The dark side of Microsoft Remote Procedure Call protocols

What is MSRPC?

  • What binary was used to execute this method?
  • What if an environment doesn’t have great network telemetry?
  • How do defenders relate observed activity back to the MSRPC protocol that originated it?

MSRPC to ATT&CK

Each protocol entry in the project records the following fields:

  • Protocol name
  • Interface UUID
  • Server binary
  • Endpoint
  • ATT&CK relation
  • Indicators of activity (IOA)
  • Prevention opportunities
  • Notes
  • Useful resources

Useful resources

How can I use this?

  • Increase visibility into this overlooked data source. Right now there aren’t great RPC-explicit optics outside of network sensors. If an analyst sees a binary talking to several named pipes that map to MSRPC protocols exposing enumeration methods, this project helps them confirm that someone is using protocol X to achieve action Y.
  • Educate users about specific protocols. MSRPC to ATT&CK can be used like an encyclopedia, with context about each protocol and links to other relevant resources.
  • Compile preventive measures in one place. Preventive measures are scattered across Microsoft’s documentation, Twitter, and miscellaneous tooling people have released. I wanted to collect that information and highlight the specifics for the protocol of interest. Even if an organization decides not to adopt a preventive measure I mention, defenders still gain insight into future detection opportunities.
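As an added example (not code from this post or from the MSRPC to ATT&CK project), the Python below takes constructed named-pipe connection records in the shape of Sysmon Event ID 18 (PipeConnected), annotates each with the fields the project records for a protocol (protocol name, interface UUID, server binary, ATT&CK relation), and flags any process that touched several pipes backing enumeration-capable interfaces. The interface subset, the ATT&CK pairings, the choice of which interfaces count as "enumeration" and the sample events are this example's own assumptions for illustration, not the project's table.

```python
"""Map named-pipe connections back to MSRPC interfaces and flag enumeration.

Added example for this post, not code from the MSRPC to ATT&CK project.
The interface subset, the ATT&CK pairings and the sample events are
assumptions chosen to illustrate the project's schema.
"""
from collections import defaultdict

# Pipe name -> (protocol, interface UUID, server binary, ATT&CK technique).
# Illustrative subset; the ATT&CK pairing is this example's assumption.
PIPE_TO_INTERFACE = {
    "samr":   ("MS-SAMR", "12345778-1234-abcd-ef00-0123456789ac", "lsass.exe",    "T1087.002"),
    "lsarpc": ("MS-LSAD", "12345778-1234-abcd-ef00-0123456789ab", "lsass.exe",    "T1069.002"),
    "srvsvc": ("MS-SRVS", "4b324fc8-1670-01d3-1278-5a47bf6ee188", "svchost.exe",  "T1135"),
    "svcctl": ("MS-SCMR", "367abb81-9844-35f1-ad32-98f038001003", "services.exe", "T1569.002"),
    "atsvc":  ("MS-TSCH", "1ff70682-0a51-30e8-076d-740be8cee98b", "svchost.exe",  "T1053.002"),
}

# Interfaces whose methods are commonly used for enumeration (assumption).
ENUMERATION_PIPES = {"samr", "lsarpc", "srvsvc"}

# Constructed events in the shape of Sysmon Event ID 18 (PipeConnected):
# connecting process image plus pipe name. Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\recon.exe", "PipeName": r"\samr"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\recon.exe", "PipeName": r"\lsarpc"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\recon.exe", "PipeName": r"\srvsvc"},
    {"Image": r"C:\Windows\System32\svchost.exe",            "PipeName": r"\srvsvc"},
    {"Image": r"C:\Windows\System32\mmc.exe",                "PipeName": r"\svcctl"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\recon.exe", "PipeName": r"\unknownpipe"},
]


def normalize_pipe(name: str) -> str:
    """Reduce '\\pipe\\SAMR', '\\samr' or 'samr' to the bare lower-case name."""
    return name.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def annotate(events):
    """Attach protocol, UUID, server binary and ATT&CK ID to each mapped event."""
    out = []
    for ev in events:
        pipe = normalize_pipe(ev["PipeName"])
        if pipe not in PIPE_TO_INTERFACE:
            continue  # unknown pipe: surfaced by unmapped_pipes()
        proto, uuid, server, technique = PIPE_TO_INTERFACE[pipe]
        out.append({"image": ev["Image"], "pipe": pipe, "protocol": proto,
                    "uuid": uuid, "server_binary": server, "technique": technique})
    return out


def unmapped_pipes(events):
    """Pipes the lookup table does not know about: research leads, not noise."""
    return {normalize_pipe(ev["PipeName"]) for ev in events} - set(PIPE_TO_INTERFACE)


def flag_enumerators(events, threshold=2):
    """Images that touched at least `threshold` distinct enumeration pipes."""
    seen = defaultdict(set)
    for ev in events:
        pipe = normalize_pipe(ev["PipeName"])
        if pipe in ENUMERATION_PIPES:
            seen[ev["Image"]].add(pipe)
    return {img: sorted(pipes) for img, pipes in seen.items() if len(pipes) >= threshold}


if __name__ == "__main__":
    for rec in annotate(SAMPLE_EVENTS):
        print(f'{rec["image"]} -> \\{rec["pipe"]} ({rec["protocol"]}, {rec["uuid"]}, '
              f'served by {rec["server_binary"]}, {rec["technique"]})')
    print("unmapped pipes:", unmapped_pipes(SAMPLE_EVENTS))
    print("possible enumeration:", flag_enumerators(SAMPLE_EVENTS))
```

Two caveats for anyone adapting this. The lookup table is the whole detection: keep it populated from the project's entries rather than from memory, and treat an unmapped pipe as something to research, not something to drop. And pipe telemetry only covers RPC carried over SMB named pipes (ncacn_np); a client that binds the same interface over TCP (ncacn_ip_tcp) never opens a pipe, which is exactly the gap behind the question above about environments without good network telemetry.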

Jonathan Johnson, Sr. Threat Researcher @ RedCanary
