Kali Linux

RPC Firewall : Stopping Lateral Movement via the RPC Firewall

RPC Firewall is the underlying mechanism which is used for numerous lateral movement techniques, 
reconnaissances
relay attacks, or simply to exploit vulnerable RPC services.

DCSync attack? over RPC. Remote DCOM? over RPC. WMIC? over RPC. SharpHound? over RPC. PetitPotam? over RPC. PsExec? over RPC. ZeroLogon? over RPC… well, you get the idea 🙂

What is it used for?

Research

Install the RPC Firewall and configure it to audit all remote RPC calls. Once executing any remote attack tools, you will see which RPC UUIDs and Opnums were called remotely.

Remote RPC Attacks Detection

When the RPC Firewall is configured to audit, it write events to the Windows Event Log.

Forward this log to your SIEM, and use it to create baselines of remote RPC traffic for your servers.

Once an abnormal RPC call is audited, use it to trigger an alert for your SOC team.

Remote RPC Attacks Protection

The RPC Firewall can be configured to block & audit only potentially malicious RPC calls. All other RPC calls are not audited to reduce noise and improve performance.

Once a potentially malicious RPC call is detected, it is blocked and audited. This could be used to alert your SOC team, while keeping your servers protected.

What are the RPC Firewall Components?

It is made up from 3 components:

  • RpcFwManager.exe – In charge of managing the RPC Firewall.
  • RpcFirewall.dll – Injected DLL which performs the audit & filtering of RPC calls.
  • RpcMessages.dll – A common library for sharing functions, and logic that writes data into Windows Event Viewer.

How to use?

Installing / Uninstalling

Installation simply drops the RPC Firewall DLLs into the %SystemRoot%\System32, and configures the RPCFWP application log for the Event Viewer.

Make sure the event viewer is closed during install/uninstall.

RpcFwManager.exe /install

Uninstalling does the opposite.

RpcFwManager.exe /uninstall

Protecting Process(es)

The RpcFwManager tried to inject the rpcFirewall.dll only to processes which have the RPCRT4.DLL loaded into them.

Once the rpcFirewall.dll is loaded, it verifies that the host process has a valid RPC interface, and is listening for remote connections.

Otherwise, the rpcFirewall.dll unloaded itself from the target process.

If the process is a valid RPC server, the rpcFirewall starts to audit & monitor incoming RPC calls, according to the configuration file.

To protect a single process by pid:

RpcFwManager.exe /pid

To protect a single process by name:

RpcFwManager.exe /process

To protect all process, simply leave the or parametes blank.

RpcFwManager.exe /process
RpcFwManager.exe /pid

Unprotecting Processes

To disable the RPC Firewall, either uninstall it, or use the unprotect parameter:

RpcFwManager.exe /unprotect

This will unload the rpcFirewall.dll from all processes.

Persistency

RPC Firewall is not persistent on its own. One method of making sure that processes are continuesly protected is to create a scheduled task that executes a protection command. The following is a powershell command which does just that, just replace <RPCFW_PATH> with the path actual path to the RPC Firewall release folder.

Register-ScheduledTask -TaskName “RPCFW” -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 60)) -User “NT AUTHORITY\SYSTEM” -Action (New-ScheduledTaskAction -Execute “rpcFwManager.exe” -Argument “/pid” -WorkingDirectory “”)

Configuration

The rpcFwManager.exe looks for a RpcFw.conf file, in the same directory of the executable. This file uses the following configuration options:

  • uuid -> match a specific uuid
  • opnum -> match a RPC opnum
  • addr -> match a remote IP address
  • action -> can be either allow or block (default allow)
  • audit -> true or false, controls whether events are written to the RPCFWP log (default false)
  • verbose -> when true, outputs debug informaiton for specific RPC calls (default false)

The configuration order is important, as the first match determines the outcome of the RPC call.

For example, the following configuration will protect a DC from a DCSync attack by disabling the MS-DRSR UUID from non-domain machines. Also, notice that audit is enabled only for blocked MS-DRSR attempts, which could alert your SOC to a potential attack!

uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 addr: action:allow
uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 addr: action:allow
uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 action:block audit:true

Whenever the configuration changes, you need to notify the rpcFirewall.dll via the update command:

RpcFwManager.exe /update

R K

Recent Posts

Bomber : Navigating Security Vulnerabilities In SBOMs

bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…

9 hours ago

EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In PNG Files

Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…

9 hours ago

Exploit Street – Navigating The New Terrain Of Windows LPEs

Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…

2 days ago

ShadowDumper – Advanced Techniques For LSASS Memory Extraction

Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…

3 days ago

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

2 weeks ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

3 weeks ago