Threat Feed: high-severity advisory

Detecting RPC Traffic to the Internet

This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from internal networks and reaching the public internet, which is indicative of potential initial access or backdoor activity.

The Remote Procedure Call (RPC) protocol, while essential for legitimate system administration tasks such as remote maintenance and resource sharing within internal networks, poses a significant security risk when exposed to the internet. Threat actors frequently target and exploit RPC services as an initial access vector or to establish backdoors within compromised systems. This exposure allows attackers to remotely execute commands, move laterally within the network, and potentially exfiltrate sensitive data. This brief provides detection strategies to identify such anomalous RPC traffic, enabling security teams to proactively mitigate potential threats. The detection focuses on identifying TCP traffic to port 135 from internal IP ranges to external IP addresses.

Attack Chain

  1. The attacker compromises a host within the internal network, potentially through phishing or exploiting a vulnerability.
  2. The compromised host initiates an RPC connection to an external IP address on TCP port 135.
  3. The attacker uses the RPC connection to enumerate network resources and identify potential targets for lateral movement.
  4. Using the RPC connection, the attacker attempts to authenticate to other systems within the network.
  5. Upon successful authentication, the attacker remotely executes commands on the target system via RPC.
  6. The attacker installs malware or a backdoor on the target system for persistence.
  7. The attacker leverages the established foothold to further propagate within the network, compromising additional systems.

Impact

Successful exploitation of RPC services exposed to the internet can lead to a complete compromise of the internal network. Attackers can gain initial access, move laterally, exfiltrate sensitive data, deploy ransomware, or disrupt critical business operations. A single exposed RPC service can serve as a gateway for widespread damage.

Recommendation

  • Implement the provided Sigma rule to detect RPC traffic from internal IP ranges to external destinations on TCP port 135, focusing on network traffic logs.
  • Investigate any alerts generated by the Sigma rule, prioritizing systems exhibiting suspicious RPC activity (Sigma rule, logsource: network_connection).
  • Ensure that RPC services are not directly exposed to the internet. Implement firewall rules to restrict access to authorized internal IP ranges only.
  • Continuously monitor network traffic for anomalous RPC activity and correlate with other security events (logsource: network_connection).
  • Review and update firewall configurations to block unauthorized outbound connections on port 135 (logsource: firewall).

Detection coverage (2 rules)

Detect Outbound RPC Traffic

Severity: high

Detects RPC traffic (port 135) originating from internal networks to external IP addresses.

Format: sigma
Tactics: initial_access, lateral_movement
Techniques: T1021, T1021.003, T1190
Sources: network_connection, windows

Detect Outbound RPC Traffic (Zeek)

Severity: high

Detects RPC traffic (port 135) originating from internal networks to external IP addresses using Zeek logs.

Format: sigma
Tactics: initial_access, lateral_movement
Techniques: T1021, T1021.003, T1190
Sources: network_connection, zeek
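The rule logic the two entries above describe (TCP destination port 135, source inside the RFC 1918 ranges, destination outside them) can be reproduced over Zeek conn.log data. The following is an added example, not the platform's Sigma rule; it assumes tab-separated conn.log rows in Zeek's default field order and uses constructed sample lines.

```python
import ipaddress

# Constructed Zeek conn.log rows (no header, first seven fields only:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto).
SAMPLE_CONN_LOG = """\
1712000001.123\tCabc1\t10.0.4.21\t51234\t203.0.113.45\t135\ttcp
1712000002.456\tCabc2\t10.0.4.21\t51235\t10.0.5.10\t135\ttcp
1712000003.789\tCabc3\t192.168.1.9\t51236\t198.51.100.7\t443\ttcp
1712000004.000\tCabc4\t172.16.8.3\t51237\t198.51.100.9\t135\tudp
1712000005.000\tCabc5\t172.16.8.3\t51238\t198.51.100.9\t135\ttcp
"""

# RFC 1918 ranges are what the brief means by "internal IP ranges".
# Listed explicitly rather than via ip_address().is_private, because that
# property also returns True for documentation blocks such as 203.0.113.0/24.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def find_outbound_rpc(conn_log: str, port: int = 135) -> list[dict]:
    """Return conn.log rows for TCP connections to `port` from an RFC 1918
    source to a non-RFC 1918 destination (the condition the brief detects)."""
    hits = []
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):  # skip Zeek header/comment rows
            continue
        fields = line.split("\t")
        if len(fields) < 7:  # malformed or truncated row
            continue
        ts, uid, src, _sport, dst, dport, proto = fields[:7]
        if proto != "tcp" or not dport.isdigit() or int(dport) != port:
            continue
        try:
            if is_internal(src) and not is_internal(dst):
                hits.append({"ts": ts, "uid": uid, "src": src, "dst": dst})
        except ValueError:  # unparsable address, e.g. a "-" placeholder
            continue
    return hits
```

Rows Cabc2 (internal destination) and Cabc4 (UDP) are intentionally not matched; they are the false positives a looser "port 135" filter would raise.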

Detection queries are kept inside the platform.