Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Analytics |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
An unusual Remote Procedure Call (RPC) was made that could be used to coerce authentication.
Attacker's Goals
- An attacker can abuse Remote Procedure Calls to coerce servers into authenticating.
Investigative actions
- Check for a suspicious process on the initiator.
- Check if the source host is a vulnerability scanner.
- Check for unusual connections from {actor_remote_ip} to other servers in the network.
- Check which users are logged in to {actor_remote_ip} and investigate their actions.
- Check for indicators of compromise on {actor_remote_ip}.
Variations
- Possible authentication coercion from unconstrained delegation server to a sensitive server
- Possible authentication coercion to a sensitive server