1{
2  "author": [
3    "Elastic"
4  ],
5  "description": "This rule detects network events that may indicate RPC traffic originating from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.",
6  "from": "now-9m",
7  "index": [
8    "auditbeat-*",
9    "filebeat-*",
10    "packetbeat-*",
11    "logs-endpoint.events.*"
12  ],
13  "language": "kuery",
14  "license": "Elastic License v2",
15  "name": "RPC (Remote Procedure Call) from the Internet",
16  "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n  not source.ip:(\n    10.0.0.0/8 or\n    127.0.0.0/8 or\n    169.254.0.0/16 or\n    172.16.0.0/12 or\n    192.0.0.0/24 or\n    192.0.0.0/29 or\n    192.0.0.8/32 or\n    192.0.0.9/32 or\n    192.0.0.10/32 or\n    192.0.0.170/32 or\n    192.0.0.171/32 or\n    192.0.2.0/24 or\n    192.31.196.0/24 or\n    192.52.193.0/24 or\n    192.168.0.0/16 or\n    192.88.99.0/24 or\n    224.0.0.0/4 or\n    100.64.0.0/10 or\n    192.175.48.0/24 or\n    198.18.0.0/15 or\n    198.51.100.0/24 or\n    203.0.113.0/24 or\n    240.0.0.0/4 or\n    \"::1\" or\n    \"FE80::/10\" or\n    \"FF00::/8\"\n  ) and\n  destination.ip:(\n    10.0.0.0/8 or\n    172.16.0.0/12 or\n    192.168.0.0/16\n  )\n",
17  "references": [
18    "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
19  ],
20  "risk_score": 73,
21  "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a",
22  "severity": "high",
23  "tags": [
24    "Elastic",
25    "Host",
26    "Network",
27    "Threat Detection",
28    "Initial Access",
29    "Host"
30  ],
31  "threat": [
32    {
33      "framework": "MITRE ATT&CK",
34      "tactic": {
35        "id": "TA0001",
36        "name": "Initial Access",
37        "reference": "https://attack.mitre.org/tactics/TA0001/"
38      },
39      "technique": [
40        {
41          "id": "T1190",
42          "name": "Exploit Public-Facing Application",
43          "reference": "https://attack.mitre.org/techniques/T1190/"
44        }
45      ]
46    }
47  ],
48  "timestamp_override": "event.ingested",
49  "type": "query",
50  "version": 11
51}
52