Synopsis

| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | NDR Lateral Movement Analytics |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
The endpoint performed abnormal RPC activity via the Service Control Manager (SVCCTL) interface to a remote host.
Attacker's Goals
- Attackers may attempt to gain persistence or move laterally across the network by executing code on remote hosts using services.
- The Service Control Manager RPC interface is used to create and start services on a local or remote host.
Investigative actions
- Review the actions performed by services.exe on the remote host, where possible.
- Correlate the RPC call on the source host and identify which software initiated it.
- Verify that this is not legitimate IT activity.
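To make the synopsis values concrete, the following is an added illustration (not the detector's own implementation) of how a rarity baseline with the stated activation, training and deduplication periods can be applied to SVCCTL RPC records. The record format and all host names are constructed for the example.

```python
"""Rarity baseline for remote SVCCTL RPC activity (illustrative, not vendor code)."""
from datetime import datetime, timedelta

ACTIVATION = timedelta(days=14)  # no alerts until this much data has been observed
TRAINING = timedelta(days=30)    # a pair seen within this window is "known"
DEDUP = timedelta(days=1)        # suppress repeat alerts for the same pair

# Constructed sample records: (ISO timestamp, source host, target host, RPC interface)
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "admin-ws01", "srv-file01", "svcctl"),  # within activation
    ("2024-03-10T09:00:00", "admin-ws01", "srv-file01", "svcctl"),  # within activation
    ("2024-03-20T09:00:00", "admin-ws01", "srv-file01", "svcctl"),  # known pair
    ("2024-03-21T14:05:00", "hr-ws07", "dc01", "svcctl"),           # never seen -> alert
    ("2024-03-21T14:06:00", "hr-ws07", "dc01", "srvsvc"),           # other interface, ignored
    ("2024-03-21T14:30:00", "hr-ws07", "dc01", "svcctl"),           # repeat within 1 day
    ("2024-03-22T15:00:00", "hr-ws07", "dc01", "svcctl"),           # now in baseline
    ("2024-04-25T09:00:00", "admin-ws01", "srv-file01", "svcctl"),  # baseline aged out
]


def find_rare_svcctl(events, activation=ACTIVATION, training=TRAINING, dedup=DEDUP):
    """Return (timestamp, source, target) for SVCCTL pairs absent from the
    training window. The baseline only contains days before the current one,
    so repeats on the same day are handled by the deduplication period."""
    svc = sorted(e for e in events if e[3].lower() == "svcctl")
    if not svc:
        return []
    first_ts = datetime.fromisoformat(svc[0][0])
    baseline = {}      # (src, dst) -> last day observed before the current day
    pending = []       # today's observations, merged into baseline at day change
    last_alert = {}    # (src, dst) -> time of the last alert raised
    current_day = None
    alerts = []
    for ts_str, src, dst, _ in svc:
        ts = datetime.fromisoformat(ts_str)
        if ts.date() != current_day:           # roll the baseline forward one day
            for key, day in pending:
                baseline[key] = day
            pending, current_day = [], ts.date()
        key = (src, dst)
        last_day = baseline.get(key)
        known = last_day is not None and (ts.date() - last_day) <= training
        if ts - first_ts >= activation and not known:
            prev = last_alert.get(key)
            if prev is None or ts - prev >= dedup:
                alerts.append((ts_str, src, dst))
                last_alert[key] = ts
        pending.append((key, ts.date()))
    return alerts


if __name__ == "__main__":
    for alert in find_rare_svcctl(SAMPLE_EVENTS):
        print("rare SVCCTL activity:", alert)
```

Each alert maps onto the investigative actions above: the source host and initiating software on one side, the services.exe activity on the target host on the other.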
Variations
Rare remote service creation and initiation via Remote Service (SVCCTL) RPC interface
Rare remote service change or creation via Remote Service (SVCCTL) RPC interface
Rare Remote Service (SVCCTL) RPC activity