zeronetworks / rpcfirewall Goto Github PK

While experimenting, I came across an issue where several RPC calls that are triggered by remote usage of psexec are not logged.
I am using the following bare minimum configuration (the .txt at the end was added in order to upload this):
RpcFw.conf.txt

When running psexec, the only event that is logged is the map request on the endpoint mapper interface:
RPCFWP.evtx.txt

A packet capture clearly shows that more RPC calls were performed:
remote_psexec.pcap.txt

I have also tried using no configuration file, but the calls in question are still not logged.

I saw you answer:
#4 (comment)

But when I am trying to trace the RPC requests from dockerd.exe after removing the PPL using Mimikatz, it still doesn't work.
Although I doesn't a PPL process as far as I know.
Any idea?

Hello.

I have setup a lab environment with a Windows 2008 R2 server vulnerable to zero logon attack. I have another PC that runs Ping Castle to check for zero logon vulnerability. It finds the venerability successfully.

I installed to Windows 2008 the rpcfirewall and protect all the processes with action block.

I run again from the PC the ping castle software and still finds the DC vulnerable to this attack.

In Windows server 2008 the rpcfw events are not storing anything nor your software protects from this attack.

Can you verify please?

Hi team,

I am testing out RPC Firewall wondering How do I test out the attacks and prevention capabilities on Active Directory?

TIA
Blason R

Hello, I wonder if anyone has discovered a way of blocking WMI (interface IWbemServices, UUID 36cfd3bf-c08c-43bf-b8ff-3eb594f583ff) over ncacn_np, while keeping ncacn_ip_tcp functional. It would IMO block impacket-wmiexec, without affecting the required Windows functionality, but I was not able to make it work with protocol-based rules, nor with port-based rules.
What I find even more problematic is impacket-dcomexec, which uses DCOM over named pipes (ShellWindows, ShellBrowserWindow, or MMC20 objects). Again, I was not able to find a method to block this, without causing too many side-effects.

Hello,

I tried installing rpcfirewall on my machine, just to see.
But does not seem to be working.

Is rpcfirewall supposed to be working on win7 x64 sp1 Enterprise French ?

Best regards

Is it possible to add a filtering based on the IP and on the username ?
For example block all RPC call made by domain admin (prefix da_) if sourceip is not 10.10.10.1 (admin castle)

fw:uuid:* action:block audit:true not_saddr:10.10.10.1 username:da_john.doe
fw:uuid:* action:block audit:true not_saddr:10.10.10.1 username_pattern:da_*

The blog post you link in your readme seems to be moved somewhere else and returns a 404 Not Found

Unclear that how configure it to **audit** all remote RPC calls
How can I enable audit only to all RPC calls?

NOTE: Public Repos are disabled for this organization! Repository was automatically converted to a Private Repo. Please contact an admin to override.

/cc @talshmuli

Hi,

your documentation was mentioning this template for AuditAll.

But it doesn't seem to exist any more

Kind regards

Hi,

I have an RPC server that uses NdrClientCall3.
Does NdrClientCall3 is being hooked?
I saw that you implemented it here:

But I don't see it in the DLL:

When I am trying to audit a process called vmcompute.exe:

rpcFwManager.exe /process vmcompute.exe

It fails with the following message:

* This break indicates this binary is not signed correctly: \Device\HarddiskVolume4\Windows\System32\rpcFireWall.dll
* and does not meet the system policy.
* The binary was attempted to be loaded in the process: \Device\HarddiskVolume4\Windows\System32\vmcompute.exe
* This is not a failure in CI, but a problem with the failing binary.
* Please contact the binary owner for getting the binary correctly signed.

Here is a print screen of what I tried to do:

Operation system: Windows Server 2019 1809 (OS Build 17763.2114).

Hello,

I stumbled on this issue by accident.
rpcFwManager.exe has a full control handle on LSASS, which can be abused to dump LSASS via a DeDup handle attack.

Maybe one should change this level of granted access to the bare minimum needed instead ?

createSecurityAttributes allocates a buffer with LocalAlloc but this memory is never freed after the security descriptor is used in object creation, resulting in a leak.

BOOL createSecurityAttributes(SECURITY_ATTRIBUTES * psa)
{
	PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);

	if (InitializeSecurityDescriptor(psd, SECURITY_DESCRIPTOR_REVISION) != 0)

...

HANDLE createGlobalEvent(BOOL manualReset,BOOL initialState, TCHAR* eventName)
{
	HANDLE gEvent = NULL;
	SECURITY_ATTRIBUTES sa = { 0 };
	
	//TODO: return value instead of passing as ref
!	if (createSecurityAttributes(&sa))    // <------ need to free the security descriptor
	{
...

HANDLE mapNamedMemory()
{
	HANDLE hMapFile = NULL;
	SECURITY_ATTRIBUTES sa = { 0 };

!	if (createSecurityAttributes(&sa))    // <------ need to free the security descriptor

See: