done using a combination of netstat and tasklist commands