D3-RTA
Definition
Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities.
How it works
A remote procedure call (RPC) enables one computer to execute a specific function on another computer, as if it were a local application process. There are numerous RPC specifications and implementations. RPC capabilities can be abused by attackers in order to achieve a variety of tactical objectives including execution, persistence, initial access, and more. RPC proxies may be used to collect and store RPC traffic. RPCs can occur over network sockets or named pipes.
Analytics look for unauthorized behavior such as:
•Processes being launched or scheduled remotely
•System configurations being changed remotely
•Unauthorized file read activity
Example RPC Protocols:
•DCE/RPC
•CORBA
•Open Network Computing Remote Procedure Call
•D-Bus
•XML-RPC
•JSON-RPC
•SOAP
•Apache Thrift
Considerations
•RPC is widely used in enterprise environments, and significant data filtering may be required in large environments to enable analytic processing.
•RPC traffic may occur over a pipe, or within a host over loopback interface, thus making network collection difficult.
Artifact Relationships
This defensive technique relates to specific digital artifacts.