RPC Traffic Analysis
Definition
Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities.
Synonyms: RPC Protocol Analysis
How it works
A remote procedure call (RPC) lets one computer execute a specific function on another computer as if it were a call within a local process. There are numerous RPC specifications and implementations. Attackers can abuse RPC capabilities to achieve a variety of tactical objectives, including execution, persistence, initial access, and more. RPC proxies may be used to collect and store RPC traffic. RPCs can occur over network sockets or named pipes.
Analytics look for unauthorized behavior such as:
- Processes being launched or scheduled remotely
- System configurations being changed remotely
- Unauthorized file read activity
Example RPC Protocols:
- DCE/RPC
- CORBA
- Open Network Computing Remote Procedure Call
- D-Bus
- XML-RPC
- JSON-RPC
- SOAP
- Apache Thrift
Considerations
- RPC is widely used in enterprise environments, and significant data filtering may be required in large environments to enable analytic processing.
- RPC traffic may occur over a named pipe, or within a single host over the loopback interface, which makes network-based collection difficult.
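An added example, not part of the original article, of the rule-driven classification such analytics perform: it reads constructed DCE/RPC records in the style an RPC proxy or network sensor might emit, drops records from sanctioned administrative hosts as the data-filtering consideration above suggests, and maps interface and operation names to the remote launch/scheduling and remote configuration-change categories listed under "How it works". The record layout, the host addresses and the allowlist are assumptions; the interface and operation names are standard MS-RPC ones.

```python
# (endpoint interface, operation) -> analytic category the article lists.
# Assumption: the sensor already resolves interface UUIDs to these names.
RULES = {
    ("svcctl", "CreateServiceW"): "remote process launch",
    ("svcctl", "StartServiceW"): "remote process launch",
    ("atsvc", "JobAdd"): "remote process scheduling",
    ("ITaskSchedulerService", "SchRpcRegisterTask"): "remote process scheduling",
    ("winreg", "BaseRegSetValue"): "remote configuration change",
    ("winreg", "BaseRegCreateKey"): "remote configuration change",
}

# Constructed allowlist of hosts sanctioned to administer others remotely;
# dropping their records is the data reduction the Considerations call for.
AUTHORIZED_ADMIN_HOSTS = {"10.0.0.5"}

def parse_record(line):
    """Constructed layout, tab-separated: ts, src, dst, named_pipe, endpoint, operation."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"malformed record: {line!r}")
    return dict(zip(("ts", "src", "dst", "pipe", "endpoint", "op"), fields))

def analyze(lines):
    """Return one alert dict per record whose (endpoint, operation) matches a rule."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank and comment lines
        rec = parse_record(line)
        if rec["src"] in AUTHORIZED_ADMIN_HOSTS:
            continue  # sanctioned administration: filter before rule matching
        category = RULES.get((rec["endpoint"], rec["op"]))
        if category:
            alerts.append({**rec, "category": category})
    return alerts

SAMPLE_LOG = """\
# constructed sample records from an RPC proxy or network sensor
1700000000.1\t10.0.0.5\t10.0.0.20\tsvcctl\tsvcctl\tCreateServiceW
1700000001.2\t10.0.0.77\t10.0.0.20\tsvcctl\tsvcctl\tCreateServiceW
1700000002.3\t10.0.0.77\t10.0.0.20\twinreg\twinreg\tBaseRegSetValue
1700000003.4\t10.0.0.77\t10.0.0.20\tsrvsvc\tsrvsvc\tNetShareEnumAll
1700000004.5\t10.0.0.99\t10.0.0.20\tatsvc\tatsvc\tJobAdd
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f'{a["ts"]} {a["src"]} -> {a["dst"]} via \\pipe\\{a["pipe"]}: {a["category"]}')
```

The srvsvc share enumeration record matches no rule and the record from the allowlisted host is filtered before matching, so only three of the five constructed records produce alerts.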
References
The following references were used to develop the RPC Traffic Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)