Suspicious Remote Execution

Detection overview

The "Suspicious Remote Execution" detection identifies internal hosts that use SMB, or DCE/RPC carried over SMB named pipes, to call RPC interfaces that start code on a remote system. It matters because remote execution is the mechanism attackers most often rely on to move laterally once they control a single host.

Triggers

  • An internal host is using SMB or DCE/RPC to make one or more suspicious RPC requests that reference functions related to remote execution of code
  • The combination of source host, destination host, user account and RPC UUID has not previously been observed
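
The two triggers above amount to a filter on the RPC interface followed by a first-seen check on the (source, destination, account, interface) tuple. The following Python is an added example of that logic run over constructed SMB/DCE-RPC metadata records; it is not the vendor's detection code. The interface UUIDs and opnums are the published values from the svcctl, atsvc, Task Scheduler and srvsvc specifications, but which interfaces count as "related to remote execution" is an assumption made here, as are the hosts, account names and the pre-loaded baseline.

```python
from dataclasses import dataclass

# Interface UUIDs of DCE/RPC services whose methods start code on the
# target (create or start a service, register a scheduled task).
# Assumption: these are the interfaces the detection treats as remote execution.
REMOTE_EXEC_INTERFACES = {
    "367abb81-9844-35f1-ad32-98f038001003": "svcctl (Service Control Manager)",
    "1ff70682-0a51-30e8-076d-740be8cee98b": "atsvc (AT job scheduler)",
    "86d35949-83c9-4044-b424-db363231fd0c": "ITaskSchedulerService",
}


@dataclass(frozen=True)
class RpcRequest:
    """One DCE/RPC request seen over SMB (constructed metadata record)."""
    src: str             # internal host issuing the request
    dst: str             # host whose RPC service is being called
    user: str            # account authenticated on the SMB session
    interface_uuid: str  # RPC interface UUID from the bind
    opnum: int           # operation number within that interface


def is_remote_exec(req: RpcRequest) -> bool:
    """Trigger 1: the request targets a remote-execution interface."""
    return req.interface_uuid.lower() in REMOTE_EXEC_INTERFACES


def tuple_key(req: RpcRequest) -> tuple:
    """The combination trigger 2 compares against what was seen before."""
    return (req.src, req.dst, req.user.lower(), req.interface_uuid.lower())


def evaluate(records, baseline):
    """Apply both triggers. `baseline` is the set of tuples already observed
    and is updated in place, so a repeat of a flagged tuple does not alert
    twice. Returns one dict per alert."""
    alerts = []
    for r in records:
        if not is_remote_exec(r):
            continue                      # trigger 1 not met
        k = tuple_key(r)
        if k in baseline:
            continue                      # trigger 2 not met: seen before
        baseline.add(k)
        alerts.append({
            "src": r.src, "dst": r.dst, "user": r.user,
            "interface": REMOTE_EXEC_INTERFACES[r.interface_uuid.lower()],
            "opnum": r.opnum,
        })
    return alerts


# Constructed traffic: a management server using its service account
# (previously observed), then a user workstation enumerating shares and
# creating/starting a service on the same file server (never observed).
SAMPLE_RECORDS = [
    RpcRequest("10.0.2.5", "10.0.1.10", "CORP\\svc_sccm",
               "367abb81-9844-35f1-ad32-98f038001003", 12),  # RCreateServiceW
    RpcRequest("10.0.5.23", "10.0.1.10", "CORP\\jdoe",
               "4b324fc8-1670-01d3-1278-5a47bf6ee188", 15),  # srvsvc NetrShareEnum
    RpcRequest("10.0.5.23", "10.0.1.10", "CORP\\jdoe",
               "367abb81-9844-35f1-ad32-98f038001003", 12),  # RCreateServiceW
    RpcRequest("10.0.5.23", "10.0.1.10", "CORP\\jdoe",
               "367abb81-9844-35f1-ad32-98f038001003", 19),  # RStartServiceW
]
KNOWN_BASELINE = {("10.0.2.5", "10.0.1.10", "corp\\svc_sccm",
                   "367abb81-9844-35f1-ad32-98f038001003")}


def run_sample():
    """Evaluate the constructed records against a copy of the baseline."""
    return evaluate(SAMPLE_RECORDS, set(KNOWN_BASELINE))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the workstation's first svcctl call alerts: the share enumeration is not an execution interface, the management server's tuple is already in the baseline, and the follow-up RStartServiceW from the same tuple is suppressed because the tuple was learned when the alert fired. Running with an empty baseline instead shows how a freshly deployed sensor would also flag the management server once, which is the benign case described under Possible Root Causes.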

Possible Root Causes

  • An infected host, a malicious insider or a red team participant who is in control of the host is trying to spread laterally by executing code on systems to which it has connected
  • Newly installed software or software that is infrequently used is legitimately making use of remote execution RPCs; this behavior is relatively common for system management software

Business Impact

  • Lateral movement via remote execution is a key element of many attacks, and the SMB channel allows both the copying of executables to a target and the use of RPCs to execute them there
  • Even systems which are permitted to perform remote execution should be monitored because those systems are the most valuable for an attacker to compromise

Steps to Verify

  1. Determine whether the internal host in question should be using remote execution RPCs
  2. Determine whether the user account flagged in the detection is one with administrative privileges and whether that administrator logged into the host which triggered the detection
  3. Determine whether the user account flagged in the detection is a service account associated with a specific product and whether that product should be running on the host which triggered the detection
  4. Determine which process on the internal host is initiating the SMB connections that carry the RPC requests; on Windows this can be done by pairing the PID column of netstat -ano with the output of tasklist /svc. Connections made through the built-in SMB redirector are attributed to the System process (PID 4), in which case the PID identifies no user-mode process and the logon session or process-creation audit trail must be used instead
  5. Verify that the process should be running on the internal host and whether the process is configured correctly
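
Step 4 is a join on PID between two listings. The Python below is an added example of that join (not the vendor's tooling), run over constructed copies of `netstat -ano` and `tasklist /svc` output as they would be pasted from the flagged host; the addresses, PIDs and image names are made up. It also handles the redirector case, where the connection belongs to PID 4 and the join cannot name the originating user-mode process.

```python
import re

# Constructed `netstat -ano` output from the flagged host (10.0.5.23).
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.5.23:49712        10.0.1.10:445          ESTABLISHED     4
  TCP    10.0.5.23:49801        10.0.1.11:445          ESTABLISHED     6120
  TCP    10.0.5.23:49802        10.0.1.11:135          TIME_WAIT       0
  TCP    10.0.5.23:50231        52.96.0.1:443          ESTABLISHED     3308
"""

# Constructed `tasklist /svc` output from the same host.
TASKLIST_SVC = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                   1124 RpcSs
python.exe                    6120 N/A
msedge.exe                    3308 N/A
"""

# TCP rows only: UDP rows have no State column and cannot carry SMB sessions.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*?)\s*$")


def parse_netstat(text):
    """Return (local, remote, state, pid) for each TCP row."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            local, remote, state, pid = m.groups()
            rows.append((local, remote, state, int(pid)))
    return rows


def parse_tasklist(text):
    """Map PID -> (image name, [hosted services]) from `tasklist /svc`."""
    procs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        m = TASKLIST_RE.match(line)
        if m:
            image, pid, services = m.groups()
            svc = [] if services == "N/A" else [s.strip() for s in services.split(",")]
            procs[int(pid)] = (image, svc)
    return procs


def smb_initiators(netstat_text, tasklist_text, port=445):
    """Join the two listings on PID for every connection to the SMB port."""
    procs = parse_tasklist(tasklist_text)
    found = []
    for local, remote, state, pid in parse_netstat(netstat_text):
        if not remote.endswith(f":{port}"):
            continue
        image, services = procs.get(pid, ("<not in tasklist>", []))
        entry = {"remote": remote, "state": state, "pid": pid,
                 "image": image, "services": services}
        if pid == 4:
            # The Windows SMB redirector opens its sessions from the kernel,
            # so netstat attributes them to System. This join cannot name
            # the user-mode process; pivot to the logon session and
            # process-creation audit for that connection instead.
            entry["note"] = "SMB redirector (System): attribute via logon session, not PID"
        found.append(entry)
    return found


if __name__ == "__main__":
    for entry in smb_initiators(NETSTAT_ANO, TASKLIST_SVC):
        print(entry)
```

In the constructed data the connection to 10.0.1.10 came through the redirector and is tagged for session-level attribution, while the connection to 10.0.1.11 is owned by a python.exe process that opened its own socket, which is the pattern a third-party SMB library or tool leaves and exactly what step 5 should then examine.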

Possible root causes

Malicious Detection

An attacker controlling a compromised host may use remote execution to run malicious code on systems that host can reach. This tactic is typically employed to establish additional footholds, escalate privileges, deploy malware, or reach the data the attacker intends to exfiltrate.

Benign Detection

Legitimate software, especially system management tools, may use remote execution RPCs for updates, troubleshooting, or configuration changes. Newly installed or rarely used software can also exhibit similar behavior, prompting the detection.

Example scenarios

  • An attacker gains initial access to an internal host, uses RPC to deploy malware on a file server, and establishes persistence for further compromise.
  • IT deploys new endpoint management software that uses RPC calls for installing updates across the organization.

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Lateral movement risk

Enables attackers to propagate malware or gain access to critical systems, heightening the risk of widespread compromise.

Compromise of valuable systems

Targets with remote execution capabilities are high-value assets, making their compromise significantly impactful.

Operational disruption

Increases the risk of malicious code causing outages, affecting business continuity and financial stability.

FAQs

What is the primary cause of this detection?

Suspicious RPC requests for remote execution, often linked to unauthorized software or malicious actors.

What protocols are involved in this detection?

SMB and DCE/RPC are the most common protocols flagged.

What tools can assist in investigating this detection?

Windows utilities like netstat and tasklist are helpful.

Should I disable remote execution entirely?

No, it is often essential for legitimate administrative tasks but should be tightly controlled and monitored.

Is this detection a precursor to ransomware attacks?

It can be, especially if attackers exploit remote execution for lateral movement.

Could legitimate software trigger this detection?

Yes, system management tools or infrequent software can sometimes cause this alert.

How can I differentiate between malicious and benign activities?

Cross-check host activities, user roles, and software legitimacy.

Are specific user roles more likely to trigger this detection?

Yes. Administrative and service accounts perform most legitimate remote execution, so they trigger the detection more often; they are also the accounts an attacker most wants to use, which is why activity under them still deserves review.

What data logs are useful for validation?

Network logs and host-level process activity are key to investigation.

Can external threat intelligence help here?

Yes, integrating threat intelligence feeds can help correlate suspicious RPC activities with known attack patterns.