Burning Bridges - Stopping Lateral Movement via the RPC Firewall

Presented at Black Hat Europe 2021, Nov. 10, 2021, 10:20 a.m. (40 minutes)

In Windows-based environments, RPC is the main underlying protocol required for remote administration and for Active Directory services. As such, it is often used by IT admins, but also by ransomware and advanced attackers to spread by creating remote services, scheduled tasks, DCOM objects, etc. It is also a major component in the persistence phase of attacks such as Active Directory DCSync, and even in DC vulnerabilities such as Zerologon.

The issue for defenders is that defending against remote RPC attacks is not trivial. Unlike other protocols, such as RDP or WinRM, which can simply be blocked from untrusted assets, RPC plays a crucial part in Active Directory environments and has to be exposed to any asset in the network.

To add to the pain, built-in Windows auditing and filtering options are incredibly noisy and don’t offer enough granularity.

During our research into internal RPC mechanisms, we came up with a novel, yet practical approach that injects a “security layer” into the RPC runtime. This enables us to detect early reconnaissance efforts, block RPC-based lateral movement, and create allow-lists per RPC service. This significantly reduces the RPC attack surface without hurting the underlying service and does not incur major performance penalties.

Our tool, RPC Firewall, allows SOC teams to audit which remote hosts invoke RPC services over the network. This information is saved to Windows Event logs, which can later be ingested into the SIEM. Additionally, SOC teams can utilize the RPC Firewall to create customized rules to block many forms of lateral movement.

We’ve successfully proven that RPC Firewall can both detect and block known attacks, on top of which we also show how it can defend against novel undocumented RPC attacks which we uncovered. We pay particular attention to the use case of protecting Domain Controllers.

Presenters:

  • Sagie Dulce - Security Researcher, ZeroNetworks
    Sagie Dulce is a security researcher with over 10 years of experience in Cybersecurity. He has performed research in areas of deception, container security and applied security. Currently, Sagie is focused on practical methods to apply Zero Trust in complex environments.
