Full Report
Using the Windows Remote Procedure Call (RPC) interface is an interesting concept when considering the fact that it allows you to call functions in a remote process, over the network. I wanted to better understand how RPC worked, and decided to build my own RPC interface to help with that. As a result, I wrote an RPC interface that will spawn a reverse shell given an IP address and a port. In this post I’ll show you how to do just that and what I learnt in a few sections:
Analysis Summary
# Tool/Technique: Custom RPC Interface for Reverse Shell
## Overview
This entry describes a custom-built Windows Remote Procedure Call (RPC) interface designed for offensive purposes. The primary function of this interface is to spawn a reverse shell connection to a specified IP address and port upon remote invocation, allowing an attacker to achieve remote code execution or command and control (C2).
## Technical Details
- Type: Tool (Custom Implementation)
- Platform: Windows
- Capabilities: Exposing a remotely callable function over the Windows RPC runtime (which handles transport and argument marshalling), and spawning a reverse shell to an attacker-supplied IP address and port when that function is called.
- First Seen: August 2021 (Date of publication describing the tool)
## MITRE ATT&CK Mapping
- **TA0002 - Execution**: The remote RPC call is what triggers the payload on the target.
- **T1059 - Command and Scripting Interpreter**: The payload spawns a shell process for the attacker.
- **TA0011 - Command and Control**: The reverse shell is the channel the attacker then works through.
- **T1095 - Non-Application Layer Protocol**: The reverse shell is a raw TCP connection to the attacker's IP and port. The triggering call itself travels over MSRPC (`ncacn_ip_tcp`, or SMB named pipes with `ncacn_np`), which is not a web protocol, so T1071.001 (Web Protocols) does not apply.
- **TA0003 - Persistence** / **T1574.010 - Services File Permissions Weakness**: The service-replacement variant overwrites a legitimate service's DLL with the backdoored server so that it is loaded at the next boot; this depends on weak ACLs on the service binary. The reverse shell itself is not persistent and is not remote access software in the T1219 sense.
## Functionality
### Core Capabilities
- **Custom RPC Server Implementation**: Defining and creating a custom RPC interface allowing remote function calls.
- **Reverse Shell Execution**: Upon receiving a valid RPC call containing the attacker's IP and port, the interface executes logic to spawn a reverse shell back to the attacker.
- **Network Abstraction**: Leverages the Windows RPC runtime (`rpcrt4.dll`) to handle the transport, connection handling and argument marshalling, so the server code contains no socket handling of its own apart from the outbound connection the reverse shell makes.
### Advanced Features
- **Endpoint Mapping Interaction**: If the server takes a dynamic endpoint, it registers its interface UUID with the RPC Endpoint Mapper (`RpcEpRegister`), which listens on TCP port 135 and tells clients which port to connect to. A server bound to a fixed, well-known endpoint can skip that registration, and a client that already knows the port connects to it directly, so the interface need not appear in the endpoint map at all.
- **Protocol Flexibility**: The protocol sequence is a configuration choice: `ncacn_ip_tcp` (a dedicated TCP listener) or `ncacn_np` (named pipes carried over SMB on TCP 445). The latter avoids opening a separate listening port, so the server blends in with normal SMB traffic.
- **Persistence via Service Replacement**: Overwrite a legitimate service's DLL with the backdoored RPC server and reboot; the service loads the malicious interface at start-up and the attacker gains persistence inside that service's process. This only works where the ACLs on the service's binary are weak enough to permit the overwrite, which is the weakness the mitigations below target.
## Indicators of Compromise
- File Hashes: N/A (Custom code, specific hashes not provided)
- File Names: N/A (The tool is a custom RPC server; in the persistence variant it takes the name of the legitimate service DLL it replaces)
- Registry Keys: N/A (The service-replacement variant overwrites the DLL in place rather than editing the service's configuration; the `ServiceDll` and `ImagePath` values under `HKLM\SYSTEM\CurrentControlSet\Services` are still worth checking in case the path was repointed instead)
- Network Indicators:
  - **C2 Communication**: Outbound connection from the target establishing a reverse shell to a user-defined address and port (e.g., `attacking_ip:port`).
  - **Endpoint Mapper**: Initial connection attempts targeting TCP port 135 for interface enumeration if the attacker uses tools like `rpcdump.py` to map services.
- Behavioral Indicators:
  - Anomalous service behavior or discovery of an unexpected interface UUID registered with the RPC Endpoint Mapper.
  - Spawning of a shell process following a network request targeting the custom RPC interface.
## Associated Threat Actors
- N/A (This specific implementation is presented as a proof-of-concept/educational exercise by SensePost, but the technique of weaponizing existing IPC mechanisms like RPC is highly valuable to sophisticated threat actors.)
## Detection Methods
- **Signature-based detection**: Signatures could be developed targeting the unique UUID assigned to the custom RPC interface, if known.
- **Behavioral detection**: Baseline the interface UUIDs registered with the RPC Endpoint Mapper (TCP 135) and alert on new ones, keeping in mind that a server bound to a fixed endpoint need not register, so also watch for new listening TCP ports and named pipes owned by unexpected processes. Detect a shell process being created by a service or RPC server process shortly after an inbound connection to an unusual interface. Detect writes that overwrite DLLs belonging to legitimate Windows services.
- **YARA rules**: Potentially applicable to the compiled binary if unique code segments or strings are identifiable.
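The endpoint-map baselining described under Behavioral detection (and the RpcView-style check under Mitigation Strategies) can be scripted. The following is an added example and is not code from the original post: it walks the endpoint map through the documented `RpcMgmtEpEltInqBegin`/`RpcMgmtEpEltInqNextA`/`RpcMgmtEpEltInqDone` management functions in `rpcrt4.dll` and reports every interface UUID that is not on an allowlist. The `$Baseline` list is a hypothetical placeholder with three well-known Windows interfaces; the real list should come from running `Get-EpmEntry` on a clean reference build of the same OS version.

```powershell
# Added example, not from the original post. Enumerates the RPC endpoint map
# (local host, or a remote host over TCP 135) and flags interface UUIDs that are
# not on an allowlist.
$Native = @'
using System;
using System.Runtime.InteropServices;
public static class EpMap
{
    [StructLayout(LayoutKind.Sequential)]
    public struct RPC_IF_ID { public Guid Uuid; public ushort VersMajor; public ushort VersMinor; }

    [DllImport("rpcrt4.dll", CharSet = CharSet.Ansi)]
    public static extern int RpcBindingFromStringBindingA(string stringBinding, out IntPtr binding);
    [DllImport("rpcrt4.dll")]
    public static extern int RpcBindingFree(ref IntPtr binding);
    [DllImport("rpcrt4.dll")]
    public static extern int RpcMgmtEpEltInqBegin(IntPtr epBinding, uint inquiryType, IntPtr ifId,
                                                  uint versMode, IntPtr objectUuid, out IntPtr inquiryContext);
    [DllImport("rpcrt4.dll")]
    public static extern int RpcMgmtEpEltInqNextA(IntPtr inquiryContext, out RPC_IF_ID ifId,
                                                  out IntPtr binding, IntPtr objectUuid, out IntPtr annotation);
    [DllImport("rpcrt4.dll")]
    public static extern int RpcMgmtEpEltInqDone(ref IntPtr inquiryContext);
    [DllImport("rpcrt4.dll")]
    public static extern int RpcBindingToStringBindingA(IntPtr binding, out IntPtr stringBinding);
    [DllImport("rpcrt4.dll")]
    public static extern int RpcStringFreeA(ref IntPtr str);
}
'@
if (-not ('EpMap' -as [type])) { Add-Type -TypeDefinition $Native }

function Get-EpmEntry {
    # One object per endpoint-map element. Empty $ComputerName = the local host.
    param([string]$ComputerName = '')
    $epBinding = [IntPtr]::Zero
    if ($ComputerName) {
        $rc = [EpMap]::RpcBindingFromStringBindingA("ncacn_ip_tcp:$ComputerName[135]", [ref]$epBinding)
        if ($rc -ne 0) { throw "RpcBindingFromStringBindingA failed: $rc" }
    }
    $ctx = [IntPtr]::Zero
    # inquiryType 0 = RPC_C_EP_ALL_ELTS (ifId/objectUuid are ignored), versMode 1 = RPC_C_VERS_ALL
    $rc = [EpMap]::RpcMgmtEpEltInqBegin($epBinding, 0, [IntPtr]::Zero, 1, [IntPtr]::Zero, [ref]$ctx)
    if ($rc -ne 0) { throw "RpcMgmtEpEltInqBegin failed: $rc" }
    try {
        while ($true) {
            $ifId = New-Object -TypeName 'EpMap+RPC_IF_ID'
            $binding = [IntPtr]::Zero; $annotation = [IntPtr]::Zero; $strBinding = [IntPtr]::Zero
            $rc = [EpMap]::RpcMgmtEpEltInqNextA($ctx, [ref]$ifId, [ref]$binding, [IntPtr]::Zero, [ref]$annotation)
            if ($rc -ne 0) { break }   # non-zero (normally 1772, RPC_X_NO_MORE_ENTRIES) ends the walk
            [void][EpMap]::RpcBindingToStringBindingA($binding, [ref]$strBinding)
            [pscustomobject]@{
                Uuid       = $ifId.Uuid.ToString().ToLowerInvariant()
                Version    = "$($ifId.VersMajor).$($ifId.VersMinor)"
                Binding    = [Runtime.InteropServices.Marshal]::PtrToStringAnsi($strBinding)
                Annotation = [Runtime.InteropServices.Marshal]::PtrToStringAnsi($annotation)
            }
            if ($strBinding -ne [IntPtr]::Zero) { [void][EpMap]::RpcStringFreeA([ref]$strBinding) }
            if ($annotation -ne [IntPtr]::Zero) { [void][EpMap]::RpcStringFreeA([ref]$annotation) }
            [void][EpMap]::RpcBindingFree([ref]$binding)
        }
    } finally {
        [void][EpMap]::RpcMgmtEpEltInqDone([ref]$ctx)
        if ($epBinding -ne [IntPtr]::Zero) { [void][EpMap]::RpcBindingFree([ref]$epBinding) }
    }
}

function Find-UnknownRpcInterface {
    # Returns endpoint-map entries whose interface UUID is not in $Allow.
    param([string]$ComputerName = '', [string[]]$Allow)
    $known = @{}
    foreach ($u in $Allow) { $known[$u.ToLowerInvariant()] = $true }
    Get-EpmEntry -ComputerName $ComputerName | Where-Object { -not $known.ContainsKey($_.Uuid) }
}

# Hypothetical allowlist for illustration only; replace with the UUIDs captured from a clean host.
$Baseline = @(
    'e1af8308-5d1f-11c9-91a4-08002b14a0fa',  # endpoint mapper
    '367abb81-9844-35f1-ad32-98f038001003',  # svcctl (service control manager)
    '12345778-1234-abcd-ef00-0123456789ac'   # samr
)
Find-UnknownRpcInterface -Allow $Baseline | Format-Table Uuid, Version, Binding, Annotation -AutoSize
```

To build a real baseline, run `Get-EpmEntry | Export-Clixml epm-baseline.xml` on a clean host and later pass `-Allow (Import-Clixml epm-baseline.xml).Uuid`. Because a server bound to a fixed endpoint never has to call `RpcEpRegister`, an empty result here does not prove absence; pair the check with `Get-NetTCPConnection -State Listen` and a review of the owning processes.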
## Mitigation Strategies
- **Service Hardening**: Implement strict Access Control Lists (ACLs) on critical service binaries and configuration files to prevent modification by unauthorized users.
- **Principle of Least Privilege**: Ensure service accounts and regular user accounts do not have write permissions on executable and DLL paths required by system services.
- **Monitoring IPC Mechanisms**: Actively monitor the RPC Endpoint Mapper (via tools like RpcView or custom tooling) for unrecognized or newly registered UUIDs that do not correspond to known legitimate Windows services.
- **Network Segmentation**: Restricting direct access to core system services (like those communicating on port 135) where possible.
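The Service Hardening and Principle of Least Privilege items above reduce to one question: can a low-privileged principal write to the file a service actually loads? The following is an added example, not code from the original post, that answers it for every service on the host by resolving each service's executable (and, for `svchost`-hosted services, its `ServiceDll`) and reporting ACEs that grant write-type rights to `Everyone`, `BUILTIN\Users`, `Authenticated Users` or `INTERACTIVE`. The principal names assume an English-language Windows build; adjust `$LowPriv` for localized systems.

```powershell
# Added example, not from the original post. Lists services whose binary or
# ServiceDll is writable by low-privileged principals, which is exactly what the
# "replace the service DLL and reboot" persistence step needs.
$LowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let the file be replaced or its ACL changed, plus GENERIC_WRITE (0x40000000)
# and GENERIC_ALL (0x10000000), which appear as raw bits in some inherited ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

function Get-ServiceBinaryPath {
    # Resolve the files a service runs: the executable from its (possibly quoted)
    # PathName, plus the ServiceDll registry value for svchost-hosted services.
    param($Service)   # a Win32_Service instance
    $result = @()
    if (-not $Service.PathName) { return $result }
    $image = [Environment]::ExpandEnvironmentVariables($Service.PathName)
    if ($image -match '^"([^"]+)"') {
        $result += $Matches[1]
    } else {
        # Unquoted path: extend the candidate one token at a time until it names a file.
        $tokens = $image -split ' '
        for ($i = 1; $i -le $tokens.Count; $i++) {
            $candidate = $tokens[0..($i - 1)] -join ' '
            if (Test-Path -LiteralPath $candidate -PathType Leaf) { $result += $candidate; break }
        }
    }
    foreach ($key in "HKLM:\SYSTEM\CurrentControlSet\Services\$($Service.Name)\Parameters",
                     "HKLM:\SYSTEM\CurrentControlSet\Services\$($Service.Name)") {
        $dll = (Get-ItemProperty -LiteralPath $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $result += [Environment]::ExpandEnvironmentVariables($dll); break }
    }
    return $result
}

function Find-WritableServiceBinary {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        foreach ($file in (Get-ServiceBinaryPath -Service $svc | Sort-Object -Unique)) {
            if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { continue }
            $acl = Get-Acl -LiteralPath $file -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($LowPriv -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    StartMode = $svc.StartMode
                    File      = $file
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Find-WritableServiceBinary | Format-Table -AutoSize
```

Run it elevated so `Get-Acl` can read every service binary. Any row where `RunsAs` is `LocalSystem` and `StartMode` is `Auto` is the case the persistence step relies on: the low-privileged principal can drop the backdoored server in place and wait for the next boot. The containing directory deserves the same check, since write or delete rights there let an attacker rename the original and put a replacement beside it even when the file itself is locked down.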
## Related Tools/Techniques
- **Impacket Library**: Tools like `rpcdump.py` are used to enumerate active RPC interfaces on a target system.
- **Named Pipes**: The article suggests switching to Named Pipes (`ncacn_np`) as an alternative transport mechanism to hide the TCP listener, indicating related IPC exploitation techniques.
- **Windows IPC Exploitation**: Broader category covering exploitation of mechanisms like MSRPC, SMB, or named pipes for initial access or lateral movement.