high advisory

Detecting External RPC Traffic for Initial Access

This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from the internet, a common initial access vector, by monitoring network connections to TCP port 135 and filtering known internal IP ranges.

This detection rule identifies RPC traffic originating from the internet, which can indicate malicious activity. RPC is used for remote system administration and resource sharing but should rarely be exposed to the internet. Threat actors frequently target RPC for initial access or as a backdoor. This rule analyzes network traffic, specifically looking for TCP connections to port 135 (a common RPC port) originating from outside the internal network. The rule aims to detect unauthorized attempts to access or control systems via RPC from external sources, enhancing network security and preventing potential breaches. The rule was last updated on 2026-04-24.

Attack Chain

  1. An attacker scans the internet for systems with exposed RPC services on TCP port 135.
  2. The attacker establishes a TCP connection to the target system’s port 135.
  3. The attacker attempts to negotiate an RPC connection, potentially exploiting vulnerabilities in the RPC service.
  4. Successful exploitation allows the attacker to execute commands remotely on the target system.
  5. The attacker uses the compromised system to perform reconnaissance, gathering information about the internal network.
  6. The attacker attempts lateral movement to other systems within the network, using the initial foothold.
  7. The attacker installs malware or creates a backdoor for persistent access.

Impact

Successful exploitation of exposed RPC services can lead to complete system compromise, allowing attackers to execute arbitrary commands, install malware, and steal sensitive data. This can result in data breaches, financial loss, and reputational damage. The rule aims to prevent attackers from gaining initial access to internal systems, mitigating the risk of wider network compromise.

Recommendation

  • Deploy the Sigma rule “Detect RPC from Internet” to your SIEM to identify potentially malicious connections to port 135.
  • Review and harden systems that provide RPC services so they are not directly exposed to the internet; hosts receiving external connections on port 135 are the ones the rule “Detect RPC from Internet” surfaces.
  • Enforce network segmentation to limit the exposure of critical systems and services, preventing RPC services from being accessible from the Internet (reference: note section in the rule).
  • Investigate any alerts generated by the Sigma rule by examining the source and destination IP addresses and related network traffic logs (reference: note section in the rule).

Detection coverage (2 rules)

Detect RPC from Internet

high

Detects network connections to TCP port 135 (RPC) from outside the internal network.

Format: sigma; tactics: initial_access; techniques: T1133; sources: network_connection, zeek

Detect RPC from Internet - Windows

high

Detects network connections to TCP port 135 (RPC) from outside the internal network (Windows variant).

Format: sigma; tactics: initial_access; techniques: T1133; sources: network_connection, windows
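The rule logic described above (TCP connections to port 135 whose source lies outside the internal address space) can be illustrated with a small reference implementation. The following Python script is an added example written for this brief; it is not the platform's Sigma rule and the two rules listed under Detection coverage remain inside the platform. It assumes an internal-range list of RFC 1918, loopback, link-local and CGNAT space (the actual rule's exclusion list is not shown on this page), it parses the Zeek conn.log TSV layout for the Zeek variant and the Sysmon Event ID 3 field names (SourceIp, DestinationPort, Protocol, Initiated) for the Windows variant, and the sample log lines are constructed, using documentation address blocks as "internet" sources.

```python
import ipaddress
from typing import Iterator

# Assumption: the set of ranges treated as "internal". The platform's rule has
# its own list; RFC 1918, loopback, link-local and CGNAT are a typical choice.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]

RPC_PORT = 135  # TCP 135: the port the rule watches


def is_internal(ip: str) -> bool:
    """True if the address falls inside any configured internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def is_external_rpc(src_ip: str, dst_port, proto: str) -> bool:
    """Core rule: TCP to port 135 whose source is not an internal address."""
    return (proto.lower() == "tcp"
            and int(dst_port) == RPC_PORT
            and not is_internal(src_ip))


# --- Zeek variant: conn.log in Zeek's tab-separated layout ------------------

# Constructed sample conn.log. 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32
# are documentation blocks and stand in for arbitrary internet sources.
ZEEK_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n"
    "1700000001.1\tCabc1\t203.0.113.45\t51234\t192.168.1.20\t135\ttcp\tS0\n"   # external -> 135/tcp: hit
    "1700000002.2\tCabc2\t192.168.1.50\t50001\t192.168.1.20\t135\ttcp\tSF\n"   # internal source: ignore
    "1700000003.3\tCabc3\t198.51.100.7\t40000\t192.168.1.20\t445\ttcp\tREJ\n"  # wrong port: ignore
    "1700000004.4\tCabc4\t198.51.100.9\t40001\t192.168.1.21\t135\tudp\tS0\n"   # not TCP: ignore
    "1700000005.5\tCabc5\t2001:db8::10\t40002\t192.168.1.22\t135\ttcp\tS0\n"   # external IPv6 -> 135/tcp: hit
)


def parse_zeek_conn(text: str) -> Iterator[dict]:
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("conn.log record appeared before the #fields header")
        yield dict(zip(fields, line.split("\t")))


def detect_external_rpc_zeek(conn_log: str) -> list[dict]:
    """Run the rule over a conn.log and return the matching connections."""
    hits = []
    for rec in parse_zeek_conn(conn_log):
        if is_external_rpc(rec["id.orig_h"], rec["id.resp_p"], rec["proto"]):
            hits.append({"uid": rec["uid"], "src": rec["id.orig_h"],
                         "dst": rec["id.resp_h"], "state": rec["conn_state"]})
    return hits


# --- Windows variant: Sysmon Event ID 3 (network connection) ----------------

def is_external_rpc_sysmon(event: dict) -> bool:
    """Same rule on a Sysmon Event ID 3 record. Initiated=false marks an
    inbound connection, so the remote peer is the SourceIp."""
    return (str(event.get("Initiated", "")).lower() == "false"
            and is_external_rpc(event["SourceIp"], event["DestinationPort"], event["Protocol"]))


if __name__ == "__main__":
    for hit in detect_external_rpc_zeek(ZEEK_CONN_LOG):
        print("external RPC connection:", hit)
```

A connection in state S0 or REJ shows an attempt rather than an established session, so when triaging an alert the conn_state (or the Sysmon Initiated flag) tells you whether the exposed port actually answered; that is the first thing to check before reviewing the destination host's RPC exposure as the Recommendation section suggests.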
