Lifting the Fog of War - Monitoring, Identifying and Mitigating MS-RPC Based Threats
Monitoring and mitigating MS-RPC based threats: implementing RPC filters, detecting lateral movement attempts, and blocking attacks that abuse the Windows RPC protocol.
- RPC (Remote Procedure Call) is a Windows protocol that lets a program expose procedures (capabilities) that other programs can invoke.
- The server (the talk calls it the provider) exposes the capabilities; the client makes requests for them.
- The RPC runtime, implemented in rpcrt4.dll, handles the marshalling, transport and dispatch of RPC requests on both sides.
- RPC can run over several transports, including TCP and SMB named pipes.
- RPC allows for communication between programs on different machines.
- Implementing RPC filters (the RPC layer of the Windows Filtering Platform, managed with `netsh rpc filter`) lets defenders monitor and identify MS-RPC based threats.
- RPC filters can audit and block calls to specific RPC interfaces.
- The ETW (Event Tracing for Windows) RPC provider is used to record and analyse RPC events.
- MS-RPC (Microsoft RPC) is a particular implementation of RPC and is the focus of this talk.
- RPC can be used to bypass security mechanisms or exploit vulnerabilities.
- Implementing RPC filters is an important part of defending Windows networks.
- RPC filters can be used to detect lateral movement attempts, which commonly rely on RPC interfaces such as remote service and scheduled-task management.
- An RPC interface is identified by a UUID; within it, opnums (operation numbers) identify the individual procedures, so a filter or detection can target one specific call.
- RPC filters can be used to detect and block attacks such as PetitPotam, which abuses the MS-EFSRPC interface.
- RPC abuse is not historical: it features in ongoing, real-world attacks.
- Because RPC filters match on concrete attributes (interface UUID, authentication level, caller identity, source address), they can be scoped tightly and produce few false positives in normal network environments.
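The following PowerShell is an added worked example, not code from the talk or its speakers. It puts the points above together on one host: it installs RPC filters that block (and audit) the two MS-EFSRPC interface UUIDs that PetitPotam coerces, shows the installed filters, and records RPC activity with the Microsoft-Windows-RPC ETW provider so that calls can be inspected by interface UUID. The two UUIDs are the real MS-EFSRPC interface identifiers; the `netsh rpc filter` parameter names are assumed to match the built-in help on current Windows builds (check `netsh rpc filter add rule` on your version), and the session name `RpcWatch` and the 60-second capture window are arbitrary choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the talk): block + audit MS-EFSRPC with RPC filters and
# trace RPC calls with ETW. Run in an elevated PowerShell on a test host first.

# Real MS-EFSRPC interface UUIDs (the interface PetitPotam abuses); the same
# interface is reachable over two named pipes, hence two UUIDs.
$EfsrpcUuids = @(
    'c681d488-d850-11d0-8c52-00c04fd90f7e'   # MS-EFSRPC over \pipe\efsrpc
    'df1941c5-fe89-4e79-bf10-463657acf44d'   # MS-EFSRPC over \pipe\lsarpc
)

function Add-RpcInterfaceBlock {
    # netsh stages a rule and its conditions, then 'add filter' commits them.
    # layer=um filters at the user-mode RPC layer; audit=enable logs matches
    # (parameter names assumed from netsh's own help, see lead-in).
    param([Parameter(Mandatory)][string]$InterfaceUuid)
    netsh rpc filter add rule layer=um actiontype=block audit=enable | Out-Null
    netsh rpc filter add condition field=if_uuid matchtype=equal data=$InterfaceUuid | Out-Null
    netsh rpc filter add filter
}

foreach ($uuid in $EfsrpcUuids) { Add-RpcInterfaceBlock -InterfaceUuid $uuid }

# Verify: every installed filter is listed with its filterKey (a GUID) and conditions.
netsh rpc filter show filter

# Monitor: the Microsoft-Windows-RPC ETW provider emits an event per RPC call with
# the interface UUID, opnum and endpoint. Capture for 60 s (arbitrary) and stop.
$etl = Join-Path $env:TEMP 'RpcWatch.etl'
logman start RpcWatch -p Microsoft-Windows-RPC -o $etl -ets | Out-Null
Start-Sleep -Seconds 60
logman stop RpcWatch -ets | Out-Null

# Triage: Get-WinEvent reads .etl files directly. A coarse text match on the
# interface UUID is enough to see who still tried to reach EFSRPC while the
# filter was in place; refine on the event's opnum/caller fields as needed.
Get-WinEvent -Path $etl -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $m = $_.Message; $EfsrpcUuids | Where-Object { $m -match $_ } } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# Roll back after testing (one call per filterKey shown by 'show filter'):
#   netsh rpc filter delete filter filterkey=<GUID>
```

Blocking an interface outright is the blunt form; the same `add condition` step accepts other fields (authentication level, caller identity, source address), so a production filter can permit a known management host or account and block the rest, which is what keeps the false-positive rate low in a normal environment.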