Skip to content

Latest commit

 

History

History
64 lines (55 loc) · 4.96 KB

README.md

File metadata and controls

64 lines (55 loc) · 4.96 KB

MSRPC-To-ATT&CK

A repository that maps commonly used MSRPC protocols to Mitre ATT&CK while providing context around potential indicators of activity, prevention opportunities, and related RPC information.

List of MSRPC Protcols:

MITRE ATT&CK Navigator:

Contents:

Each document will hold information about the following:

  • Protocol Name
  • Interface UUID
  • Server Binary (where the server code is stored, if it is loaded into another binary then the binary name image that loaded the server code.)
  • Endpoint (transport protocol - ncacn_np and/or ncacn_ip_tcp)
  • ATT&CK Relation
  • Indicator of Activity (IOA)
  • Prevention Opportunities
    • Default RPC Filters will show that the remote_user_token that is allowed to communicate over the interface are Domain Admins (DA). This isn't the best route to go however; create a group specific to the action you want to take and apply that SID to the DACL within the SDDL string. This comes from a conversation that was had with Andrew Robbins. He suggests restricting domain admins interactive logons on DCs.
    • Great resource for understanding RPC Filters: https://www.tiraniddo.dev/2021/08/how-windows-firewall-rpc-filter-works.html
    • Filters were tested in a lab, not in a production environment. They may require tuning. Proceed with caution.
  • Notes
  • Useful Resources

Recognition:

Thank you to the following for giving feedback:

  • James Forshaw
  • Olaf Hartong
  • Red Canary's Detection Enablement Team