(dcerpc2) Connection-oriented DCE/RPC – Invalid major version

This event is raised by the dcerpc2 preprocessor when a connection-oriented DCE/RPC PDU (carried over TCP, or inside SMB named-pipe traffic) has a major version field that is not valid for the protocol. Every connection-oriented PDU starts with a 16-byte common header whose first byte is the major version (rpc_vers) and whose second byte is the minor version; the only major version defined for DCE/RPC is 5, so any other value fails the check. A PDU that trips this event was either produced by something that does not actually speak DCE/RPC, is deliberately malformed traffic aimed at the destination's RPC parser, or is a byte sequence that did not begin at a PDU boundary (for example a stream reassembled from out-of-order or fragmented segments). The alert therefore indicates a possible attack or a misconfiguration rather than a confirmed compromise: capture the offending PDU and the surrounding stream, check whether the source normally speaks DCE/RPC to the destination, and investigate further before taking mitigating action.
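The check behind this event, as an added example that is not Radiflow's or the dcerpc2 preprocessor's own code: it decodes the 16-byte connection-oriented header, walks a reassembled stream PDU by PDU using frag_length, and reports any header whose rpc_vers is not 5. The header layout and the version rule come from the DCE 1.1 RPC specification (C706); the bind and bind_ack PDUs, the PDU with major version 4, and the "misaligned" stream missing its first five bytes are all constructed samples, the last one showing how a lost or out-of-order segment makes legitimate traffic look like an invalid-major-version PDU.

```python
"""Connection-oriented DCE/RPC common-header parse plus the major-version check.

Example code added for this entry; not Radiflow's or Snort's implementation.
Header layout and the rule "rpc_vers must be 5" follow the DCE 1.1 RPC
specification (C706); every PDU below is a constructed sample.
"""
import struct
from dataclasses import dataclass

DCERPC_MAJOR_VERSION = 5   # rpc_vers: the only major version defined for DCE/RPC
CO_HEADER_LEN = 16         # size of the common connection-oriented PDU header
PTYPE_BIND, PTYPE_BIND_ACK = 11, 12


@dataclass
class CoHeader:
    rpc_vers: int
    rpc_vers_minor: int
    ptype: int
    pfc_flags: int
    drep: bytes
    frag_length: int
    auth_length: int
    call_id: int


def parse_co_header(buf: bytes) -> CoHeader:
    """Decode the 16-byte common header at the start of buf.

    Bytes 0-3 are single octets; frag_length, auth_length and call_id use the
    byte order signalled by bit 4 of drep[0] (1 = little-endian, 0 = big-endian).
    """
    if len(buf) < CO_HEADER_LEN:
        raise ValueError("buffer shorter than a DCE/RPC CO header")
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = struct.unpack_from("BBBB", buf, 0)
    drep = bytes(buf[4:8])
    endian = "<" if drep[0] & 0x10 else ">"
    frag_length, auth_length, call_id = struct.unpack_from(endian + "HHI", buf, 8)
    return CoHeader(rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep,
                    frag_length, auth_length, call_id)


def scan_stream(stream: bytes) -> list[tuple[int, int]]:
    """Walk a reassembled TCP stream PDU by PDU, as a preprocessor would.

    Returns (offset, rpc_vers) for every header whose major version is not 5.
    Scanning stops at the first bad header because its frag_length cannot be
    trusted to locate the next PDU.
    """
    events = []
    off = 0
    while off + CO_HEADER_LEN <= len(stream):
        hdr = parse_co_header(stream[off:])
        if hdr.rpc_vers != DCERPC_MAJOR_VERSION:
            events.append((off, hdr.rpc_vers))
            break
        if hdr.frag_length < CO_HEADER_LEN:
            break  # malformed length; a separate condition, not reported here
        off += hdr.frag_length
    return events


def make_co_pdu(ptype: int, body: bytes, rpc_vers: int = DCERPC_MAJOR_VERSION,
                call_id: int = 1) -> bytes:
    """Build a little-endian CO PDU (drep 0x10) with first/last fragment flags set."""
    frag_length = CO_HEADER_LEN + len(body)
    header = struct.pack("<BBBB4sHHI", rpc_vers, 0, ptype, 0x03,
                         b"\x10\x00\x00\x00", frag_length, 0, call_id)
    return header + body


# Constructed samples: bodies are zero-filled placeholders of realistic length.
SAMPLE_BIND = make_co_pdu(PTYPE_BIND, b"\x00" * 56)          # 72-byte bind
SAMPLE_BIND_ACK = make_co_pdu(PTYPE_BIND_ACK, b"\x00" * 20)  # 36-byte bind_ack
SAMPLE_BAD_VERSION = make_co_pdu(PTYPE_BIND, b"\x00" * 56, rpc_vers=4)
SAMPLE_STREAM = SAMPLE_BIND + SAMPLE_BIND_ACK
# The same legitimate stream with its first five bytes missing, as seen when the
# segment carrying the PDU start is lost or arrives out of order: byte 5 of the
# bind header (0x00) is now read as rpc_vers.
SAMPLE_MISALIGNED = SAMPLE_STREAM[5:]


if __name__ == "__main__":
    for name, data in [("clean", SAMPLE_STREAM), ("bad version", SAMPLE_BAD_VERSION),
                       ("misaligned", SAMPLE_MISALIGNED)]:
        print(f"{name:12s} -> {scan_stream(data)}")
```

The clean stream produces no event, the PDU with rpc_vers 4 produces one at offset 0, and the misaligned stream also produces one (with rpc_vers 0) even though the underlying traffic is well-formed; when triaging this alert, confirm from the capture that the inspected bytes really sit at a PDU boundary before treating the version as attacker-chosen.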

ID Number

9000019

Signature

-

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

If this alert is triggered repeatedly as a false positive, it can be disabled. From Radiflow's experience, it is also triggered when packets of the RPC protocol reach ISID out of order or fragmented, so that the bytes inspected as a PDU header are not actually the start of a PDU; checking the capture for a clean PDU boundary at the alerted offset separates these cases from genuinely malformed traffic. If there is any suspicion, it is also recommended to run an antimalware scan on the destination asset.