It would be fantastic if we could add RPC event tracking.
RPC can be used for many sensitive things, most notably service creation, scheduled task creation and WMI. While these can be detected through other means (such as service creation, scheduled task creation and some kind of WMI logging, or through process creation events with parent services.exe, taskhostw.exe or wmiprvse.exe), there are more advanced DCOMExec and Invoke-DCOM methods that can't be easily detected WITHOUT RPC auditing.
These use:
1. MMC20
2. ShellBrowserWindow and ShellWindows
3. Excel DDE and Excel XLRegister
4. maybe many others
While you can detect 1 (the parent is mmc.exe), for 2 and 3 it is almost impossible to reliably detect them without RPC event logging.
Windows native logs have RPC audit event 5712, but it is noisy and therefore not enabled by default. Most NDR solutions monitor RPC but don't enrich all of it (unless you have MITRE BZAR or something similar).
MDE (Microsoft Defender for Endpoint) has an option to enable zeek.exe on all endpoints (in which case RPC over the network is logged, which is much less noisy than native event ID 5712).
Also, I believe Cybereason can have use cases for specific RPC UUIDs.
I hope this summarizes it all, and I hope the cybersecurity community can help us include this crucial information in our collective EDR telemetry KB, which is this repo you made (thanks @tsale).
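As an added example that is not part of the issue or the repo, the following Python triages a constructed Zeek dce_rpc.log for the four RPC-driven categories the post lists (remote service creation, scheduled task creation, WMI and DCOM activation). The endpoint::operation names are assumed to follow Zeek's default dce_rpc naming as used by MITRE BZAR; check them against your own sensor's output before relying on them.

```python
"""Triage Zeek dce_rpc.log records for the RPC operations behind
remote service creation, scheduled tasks, WMI and DCOM activation."""

# Assumed mapping of Zeek "endpoint::operation" to the categories in the issue.
# Names follow Zeek's default dce_rpc interface/operation tables (BZAR-style).
SUSPICIOUS_OPS = {
    "svcctl::CreateServiceW": "remote service creation",
    "svcctl::CreateServiceA": "remote service creation",
    "atsvc::NetrJobAdd": "scheduled task creation (AT)",
    "ITaskSchedulerService::SchRpcRegisterTask": "scheduled task creation",
    "IWbemServices::ExecMethod": "WMI method execution",
    "ISystemActivator::RemoteCreateInstance": "DCOM activation (DCOMExec/Invoke-DCOM)",
    "IRemoteSCMActivator::RemoteCreateInstance": "DCOM activation (DCOMExec/Invoke-DCOM)",
}

# Constructed sample log in Zeek TSV format (hosts and uids are made up).
SAMPLE_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt\tnamed_pipe\tendpoint\toperation
1700000000.1\tC1\t10.0.0.5\t49700\t10.0.0.20\t135\t0.001\t-\tepmapper\tept_map
1700000000.2\tC2\t10.0.0.5\t49701\t10.0.0.20\t135\t0.002\t-\tISystemActivator\tRemoteCreateInstance
1700000000.3\tC3\t10.0.0.7\t49702\t10.0.0.21\t445\t0.003\t\\\\pipe\\\\svcctl\tsvcctl\tCreateServiceW
1700000000.4\tC4\t10.0.0.5\t49703\t10.0.0.20\t445\t0.001\t\\\\pipe\\\\atsvc\tatsvc\tNetrJobEnum
"""


def parse_zeek_tsv(text):
    """Yield one dict per record, naming columns from the #fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other directives, blank lines, or records before the header
        else:
            yield dict(zip(fields, line.split("\t")))


def triage(text):
    """Return (src, dst, endpoint::operation, category) for every matching record."""
    hits = []
    for rec in parse_zeek_tsv(text):
        key = f"{rec['endpoint']}::{rec['operation']}"
        if key in SUSPICIOUS_OPS:
            hits.append((rec["id.orig_h"], rec["id.resp_h"], key, SUSPICIOUS_OPS[key]))
    return hits


if __name__ == "__main__":
    for src, dst, op, why in triage(SAMPLE_LOG):
        print(f"{src} -> {dst}: {op} [{why}]")
```

Enumeration-only calls such as ept_map and NetrJobEnum are deliberately left out of the map so that routine endpoint-mapper and task-listing traffic does not page anyone.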