The RPC Targeted Recon detection enhances Vectra’s detection capabilities for early stage targeted reconnaissance of another host or of the DC. The RPC commands support a wide range of operations that can allow for an attacker to gain access to information about the environment including details about who owns a host, what information resides on a host, what permissions a host has and what shares are available. Specific function calls are often leveraged when attackers want to dump credentials and escalate their privilege in the network. This detection learns baselines for what clients and servers normally do in the network related to reconnaissance like RPC function calls and then alerts when anomalous calls are made by a host.
Triggers
- This host is making one or more RPC function calls indicative of information gathering to one or more other hosts
- The RPC function calls related to information gathering being made differ from ones normally made by this host or received by the target host
Possible Root Causes
- An attacker is active inside the network and is mining information from individual hosts in order to better understand the usefulness of the target host to furthering the attack
- The information mined may include recently logged on accounts, running services, available network shares, or password hashes
- An admin is completing authorized system management activity
- Endpoint management software installed on a central server is performing periodic system • management activity
- Specialized hardware, including IoT, is utilizing RPC for peer discovery and identification
Business Impact
- Retrieval of a key host’s information is an effective way for an attacker to further a “low-andslow” attack on an organization’s network
- Reconnaissance within a network is a precursor to active attacks which ultimately exposes an organization to substantial risk of data acquisition and exfiltration
- This form of reconnaissance is often a lot less noticeable than a port sweep, a port scan, or even the widespread use of RPCs to many hosts, so attackers feel they can use it with relatively little risk of detection
Why attackers use RPC
Attackers, when they get into the environment, they connect their C2 and begin controlling an internal host. That host won't really know anything about the environment and also will perform port scans and port sweeps to recon the environment to find out what machines are available what subnets are active and what ports are open on different hosts.
While these information are valuable to get a general map of the environment, they might not be sufficient for the attackers to know where to go next to execute their goal and objective.
So what they would do in addition to port scans and port sweeps, they are going to ask very direct questions to various hosts in the environment using remote procedures protocols.
How to detects RPC recon with Vectra AI
Types of questions attackers using RPC are asking
- What group memberships are set?
This is key for an attacker to understand the environment as a whole and knowing where users will connect within the environment. This is underpinned by the SamrGetMembersInGroup function call. - What shared resources are present on this machine?
This allows the attacker to understand if there is valuable resources on that target, like sensitive files that may be the objective of the attacker. This is done using the NetrShareEnum command. - Let me be the Domain Controller
The most dangerous and malicious example where the attacker does not ask a question but make a statement enabling him to impersonate the domain controller. This is part of a DCShadow attack that can be achieved through Mimikatz to gain expansive access to the environment. This can be done via various commands including the DRSReplicaAdd function.
