RPC (Remote Procedure Call) from the Internet
editRPC (Remote Procedure Call) from the Internet
editThis rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
Rule type: query
Rule indices:
- packetbeat-*
- auditbeat-*
- filebeat-*
- logs-network_traffic.*
- logs-panw.panos*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Tactic: Initial Access
- Domain: Endpoint
- Use Case: Threat Detection
- Data Source: PAN-OS
Version: 104
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
edit(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and
not source.ip:(
10.0.0.0/8 or
127.0.0.0/8 or
169.254.0.0/16 or
172.16.0.0/12 or
192.0.0.0/24 or
192.0.0.0/29 or
192.0.0.8/32 or
192.0.0.9/32 or
192.0.0.10/32 or
192.0.0.170/32 or
192.0.0.171/32 or
192.0.2.0/24 or
192.31.196.0/24 or
192.52.193.0/24 or
192.168.0.0/16 or
192.88.99.0/24 or
224.0.0.0/4 or
100.64.0.0/10 or
192.175.48.0/24 or
198.18.0.0/15 or
198.51.100.0/24 or
203.0.113.0/24 or
240.0.0.0/4 or
"::1" or
"FE80::/10" or
"FF00::/8"
) and
destination.ip:(
10.0.0.0/8 or
172.16.0.0/12 or
192.168.0.0/16
)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Exploit Public-Facing Application
- ID: T1190
- Reference URL: https://attack.mitre.org/techniques/T1190/