RPC Recon

Triggers

• This host is making RPC calls to a large number of other hosts
• The number of hosts being contacted far exceeds the number of hosts normally contacted as observed on this network

Possible Root Causes

• An attacker is active inside the network and is mining information from individual hosts in order to build a better map of assets in the network
• The information mined can include what accounts have recently logged into which hosts and can be used in deciding where to steal privileged account credentials
• An admin is completing authorized system management activity
• Endpoint management software installed on a central server is performing periodic system management activity
• Specialized hardware, including IoT, is utilizing RPC for peer discovery and identification

Business Impact

• A scan of neighboring hosts’ information is an effective way for an attacker to complete a detailed map of what happens where inside the target organization’s network
• Reconnaissance within a network is a precursor to active attacks which ultimately exposes an organization to substantial risk of data acquisition and exfiltration
• This form of reconnaissance is often a lot less noticeable than a port sweep or a port scan so attackers feel they can use it with relatively little risk of detection

Steps to Verify

• Examine the local logs on the host making the RPC queries for a more detailed view of activity by this host • Inquire whether the host should be contacting the hosts listed in the detection • If the behavior continues and remains unexplained, determine which process on the internal host is establishing the connections over which the RPC requests are made; in Windows systems, this can be done using a combination of netstat and tasklist commands