dcerpc_brute_internal_external
Explanation
This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against the Distributed Computing Environment (DCE)/Remote Procedure Call (RPC) Endpoint Mapper service. DCE/RPC allows software developers to write code that executes on remote hosts without having to implement the underlying network protocols. Unexpected DCE/RPC activity can indicate a lateral movement attack, which generally requires administrator credentials valid on the remote host. This event specifically looks for activity emanating from your network toward SMB servers on the Internet.
What to Look For
Brute force attacks launched from your network may indicate that your network is compromised. Investigate the hosts that are the source of this activity to confirm that it is authorized and expected and that the hosts have not been compromised.
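A triage sketch for finding the source hosts described above. It is an added example, not Netography's detection logic. It assumes flow records are available as tuples, that internal hosts sit in RFC 1918 space, and that a burst of flows to the Endpoint Mapper port (TCP 135) stands in for repeated authentication attempts; the window, threshold and sample flows are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example (not Netography's detection parameters):
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EPMAP_PORT = 135        # TCP port of the DCE/RPC Endpoint Mapper
WINDOW_SECONDS = 300    # span in which flows are counted together
MIN_FLOWS = 20          # flows per source/destination pair inside one window

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def peak_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any window-long span."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_outbound_epmap_bursts(flows):
    """Return {(src, dst): peak} for internal -> external TCP/135 bursts."""
    per_pair = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        outbound = is_internal(src) and not is_internal(dst)
        if proto == "tcp" and dport == EPMAP_PORT and outbound:
            per_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in per_pair.items():
        peak = peak_in_window(stamps, WINDOW_SECONDS)
        if peak >= MIN_FLOWS:
            hits[pair] = peak
    return hits

# Constructed sample flows: (epoch_seconds, src, dst, dst_port, protocol)
SAMPLE_FLOWS = (
    [(1000 + 4 * i, "10.0.5.23", "203.0.113.10", 135, "tcp") for i in range(30)]      # burst
    + [(1000 + 600 * i, "10.0.5.40", "198.51.100.7", 135, "tcp") for i in range(25)]  # slow
    + [(1000 + i, "10.0.5.23", "10.0.9.1", 135, "tcp") for i in range(40)]            # internal only
    + [(1000 + i, "203.0.113.10", "10.0.5.23", 135, "tcp") for i in range(40)]        # inbound
)

if __name__ == "__main__":
    for (src, dst), peak in find_outbound_epmap_bursts(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {peak} flows to tcp/{EPMAP_PORT} in {WINDOW_SECONDS}s")
```

Flow records carry no authentication outcome, so a hit here only identifies a host to investigate; confirming password guessing needs logs from the source host or the destination service.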
Related MITRE ATT&CK Categories