Full Report
Microsoft Remote Procedure Call (MSRPC) is a prevalent communication mechanism that provides an extensible framework for defining server/client interfaces. The author wrote a tool called RpcInvestigator for advanced discovery and analysis of RPC endpoints. The tool can automatically generate client code, sniff RPC interactions and enumerate services. A pretty neat tool for Windows service auditing!
Analysis Summary
# Tool/Technique: RPC Investigator (RPCI)
## Overview
RPC Investigator is a .NET-based graphical security tool designed for the advanced discovery, decompilation, and analysis of Microsoft Remote Procedure Call (MSRPC) endpoints on Windows. Built upon the `NtApiDotNet` platform, it facilitates security auditing by allowing practitioners to explore the vast attack surface of Windows services, generate functional client code, and monitor RPC traffic in real-time via Event Tracing for Windows (ETW).
## Technical Details
- **Type:** Tool (Security Research & Auditing)
- **Platform:** Windows (Requires .NET Framework 4.8+, Windows SDK/Debugging Tools)
- **Capabilities:** Endpoint enumeration, RPC sniffing (ETW), C# client code generation, ALPC server discovery, and PE/Process parsing.
- **First Seen:** January 17, 2023 (Public Release by Trail of Bits)
## MITRE ATT&CK Mapping
- **[TA0007 - Discovery]**
  - **[T1018 - Remote System Discovery]**: Used to map RPC endpoints and services.
  - **[T1614 - System Location Discovery]**: Identifying localized RPC/ALPC interfaces.
- **[TA0008 - Lateral Movement]**
  - **[T1021.003 - Remote Services: Distributed RPC]**: Analyzing interfaces used for lateral movement.
- **[TA0011 - Command and Control]**
  - **[T1571 - Non-Standard Port]**: Monitoring custom RPC ports and interfaces.
- **[TA0009 - Collection]**
  - **[T1125 - Video Capture]** *(Indirect)*: The tool does not capture video; it uses ETW for monitoring (T1562.006), which can be used to observe sensitive system interactions.
## Functionality
### Core Capabilities
- **Endpoint Enumeration:** Automatically discovers all active ALPC (Advanced Local Procedure Call) RPC servers.
- **Static & Dynamic Parsing:** Extracts RPC server definitions from Portable Executable (PE) files, running processes, and active Windows services.
- **Symbol Server Integration:** Resolves function names and structures using Windows Symbol Servers for clearer analysis of undocumented interfaces.
- **Library Management:** Organizes discovered servers into a searchable database to pivot through RPC procedures across the entire system.
### Advanced Features
- **Client Workbench:** A built-in C# code editor that generates boilerplate client code for a selected RPC interface. It allows researchers to compile and execute RPC calls "on the fly" to test for vulnerabilities or unexpected behaviors.
- **RPC Sniffer:** Leverages ETW to provide a real-time monitor of RPC activity. It correlates call start/stop events and visualizes them in table or graph views.
- **Graph Visualization:** Represents relationships between requesting processes and RPC servers (e.g., LSASS, BFE) to visualize the flow of system inter-process communication.
## Indicators of Compromise
*Note: As this is a legitimate research tool, presence of the following indicates its use, but not necessarily malicious activity.*
- **File Names:** `RpcInvestigator.exe`
- **Behavioral Indicators:**
- High frequency of RPC endpoint mapping (EPMP) requests.
- Initiation of ETW sessions specifically targeting the `Microsoft-Windows-RPC` provider.
- Execution of dynamically compiled .NET assemblies (related to the Client Workbench).
## Associated Threat Actors
- **Security Researchers:** Primarily used by Trail of Bits and the wider vulnerability research community.
- **Potential Red Teams:** May be used for post-exploitation discovery or identifying vulnerable local services for privilege escalation.
## Detection Methods
- **Behavioral Detection:** Monitor for unauthorized processes querying the RPC Endpoint Mapper (typically over port 135) or iterating through ALPC port objects.
- **ETW Monitoring:** Defenders can monitor for the creation of new ETW tracing sessions that target RPC providers, which might indicate a user is sniffing system communications.
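One way to surface both indicators from a host, as an added example that is not part of the RPC Investigator project: it lists running ETW sessions with `logman` and flags those subscribed to the `Microsoft-Windows-RPC` provider, then ranks processes by recent outbound connections to the Endpoint Mapper using Security event 5156. The provider GUID and the `$LookbackMinutes` threshold are assumptions, and the script expects an elevated prompt, English `logman` output and WFP connection auditing enabled.

```powershell
# Added example (not the RPC Investigator project's own code): surface the two
# behavioural indicators above. Assumes an elevated PowerShell prompt, English
# logman output, and that WFP connection auditing (Security event 5156) is on.
param(
    [string]$ProviderName = 'Microsoft-Windows-RPC',
    # GUID from memory; confirm with: logman query providers Microsoft-Windows-RPC
    [string]$ProviderGuid = '{6AD52B32-D609-4BE9-AE07-CE8DAE937E39}',
    [int]$LookbackMinutes = 60   # constructed threshold, tune per environment
)

# Running ETW sessions that subscribe to the RPC provider by name or GUID.
function Get-RpcEtwSessions {
    $names = logman query -ets |
        Select-String -Pattern '\s+Trace\s+Running\s*$' |
        ForEach-Object { ($_.Line -split '\s{2,}')[0].Trim() }
    foreach ($name in $names) {
        # Per-session query lists the enabled providers (Name: / Provider GUID:).
        $detail = (logman query "$name" -ets 2>$null) -join "`n"
        if ($detail -match [regex]::Escape($ProviderName) -or
            $detail -match [regex]::Escape($ProviderGuid)) {
            [pscustomobject]@{ Session = $name; Provider = $ProviderName }
        }
    }
}

# Processes making outbound connections to the Endpoint Mapper (TCP 135),
# ranked by count, from recent WFP 'connection permitted' events.
function Get-EpmConnections {
    $filter = @{ LogName = 'Security'; Id = 5156
                 StartTime = (Get-Date).AddMinutes(-$LookbackMinutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Direction %%14593 is 'Outbound' in the 5156 event schema.
        if ($data.DestPort -eq '135' -and $data.Direction -eq '%%14593') {
            [pscustomobject]@{ Process = $data.Application; Dest = $data.DestAddress }
        }
      } | Group-Object Process | Sort-Object Count -Descending |
          Select-Object Count, Name
}

"== ETW sessions subscribed to $ProviderName =="
Get-RpcEtwSessions | Format-Table -AutoSize
"== Outbound Endpoint Mapper (TCP 135) connections, last $LookbackMinutes min =="
Get-EpmConnections | Format-Table -AutoSize
```

A session subscribed to the RPC provider is only a lead, since legitimate tracing (including the tool's own documented use) produces the same signal; correlate with the launching process before acting on it.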
## Mitigation Strategies
- **Least Privilege:** Ensure services run as low-privilege users where possible to reduce the impact of an exploited RPC interface.
- **Attack Surface Reduction:** Use Windows Defender Firewall to restrict access to the RPC Endpoint Mapper and specific MSRPC interfaces from the network.
- **Service Hardening:** Audit RPC interfaces to ensure they require authentication and use appropriate security descriptors (ACLs).
## Related Tools/Techniques
- **NtApiDotNet:** The underlying library by James Forshaw.
- **RpcView:** A similar GUI tool for RPC interface exploration.
- **Impacket:** Often used for interacting with MSRPC from non-Windows platforms.
- **ALPC (Advanced Local Procedure Call):** The high-speed message-passing mechanism used as the transport for local RPC.