Check out our RPC Firewall blog post to gain better understanding of RPC, RPC attacks and the solution: the RPC Firewall.
For any questions, issues, or simply to shout out – we would love to hear from you! Contact us at [email protected]
RPC is the underlying mechanism used for numerous lateral movement techniques, reconnaissance, relay attacks, or simply to exploit vulnerable RPC services.
DCSync attack? over RPC. Remote DCOM? over RPC. WMIC? over RPC. SharpHound? over RPC. PetitPotam? over RPC. PsExec? over RPC. ZeroLogon? over RPC… well, you get the idea 🙂
Research
Install the RPC Firewall and configure it to audit all remote RPC calls.
Once executing any remote attack tools, you will see which RPC UUIDs and Opnums were called remotely.
Remote RPC Attacks Detection
When the RPC Firewall is configured to audit, it writes events to the Windows Event Log.
Forward this log to your SIEM, and use it to create baselines of remote RPC traffic for your servers.
Once an abnormal RPC call is audited, use it to trigger an alert for your SOC team.
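The two passages above (Research: see which interface UUIDs and Opnums remote tools call; Detection: baseline remote RPC traffic and alert on deviations) describe the same workflow, so here is one added example of the SIEM-side logic, written for this page and not part of the RPC Firewall project. The "Key: Value" message layout, the field names and the sample events are constructed assumptions; adapt the regex to the actual message text your RPC Firewall version writes to the RPCFWP log. The interface UUIDs are the well-known MS-SRVS (srvsvc) and MS-DRSR (drsuapi) interfaces; DRSGetNCChanges (drsuapi opnum 3) is the call DCSync depends on.

```python
import re
from collections import Counter

# CONSTRUCTED sample audit messages in an ASSUMED "Key: Value" per line layout.
# Learning window: a known admin host enumerating shares via srvsvc (MS-SRVS,
# opnum 15 = NetrShareEnum) on this server.
BASELINE_WINDOW = [
    "Source Address: 10.0.0.15\nInterface UUID: 4b324fc8-1670-01d3-1278-5a47bf6ee188\nOpNum: 15\nProcess ID: 640\nAction: Audit",
    "Source Address: 10.0.0.15\nInterface UUID: 4b324fc8-1670-01d3-1278-5a47bf6ee188\nOpNum: 15\nProcess ID: 640\nAction: Audit",
    "Source Address: 10.0.0.16\nInterface UUID: 4b324fc8-1670-01d3-1278-5a47bf6ee188\nOpNum: 15\nProcess ID: 640\nAction: Audit",
]

# New events after the baseline was established (also CONSTRUCTED).
NEW_EVENTS = [
    # Same share enumeration from the same admin host: expected, no alert.
    "Source Address: 10.0.0.15\nInterface UUID: 4b324fc8-1670-01d3-1278-5a47bf6ee188\nOpNum: 15\nProcess ID: 640\nAction: Audit",
    # drsuapi (MS-DRSR) opnum 3 = DRSGetNCChanges from an address never seen
    # before: this is the replication call DCSync relies on, so it should alert.
    "Source Address: 10.0.0.77\nInterface UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2\nOpNum: 3\nProcess ID: 640\nAction: Audit",
]

# Interfaces worth alerting on even when the caller is in the baseline
# (well-known UUIDs; the annotations are for the analyst reading the alert).
HIGH_RISK_INTERFACES = {
    "e3514235-4b06-11d1-ab04-00c04fc2dcd2": "MS-DRSR directory replication (DCSync)",
}

# ASSUMED message format: one "Key: Value" field per line.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.+?)\s*$", re.MULTILINE)


def parse_event(message):
    """Turn one audit message into a dict of the fields the baseline needs."""
    fields = {m["key"].strip().lower(): m["value"] for m in FIELD_RE.finditer(message)}
    return {
        "source": fields.get("source address"),
        "uuid": fields.get("interface uuid", "").lower(),
        "opnum": int(fields.get("opnum", -1)),
    }


def call_key(event):
    """The tuple the baseline is keyed on: who called which interface/opnum."""
    return (event["source"], event["uuid"], event["opnum"])


def build_baseline(messages):
    """Count every (source, interface, opnum) triple seen in the learning window."""
    return Counter(call_key(parse_event(m)) for m in messages)


def find_anomalies(messages, baseline):
    """Return parsed events whose triple never appeared in the baseline,
    plus any call to a high-risk interface regardless of the caller."""
    anomalies = []
    for event in (parse_event(m) for m in messages):
        if call_key(event) not in baseline or event["uuid"] in HIGH_RISK_INTERFACES:
            anomalies.append(event)
    return anomalies


def describe(event):
    """One-line alert text for the SOC queue."""
    note = HIGH_RISK_INTERFACES.get(event["uuid"], "not in baseline")
    return f"{event['source']} -> {event['uuid']} opnum {event['opnum']} ({note})"


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOW)
    for event in find_anomalies(NEW_EVENTS, baseline):
        print("ALERT:", describe(event))
```

In a real deployment the learning window is the audit log forwarded to the SIEM over a quiet period per server, and the baseline key can be widened (for example by process ID) once you know which RPC servers each host legitimately exposes.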
Remote RPC Attacks Protection
The RPC Firewall can be configured to block & audit only potentially malicious RPC calls. All other RPC calls are not audited to reduce noise and improve performance.
Once a potentially malicious RPC call is detected, it is blocked and audited. This could be used to alert your SOC team, while keeping your servers protected.
The RPC Firewall is made up of 3 components:
- RpcFwManager.exe – In charge of managing the RPC Firewall.
- RpcFirewall.dll – Injected DLL which performs the audit & filtering of RPC calls.
- RpcMessages.dll – A common library for sharing functions, and logic that writes data into Windows Event Viewer.
Installing / Uninstalling
Installation simply drops the RPC Firewall DLLs into the %SystemRoot%\System32, and configures the RPCFWP application log for the Event Viewer.
RpcFwManager.exe /install
Uninstalling does the opposite.
RpcFwManager.exe /uninstall
Protecting Process(es)
The RpcFwManager tries to inject the rpcFirewall.dll only into processes which have RPCRT4.DLL loaded.
Once the rpcFirewall.dll is loaded, it verifies that the host process has a valid RPC interface, and is listening for remote connections.
Otherwise, the rpcFirewall.dll unloads itself from the target process.
If the process is a valid RPC server, the rpcFirewall starts to audit & monitor incoming RPC calls, according to the configuration file.
To protect a single process by pid:
RpcFwManager.exe /pid <pid>