dcerpc_brute_external_internal
Explanation
This event is triggered by Netography's Fusion Portal when it detects a brute-force password-guessing attack against the Distributed Computing Environment (DCE)/Remote Procedure Calls (RPC) Endpoint Mapper service. DCE/RPC allows software developers to write code that executes on remote hosts without writing the underlying network protocols. Unexpected DCE/RPC activity can indicate a lateral movement attack, which generally requires administrator credentials valid on the remote host. This event specifically looks for activity from the Internet toward Internet-facing Windows servers on your network.
What to Look For
Under most circumstances, the DCE/RPC Endpoint Mapper service should not be directly exposed to the Internet. Ensure that strong passwords are in use to prevent successful attacks. Check network logs for additional information and review endpoint security to ensure that sensitive information is secure.
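One way to carry out the network log check above, as an added example that is not Netography's detection logic: it scans flow records for external sources making repeated connections to internal hosts on TCP port 135, the Endpoint Mapper port. Flow records carry no authentication results, so repeated connections stand in for guessing attempts. The internal prefixes, threshold, window, record layout and sample flows are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumptions (not from Netography): internal prefixes, threshold, and window.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]
EPMAP_PORT = 135        # TCP port of the DCE/RPC Endpoint Mapper
THRESHOLD = 5           # connections from one source to one server...
WINDOW_SECONDS = 60     # ...within this many seconds

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_epmap_bursts(flows, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {(src, dst): peak_count} for external->internal TCP/135 bursts."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    peaks = {}
    for ts, src, dst, proto, dport in sorted(flows):
        if proto != "tcp" or dport != EPMAP_PORT:
            continue
        if is_internal(src) or not is_internal(dst):
            continue              # keep only the Internet -> internal direction
        q = recent[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop connections older than the window
        if len(q) >= threshold:
            peaks[(src, dst)] = max(peaks.get((src, dst), 0), len(q))
    return peaks

# Constructed sample flow records: (epoch_seconds, src, dst, proto, dst_port)
SAMPLE_FLOWS = (
    # external source, 8 connections in 35 seconds: should be reported
    [(1000 + 5 * i, "203.0.113.7", "198.51.100.10", "tcp", 135) for i in range(8)]
    # external source, one connection every 100 seconds: below the threshold
    + [(1000 + 100 * i, "203.0.113.9", "198.51.100.10", "tcp", 135) for i in range(6)]
    # internal source: wrong direction for this event
    + [(1000 + i, "10.1.2.3", "198.51.100.10", "tcp", 135) for i in range(20)]
    # external source on another port: not the Endpoint Mapper
    + [(1000 + i, "203.0.113.7", "198.51.100.10", "tcp", 443) for i in range(20)]
)

if __name__ == "__main__":
    for (src, dst), count in find_epmap_bursts(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {count} TCP/135 flows within {WINDOW_SECONDS}s")
```

Any source it reports is also a reminder that TCP/135 on that server is reachable from the Internet, which the guidance above says should normally not be the case.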
Related MITRE ATT&CK Categories