Unusual Encrypting File System Remote call (EFSRPC) to domain controller

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2025-05-13

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent with eXtended Threat Hunting (XTH)
Detection Modules	Identity Analytics
Detector Tags
ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
Severity	Low

Description

An unusual Encrypting File System Remote call (EFSRPC) was made to a domain controller.

Attacker's Goals

An attacker can abuse the Encrypting File System Remote Protocol to coerce an authentication from a DC.
This authentication can later be used for obtaining a DC certificate for DCSync.

Investigative actions

Check for a suspicious process on the initiator.
Check if the source host is a vulnerability scanner.
Check for unusual connections from the server of the requested file location (it may be a relay server).
Look for unusual AD CS certificate requests.
Look for following suspicious connections using the DC machine account.
Check for possible DCSync alerts.

Variations

A suspicious Encrypting File System Remote call (EFSRPC) was made to a domain controller

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Medium

Description

An unusual Encrypting File System Remote call (EFSRPC) was made to a domain controller.

Attacker's Goals

An attacker can abuse the Encrypting File System Remote Protocol to coerce an authentication from a DC.
This authentication can later be used for obtaining a DC certificate for DCSync.

Investigative actions

Check for a suspicious process on the initiator.
Check if the source host is a vulnerability scanner.
Check for unusual connections from the server of the requested file location (it may be a relay server).
Look for unusual AD CS certificate requests.
Look for following suspicious connections using the DC machine account.
Check for possible DCSync alerts.

Abnormal Encrypting File System Remote call (EFSRPC) to domain controller using EfsRpcFileKeyInfo for the first time

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Low

Description

An abnormal EfsRpcFileKeyInfo Encrypting File System Remote call (EFSRPC) was made to a domain controller for the first time.

Attacker's Goals

An attacker can abuse the Encrypting File System Remote Protocol to coerce an authentication from a DC.
This authentication can later be used for obtaining a DC certificate for DCSync.

Investigative actions

Check for a suspicious process on the initiator.
Check if the source host is a vulnerability scanner.
Check for unusual connections from the server of the requested file location (it may be a relay server).
Look for unusual AD CS certificate requests.
Look for following suspicious connections using the DC machine account.
Check for possible DCSync alerts.

Abnormal Encrypting File System Remote call (EFSRPC) to domain controller using EfsRpcFileKeyInfo

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Informational

Description

An abnormal EfsRpcFileKeyInfo Encrypting File System Remote call (EFSRPC) was made to a domain controller.

Attacker's Goals

An attacker can abuse the Encrypting File System Remote Protocol to coerce an authentication from a DC.
This authentication can later be used for obtaining a DC certificate for DCSync.

Investigative actions

Check for a suspicious process on the initiator.
Check if the source host is a vulnerability scanner.
Check for unusual connections from the server of the requested file location (it may be a relay server).
Look for unusual AD CS certificate requests.
Look for following suspicious connections using the DC machine account.
Check for possible DCSync alerts.