zeronetworks / rpcfirewall
License: Other
I saw your answer:
#4 (comment)
But when I try to trace the RPC requests from dockerd.exe after removing the PPL using Mimikatz, it still doesn't work.
Although it isn't a PPL process as far as I know.
Any idea?
It is unclear how to configure it to **audit** all remote RPC calls.
How can I enable audit only for all RPC calls?
Hi team,
I am testing out RPC Firewall and wondering how I can test the attack and prevention capabilities on Active Directory.
TIA
Blason R
While experimenting, I came across an issue where several RPC calls that are triggered by remote usage of psexec are not logged.
I am using the following bare minimum configuration (the .txt at the end was added in order to upload this):
RpcFw.conf.txt
When running psexec, the only event that is logged is the map request on the endpoint mapper interface:
RPCFWP.evtx.txt
A packet capture clearly shows that more RPC calls were performed:
remote_psexec.pcap.txt
I have also tried using no configuration file, but the calls in question are still not logged.
NOTE: Public Repos are disabled for this organization! Repository was automatically converted to a Private Repo. Please contact an admin to override.
/cc @talshmuli
Hi,
Your documentation mentions this template for AuditAll, but it doesn't seem to exist any more.
Kind regards
createSecurityAttributes allocates a buffer with LocalAlloc, but this memory is never freed after the security descriptor is used in object creation, resulting in a leak.

BOOL createSecurityAttributes(SECURITY_ATTRIBUTES * psa)
{
    PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
    if (InitializeSecurityDescriptor(psd, SECURITY_DESCRIPTOR_REVISION) != 0)
    ...

HANDLE createGlobalEvent(BOOL manualReset, BOOL initialState, TCHAR* eventName)
{
    HANDLE gEvent = NULL;
    SECURITY_ATTRIBUTES sa = { 0 };
    //TODO: return value instead of passing as ref
    if (createSecurityAttributes(&sa)) // <------ need to free the security descriptor
    {
    ...

HANDLE mapNamedMemory()
{
    HANDLE hMapFile = NULL;
    SECURITY_ATTRIBUTES sa = { 0 };
    if (createSecurityAttributes(&sa)) // <------ need to free the security descriptor
See:
rpcfirewall/rpcFwManager/RPCMgr.cpp
Line 188 in cf6a6dc
rpcfirewall/rpcFwManager/RPCMgr.cpp
Line 215 in cf6a6dc
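The fix the report asks for, as an added example that is not rpcfirewall's own code: the descriptor is allocated, handed to CreateEvent through SECURITY_ATTRIBUTES, and released with LocalFree as soon as the call returns, on the failure path as well. This is safe because the kernel copies the descriptor into the object at creation time; the same pattern applies to the CreateFileMapping call in mapNamedMemory. The function names, the event name and the live-allocation counter are this example's own. Unlike the project's code (whose DACL setup is elided in the snippet above), this example sets no DACL, which on Windows means everyone gets full access to the event; it keeps the allocation logic minimal, not a recommended ACL. Off Windows a small shim stands in for the handful of Win32 calls so the ownership logic can be compiled and run; the shim is an assumption for portability, not the real API.

```c
#include <stddef.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Portability shim (assumption, not the Win32 API): LocalAlloc/LocalFree map to
 * calloc/free, the descriptor is an opaque buffer, and CreateEventA only reports
 * whether it received a descriptor. */
#include <stdlib.h>
typedef void *HANDLE;
typedef int BOOL;
typedef void *PSECURITY_DESCRIPTOR;
typedef struct {
    unsigned long nLength;
    void *lpSecurityDescriptor;
    BOOL bInheritHandle;
} SECURITY_ATTRIBUTES;
#define TRUE 1
#define FALSE 0
#define LPTR 0x0040
#define SECURITY_DESCRIPTOR_MIN_LENGTH 20
#define SECURITY_DESCRIPTOR_REVISION 1
static void *LocalAlloc(unsigned flags, size_t bytes) { (void)flags; return calloc(1, bytes); }
static void *LocalFree(void *p) { free(p); return NULL; }
static BOOL InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR psd, unsigned rev)
{
    ((unsigned char *)psd)[0] = (unsigned char)rev;
    return TRUE;
}
static HANDLE CreateEventA(SECURITY_ATTRIBUTES *sa, BOOL manualReset, BOOL initialState, const char *name)
{
    (void)manualReset; (void)initialState; (void)name;
    return (sa != NULL && sa->lpSecurityDescriptor != NULL) ? (HANDLE)1 : NULL;
}
static BOOL CloseHandle(HANDLE h) { (void)h; return TRUE; }
#endif

/* Count of descriptors currently allocated; lets a caller prove nothing leaks. */
static int g_liveDescriptors = 0;

/* Returns the initialized descriptor (caller owns it) or NULL on failure.
 * Returning the pointer, as the TODO in the reported code suggests, makes the
 * ownership explicit instead of hiding it inside a SECURITY_ATTRIBUTES field. */
static PSECURITY_DESCRIPTOR allocSecurityDescriptor(void)
{
    PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
    if (psd == NULL)
        return NULL;
    g_liveDescriptors++;
    if (!InitializeSecurityDescriptor(psd, SECURITY_DESCRIPTOR_REVISION)) {
        /* Initialization failed: release before reporting the failure. */
        LocalFree(psd);
        g_liveDescriptors--;
        return NULL;
    }
    return psd;
}

static void freeSecurityDescriptor(PSECURITY_DESCRIPTOR psd)
{
    if (psd != NULL) {
        LocalFree(psd);
        g_liveDescriptors--;
    }
}

/* Creates a named event with an explicit (minimal, DACL-less) descriptor and
 * releases the descriptor as soon as the creation call has returned. */
HANDLE createGlobalEventFixed(BOOL manualReset, BOOL initialState, const char *eventName)
{
    HANDLE gEvent = NULL;
    SECURITY_ATTRIBUTES sa = { 0 };
    PSECURITY_DESCRIPTOR psd = allocSecurityDescriptor();
    if (psd == NULL)
        return NULL;

    sa.nLength = sizeof(sa);
    sa.lpSecurityDescriptor = psd;
    sa.bInheritHandle = FALSE;
    gEvent = CreateEventA(&sa, manualReset, initialState, eventName);

    /* The kernel holds its own copy now (or creation failed); either way the
     * buffer belongs to us and is freed here instead of leaking. */
    freeSecurityDescriptor(psd);
    return gEvent;
}

int liveSecurityDescriptors(void) { return g_liveDescriptors; }

int main(void)
{
    /* Event name is this example's own choice. */
    HANDLE h = createGlobalEventFixed(TRUE, FALSE, "Global\\RpcFwExampleEvent");
    printf("event %s, live descriptors after creation: %d\n",
           h != NULL ? "created" : "not created", liveSecurityDescriptors());
    if (h != NULL)
        CloseHandle(h);
    return 0;
}
```

Freeing right after CreateEvent rather than at process exit matters for a long-running manager process: each call to createGlobalEvent or mapNamedMemory would otherwise leak one SECURITY_DESCRIPTOR_MIN_LENGTH buffer.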
Hello.
I have set up a lab environment with a Windows 2008 R2 server vulnerable to the Zerologon attack. I have another PC that runs Ping Castle to check for the Zerologon vulnerability. It finds the vulnerability successfully.
I installed rpcfirewall on the Windows 2008 server and protected all the processes with action block.
I ran the Ping Castle software again from the PC and it still finds the DC vulnerable to this attack.
On Windows Server 2008 the rpcfw events are not storing anything, nor does your software protect from this attack.
Can you verify please?
Hi,
I have an RPC server that uses NdrClientCall3.
Is NdrClientCall3 being hooked?
I saw that you implemented it here:
rpcfirewall/rpcFwManager/rpcHooks.cpp
Line 159 in 556b191
But I don't see it in the DLL:
rpcfirewall/rpcFirewall/dllmain.cpp
Lines 125 to 141 in 556b191
When I try to audit a process called vmcompute.exe:
rpcFwManager.exe /process vmcompute.exe
It fails with the following message:
* This break indicates this binary is not signed correctly: \Device\HarddiskVolume4\Windows\System32\rpcFireWall.dll
* and does not meet the system policy.
* The binary was attempted to be loaded in the process: \Device\HarddiskVolume4\Windows\System32\vmcompute.exe
* This is not a failure in CI, but a problem with the failing binary.
* Please contact the binary owner for getting the binary correctly signed.
Here is a screenshot of what I tried to do:
Operating system: Windows Server 2019 1809 (OS Build 17763.2114).
Is it possible to add filtering based on the IP and on the username?
For example, block all RPC calls made by a domain admin (prefix da_) if the source IP is not 10.10.10.1 (admin castle):
fw:uuid:* action:block audit:true not_saddr:10.10.10.1 username:da_john.doe
fw:uuid:* action:block audit:true not_saddr:10.10.10.1 username_pattern:da_*
The blog post you link in your readme seems to have moved somewhere else and returns a 404 Not Found.
Hello, I wonder if anyone has discovered a way of blocking WMI (interface IWbemServices, UUID 36cfd3bf-c08c-43bf-b8ff-3eb594f583ff) over ncacn_np, while keeping ncacn_ip_tcp functional. It would IMO block impacket-wmiexec, without affecting the required Windows functionality, but I was not able to make it work with protocol-based rules, nor with port-based rules.
What I find even more problematic is impacket-dcomexec, which uses DCOM over named pipes (ShellWindows, ShellBrowserWindow, or MMC20 objects). Again, I was not able to find a method to block this without causing too many side-effects.