
Summary
This detection rule targets misuse of the Remote Procedure Call (RPC) service, specifically identifying potentially abusive remote encryption service access attempts via MS-SRVS. It works by monitoring EventLog messages written by the RPC firewall and filtering for events with EventID 3 that carry the MS-SRVS interface UUID (4b324fc8-1670-01d3-1278-5a47bf6ee188). By applying this rule, security teams can surface lateral movement in which an attacker uses remote services to reach other systems or sensitive data. A match indicates that an RPC call to this interface may be going beyond normal operational usage and should be reviewed. The rule applies only to environments that run an RPC firewall; it helps organizations respond quickly to suspicious RPC activity. Implementation requires that the RPC Firewall be installed beforehand and that its audit settings be configured to log (and, where desired, block) unauthorized calls.
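The selection logic described above, run over a few constructed RPC firewall log lines, as an added example (not code from the original page or from the RPC Firewall project). It assumes the RPC firewall writes its audit events to an application log channel named "RPCFW" and uses EventID 3 for an audited call; the sample log lines and the key="value" layout are constructed for the example, and the MS-SCMR UUID appears only as a non-matching contrast:

```python
import re
from collections import Counter
from dataclasses import dataclass

# Interface UUID of MS-SRVS (the Server Service), taken from the rule on this page.
MS_SRVS_UUID = "4b324fc8-1670-01d3-1278-5a47bf6ee188"

# Assumptions (not stated on the page): the RPC Firewall logs to a channel named
# "RPCFW" and an audited call is EventID 3.
RPCFW_LOG = "RPCFW"
AUDIT_EVENT_ID = 3


@dataclass(frozen=True)
class RpcEvent:
    log: str
    event_id: int
    interface_uuid: str
    source_address: str
    opnum: int


def normalize_uuid(value: str) -> str:
    """Strip braces and whitespace and lower-case, so '{4B32...}' equals '4b32...'."""
    return value.strip().strip("{}").lower()


def parse_event(line: str) -> RpcEvent:
    """Parse one constructed key="value" log line into an RpcEvent."""
    fields = {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}
    return RpcEvent(
        log=fields["EventLog"],
        event_id=int(fields["EventID"]),
        interface_uuid=normalize_uuid(fields["InterfaceUuid"]),
        source_address=fields.get("SourceAddress", ""),
        opnum=int(fields.get("OpNum", "0")),
    )


def matches_rule(event: RpcEvent) -> bool:
    """The rule's selection: RPC firewall log, EventID 3, MS-SRVS interface UUID."""
    return (
        event.log == RPCFW_LOG
        and event.event_id == AUDIT_EVENT_ID
        and event.interface_uuid == MS_SRVS_UUID
    )


def detect(lines) -> list[RpcEvent]:
    """Return every event that satisfies the rule, in log order."""
    return [ev for ev in map(parse_event, lines) if matches_rule(ev)]


def hits_by_source(lines) -> dict[str, int]:
    """Count matching events per calling host, a first step toward triage/tuning."""
    return dict(Counter(ev.source_address for ev in detect(lines)))


# Constructed sample lines (not real RPC Firewall output).
SAMPLE_LINES = [
    # Audited MS-SRVS call, UUID written with braces and upper case: should match.
    'EventLog="RPCFW" EventID="3" InterfaceUuid="{4B324FC8-1670-01D3-1278-5A47BF6EE188}" '
    'OpNum="15" SourceAddress="10.0.0.25"',
    # Audited MS-SRVS call in lower case: should match.
    'EventLog="RPCFW" EventID="3" InterfaceUuid="4b324fc8-1670-01d3-1278-5a47bf6ee188" '
    'OpNum="16" SourceAddress="10.0.0.25"',
    # Same interface but a different EventID: not selected by this rule.
    'EventLog="RPCFW" EventID="2" InterfaceUuid="4b324fc8-1670-01d3-1278-5a47bf6ee188" '
    'OpNum="15" SourceAddress="10.0.0.40"',
    # Audited call on MS-SCMR (svcctl), a different interface: not selected.
    'EventLog="RPCFW" EventID="3" InterfaceUuid="367abb81-9844-35f1-ad32-98f038001003" '
    'OpNum="12" SourceAddress="10.0.0.40"',
    # Right EventID and UUID but a different log channel: not selected.
    'EventLog="Application" EventID="3" InterfaceUuid="4b324fc8-1670-01d3-1278-5a47bf6ee188" '
    'OpNum="15" SourceAddress="10.0.0.99"',
]


if __name__ == "__main__":
    for ev in detect(SAMPLE_LINES):
        print(f"MATCH src={ev.source_address} opnum={ev.opnum} uuid={ev.interface_uuid}")
    print(hits_by_source(SAMPLE_LINES))
```

Two points are worth noticing: the UUID is normalized before comparison, because Windows tooling renders interface UUIDs both with and without braces and in either case, and a case-sensitive string match would silently drop half the events. The rule also fires on every audited call to the Server Service, so the per-source count is the natural starting point for tuning, for example by reviewing which management hosts are expected to call MS-SRVS on the monitored machines.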
Categories
- Endpoint
- Network
- Windows
Data Sources
- Application Log
- Process
Created: 2022-01-01