Burning Bridges - Stopping Lateral Movement via the RPC Firewall

Black Hat via YouTube

Overview

Explore the critical role of Remote Procedure Call (RPC) in Windows environments and its exploitation by ransomware and advanced attackers in this 37-minute Black Hat conference talk. Delve into the challenges of defending against remote RPC attacks and discover a potential solution with the RPC Firewall. Learn about DCE/RPC terminology, runtime libraries, and available resources and tools. Witness RPC attack demonstrations and understand why traditional blocking methods fall short. Examine the limitations of out-of-the-box events, incomplete RPC ETW, and the difficulties in RPC hunting. Get acquainted with RPCFirewall through a quick demo, and gain insights into its internals, event logs, debug messages, commands, and configuration. Explore the research cycle behind this solution and learn how to create deny lists to enhance your network's security against lateral movement attacks.

Syllabus

Intro
whoareyou.exe?
Remote Procedure Call
DCE/RPC Terminology
Runtime Library
Resources and Tools
RPC attacks demo
RPC Can't Be Easily Blocked
Why a Talk on RPC?
No OOTB Events
RPC ETW Incomplete
RPC hunting is hard
If You Can't Detect, Can You Block?
RPC Filters are buggy / lacking
Goals
RPCFirewall Quick Demo
RPCFW Internals
Event Logs
Debug Messages
Commands
Configuration
No Performance Penalty (audit:false)
Other Considerations
Research Cycle
Example: Creating Deny Lists

Taught by

Black Hat
