• Stars
    star
    290
  • Rank 142,981 (Top 3 %)
  • Language
  • License
    BSD 3-Clause "New...
  • Created about 3 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A repository that maps commonly used attacks using MSRPC protocols to ATT&CK

MSRPC-To-ATT&CK

A repository that maps commonly used MSRPC protocols to Mitre ATT&CK while providing context around potential indicators of activity, prevention opportunities, and related RPC information.

List of MSRPC Protcols:

MITRE ATT&CK Navigator:

Contents:

Each document will hold information about the following:

  • Protocol Name
  • Interface UUID
  • Server Binary (where the server code is stored, if it is loaded into another binary then the binary name image that loaded the server code.)
  • Endpoint (transport protocol - ncacn_np and/or ncacn_ip_tcp)
  • ATT&CK Relation
  • Indicator of Activity (IOA)
  • Prevention Opportunities
    • Default RPC Filters will show that the remote_user_token that is allowed to communicate over the interface are Domain Admins (DA). This isn't the best route to go however; create a group specific to the action you want to take and apply that SID to the DACL within the SDDL string. This comes from a conversation that was had with Andrew Robbins. He suggests restricting domain admins interactive logons on DCs.
    • Great resource for understanding RPC Filters: https://www.tiraniddo.dev/2021/08/how-windows-firewall-rpc-filter-works.html
    • Filters were tested in a lab, not in a production environment. They may require tuning. Proceed with caution.
  • Notes
  • Useful Resources

Recognition:

Thank you to the following for giving feedback:

  • James Forshaw
  • Olaf Hartong
  • Red Canary's Detection Enablement Team