Burning Bridges - Stopping Lateral Movement via the RPC Firewall

Conference:  BlackHat USA 2021



The presentation discusses the use of RPC filters and firewall to protect against DC sync attacks in Windows environments.
  • RPC filters and firewall can be used to protect against DC sync attacks in Windows environments
  • RPC filters and firewall work alongside each other as complementary tools
  • RPC firewall provides usable audits and filtering with native logging
  • RPC firewall can be used in production to block unwanted activity
  • A demo was presented to illustrate how RPC filters and firewall work
The presenter demonstrated how RPC filters and firewall can be used to protect against DC sync attacks by showing a demo of an RPC client and server. The demo showed how the RPC firewall can be applied to a server process and how it blocks messages sent by the client. The presenter also emphasized the importance of using both RPC filters and firewall as complementary tools to provide better protection against attacks.


In Windows based environments, RPC is the main underlying protocol required for remote administration and for Active Directory services. As such, it is often used by IT admins, but also by ransomware and advanced attackers to spread by creating remote services, scheduled tasks, DCOM objects, etc. It is also a major component in the persistency phase of attacks such as active directory DCSync, and even DC vulnerabilities such as Zerologon. The issue for defenders is that defending against remote RPC attacks is not trivial. Unlike other protocols, such as RDP or WinRM, which can be simply blocked from untrusted assets, RPC plays a crucial part in Active Directory environments, and has to be exposed to any asset in the network. To add to the pain, built-in Windows auditing and filtering options are incredibly noisy and don’t offer enough granularity. During our research into internal RPC mechanisms, we came up with a novel, yet practical approach that injects a “security layer” into the RPC runtime. This enables us to detect early reconnaissance efforts, block RPC based lateral movement, and create allow-lists per RPC service. This significantly reduces the RPC attack surface without hurting the underlying service and does not incur major performance penalties. Our tool, RPC Firewall, allows SOC teams to audit which remote hosts invoke RPC services over the network, this information is saved to Windows Event logs, which can later be injected to the SIEM. Additionally, SOC teams can utilize the RPC Firewall to create customized rules to block many forms of lateral movement. We’ve successfully proven that RPC Firewall can both detect and block known attacks, on top of which we also show how it can defend against novel undocumented RPC attacks which we uncovered. We pay particular attention to the use case of protecting Domain Controllers.