MSRPC-To-ATT&CK

A repository that maps commonly used MSRPC protocols to Mitre ATT&CK while providing context around potential indicators of activity, prevention opportunities, and related RPC information.

List of MSRPC Protcols:

• MS-SCMR: Service Control Manager Remote Protocol
  • MS-SCMR.md
• MS-DRSR: Directory Replication Service Remote Protocol
  • MS-DRSR.md
• MS-RRP: Windows Remote Registry Remote Protocol
  • MS-RRP.md
• MS-TSCH: Task Scheduler Service Remoting Protocol
  • MS-TSCH.md
• MS-WKST: Workstation Service Remote Protocol
  • MS-WKST.md
• MS-SRVS: Server Service Remote Protocol
  • MS-SRVS.md
• MS-RPRN: Print System Remote Protocol
  • MS-RPRN.md
• MS-PAR: Print System Asynchronous Remote Protocol
  • MS-PAR.md
• MS-SAMR: Security Account Manager Remote Protocol
  • MS-SAMR.md
• MS-LSAD: Local Security Authority (Domain Policy) Remote Protocol
  • MS-LSAD.md
• MS-LSAT: Local Security Authority (Translation Methods) Remote Protocol
  • MS-LSAT.md
• MS-EFSR: Encrypting File System Remote (EFSRPC) Protocol
  • MS-EFSR.md
• MS-NRPC: Netlogon Remote Protocol
  • MS-NRPC.md
• MS-FSRVP: File Server Remote VSS Protocol
  • MS-FSRVP.md
• MS-DFSNM: Distributed File System (DFS): Namespace Management Protocol
  • MS-DFSNM.md

MITRE ATT&CK Navigator:

• Mitre Navigator Link

Contents:

Each document will hold information about the following:

• Protocol Name
• Interface UUID
• Server Binary (where the server code is stored, if it is loaded into another binary then the binary name image that loaded the server code.)
• Endpoint (transport protocol - ncacn_np and/or ncacn_ip_tcp)
• ATT&CK Relation
• Indicator of Activity (IOA)
• Prevention Opportunities
  • Default RPC Filters will show that the remote_user_token that is allowed to communicate over the interface are Domain Admins (DA). This isn't the best route to go however; create a group specific to the action you want to take and apply that SID to the DACL within the SDDL string. This comes from a conversation that was had with Andrew Robbins. He suggests restricting domain admins interactive logons on DCs.
  • Great resource for understanding RPC Filters: https://www.tiraniddo.dev/2021/08/how-windows-firewall-rpc-filter-works.html
  • Filters were tested in a lab, not in a production environment. They may require tuning. Proceed with caution.
• Notes
• Useful Resources

Recognition:

Thank you to the following for giving feedback:

• James Forshaw
• Olaf Hartong
• Red Canary's Detection Enablement Team