The dark side of Microsoft Remote Procedure Call protocols

What is MSRPC?

  • What binary was used to execute this method?
  • What if an environment doesn’t have great network telemetry?
  • How do defenders know how to relate activity back to the originating MSRPC protocol?


Protocol name

Interface UUID

Server binary


ATT&CK relation

Indicators of activity (IOA)

Prevention opportunities


Useful resources

How can I use this?

  • Increase visibility into this overlooked data source. Right now, there aren’t great RPC-explicit optics outside of network sensors. If an analyst runs across a binary communicating with many pipes that correlate to MSRPC protocols that expose methods allowing for enumeration, this project will help them confirm that someone is leveraging X protocol to achieve Y action.
  • Educate users about specific protocols. MSRPC to ATT&CK can be used like an encyclopedia, with comprehensive context about specific protocols and links to other relevant resources.
  • Compile all preventative measures in one place. Preventive measures are shared across Microsoft’s documentation, Twitter, and other miscellaneous tooling people have released. I wanted to collect all of that information and highlight specifics for the protocol of interest. If an organization decides not to take any of the preventive measures I mention, defenders may still gain insight into future detection opportunities.




Sr. Threat Researcher @ RedCanary

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Earn EQ Tokens On Staking Via xDOT

Unable to access internet from Linux Guest VM

{UPDATE} Hidden Object Summer Beach Vacation Spy Objects Hack Free Resources Generator

Emotet Malware

{UPDATE} Snowboard Champs Hack Free Resources Generator

What the EU’s General Data Protection Regulation Can Teach U.S. Businesses About Cybersecurity

Documentación Criptográfica Del Kernel Crypto Api

SANS Holiday Hack Challenge 2020: Objective 11b — Naughty/Nice List with Blockchain Investigation…

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jonathan Johnson

Jonathan Johnson

Sr. Threat Researcher @ RedCanary

More from Medium

Harness the power of Hyper-Contextual Advertising

Ukraine Under Cyber Siege 🏰 Defense Giant Hensoldt Hacked 🛡️ & Gen Z Security Lesson 👧🏾👦

Navigating the Cyber Security Landscape: The Fight Against Ransomware in 2022

Part 2 — Reconcile rapid digital transformation with security and compliance