Abusing remote procedure calls
Intrusions leveraging remote procedure calls (RPC) made waves in 2021, particularly PetitPotam and PrintNightmare.
Adversaries can abuse remote procedure calls (RPC) to escalate their privileges, as we saw in the PrintNightmare and PetitPotam attacks last summer.
Editors’ note: While the analysis and detection opportunities remain applicable, this page has not been updated since 2022.
Remote procedure calls (RPC) facilitate local and remote communication between client and server programs. Many Windows services leverage RPCs for communication, and many RPCs expose functions to end users. Depending on privilege levels and the security checks that are (or are not) performed when these functions are implemented, adversaries can abuse RPCs to perform many malicious actions.
We covered RPC abuse in depth on the Red Canary blog last year, but two methods of RPC abuse stood out in 2021: PetitPotam and PrintNightmare. Both emerged over the summer, and adversaries quickly adapted them from theoretical proofs of concept for privilege escalation into real-world intrusions. Both were reportedly leveraged in ransomware campaigns, underscoring the urgency behind these threats. We’ve done extensive testing to replicate these techniques and validate detective and preventive controls for them. What follows is a summary of these compromises and what you can do to defend your organization.
PetitPotam
First published as a proof of concept by researcher Gilles Lionel in July 2021, PetitPotam allows an adversary to hijack server authentication sessions and gain access to highly sensitive systems like Active Directory Certificate Services (AD CS). Microsoft published a security bulletin (CVE-2021-36942) in August that raised the barrier of entry for PetitPotam, requiring that adversaries first authenticate themselves with legitimate credentials to conduct the intrusion.
PetitPotam enables an adversary to force authentication of a machine by performing an NTLM relay-like intrusion against the Encrypting File System Remote Protocol (EFSRPC), which manages data encrypted by the Encrypting File System (EFS) on remote servers. PetitPotam was particularly troubling because the EFSRPC exposed functionality through a DLL (efslsaext.dll) that enabled unauthenticated communication through the LSASS pipe via the EfsRpcOpenFileRaw method. Depending on the patch status, either an unauthenticated or an authenticated adversary can call the EfsRpcOpenFileRaw method, intercept the authentication response (NTLM relay) between the client and a server, and use that to authenticate to another workstation. If they target a domain controller, an adversary could potentially compromise the entire domain by relaying that authentication to an AD CS server. James Forshaw’s detailed article from August is a great place to learn more.
PrintNightmare
In July 2021, researchers Zhiniang Peng and Xuefeng Li disclosed a Windows vulnerability called “PrintNightmare” (CVE-2021-34527) that enabled adversaries to perform remote code execution and privilege escalation in two different ways. The objective of each is to connect to a remote host without authentication and cause it to load a malicious DLL. One method abuses the driver installation feature of the Print System Remote Protocol (MS-RPRN), while the other abuses a similar driver installation feature of a different protocol, the Print System Asynchronous Remote Protocol (MS-PAR). In both cases, an inbound connection is accepted by the print spooler service (running as SYSTEM), which allows the creation of a separate process also running as SYSTEM. Once an adversary gains SYSTEM-level privileges, they effectively have full control over that host.
Take action
PetitPotam
Security teams seeking to observe and detect PetitPotam intrusions have multiple options. We’ll describe relevant telemetry that can be gathered from EDR tools and native operating system logs.
Start by monitoring Windows Security Event ID 4624 for anonymous and other suspicious logons. Many EDR products collect named pipe data, so you can also monitor for lsarpc or efsrpc named pipe connections to domain controllers. This will show when an unauthenticated user is trying to communicate with the domain controller over those transport protocols.
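As an added example (not code from the original page or from Red Canary), the following Python pass applies the two detection ideas above to constructed events: 4624 network logons by ANONYMOUS LOGON on a domain controller, and remote clients opening the lsarpc or efsrpc named pipes on a domain controller. The event field names, the DC inventory and the sample events are assumptions, not a vendor schema.

```python
"""Toy detection pass for the PetitPotam telemetry described above (constructed data)."""
from typing import Iterable

DOMAIN_CONTROLLERS = {"dc01.corp.example"}      # hypothetical DC inventory
EFS_TRANSPORT_PIPES = {"lsarpc", "efsrpc"}      # pipes named in the text

def pipe_basename(name: str) -> str:
    r"""Reduce a pipe path such as \\.\pipe\efsrpc or \efsrpc to its final component, lowercased."""
    return name.rsplit("\\", 1)[-1].lower()

def anonymous_network_logon(ev: dict) -> bool:
    """Security 4624: network logon (type 3) by ANONYMOUS LOGON onto a domain controller."""
    return (ev.get("source") == "security" and ev.get("EventID") == 4624
            and ev.get("LogonType") == 3
            and ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON"
            and ev.get("Computer") in DOMAIN_CONTROLLERS)

def remote_efs_pipe_connect(ev: dict) -> bool:
    """EDR named-pipe telemetry: a remote client opening lsarpc/efsrpc on a domain controller."""
    return (ev.get("source") == "edr_pipe"
            and ev.get("Computer") in DOMAIN_CONTROLLERS
            and pipe_basename(ev.get("PipeName", "")) in EFS_TRANSPORT_PIPES
            and ev.get("RemoteAddress") not in (None, "", "127.0.0.1", "::1"))

def find_petitpotam_indicators(events: Iterable[dict]) -> list:
    """Return (rule, dc, client_ip) tuples; both rules firing for one client IP is the strong signal."""
    findings = []
    for ev in events:
        if anonymous_network_logon(ev):
            findings.append(("anonymous_logon", ev["Computer"], ev.get("IpAddress")))
        elif remote_efs_pipe_connect(ev):
            findings.append(("efs_pipe_connect", ev["Computer"], ev["RemoteAddress"]))
    return findings

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"source": "security", "EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "Computer": "dc01.corp.example", "IpAddress": "10.0.0.55"},
    {"source": "security", "EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup",
     "Computer": "dc01.corp.example", "IpAddress": "10.0.0.20"},
    {"source": "edr_pipe", "Computer": "dc01.corp.example", "PipeName": r"\\.\pipe\efsrpc",
     "RemoteAddress": "10.0.0.55"},
    {"source": "edr_pipe", "Computer": "ws07.corp.example", "PipeName": r"\lsarpc",
     "RemoteAddress": "10.0.0.55"},
    {"source": "edr_pipe", "Computer": "dc01.corp.example", "PipeName": r"\\.\pipe\spoolss",
     "RemoteAddress": "10.0.0.55"},
]
```

Calling find_petitpotam_indicators(SAMPLE_EVENTS) flags only the anonymous logon and the efsrpc pipe open on dc01, both from 10.0.0.55; the workstation pipe and the spoolss pipe are ignored.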
Microsoft has published extensive mitigation guidance describing many controls that administrators can implement to prevent NTLM intrusions in general—some of them more than a decade old—and many of these protections apply to PetitPotam. If it’s feasible in your environment, the following can help to mitigate PetitPotam intrusions:
- Update domain controllers and workstations to patch machines against CVE-2021-36942.
- Disable the EFS service (set its startup type to Disabled) if the service is not being used.
- Enable SMB signing to prevent relay intrusions.
- Apply an RPC filter to only allow authenticated connections to the EFS service over Kerberos.
PrintNightmare
The following data sources, largely available via commercial EDR tools, can help you identify PrintNightmare-related behavior:
- Monitor files for the creation of suspicious DLLs in the following file path:
C:\Windows\System32\spool\drivers\(x64/W32X86)\*\.dll
- Monitor module loads to identify when DLLs (especially unsigned ones) are loaded from the following file path:
C:\Windows\System32\spool\drivers\(x64/W32X86)\*\.dll
- Monitor suspicious registry modifications that involve DLLs getting added to the following:
HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-*\*.dll
(for x64 systems) or
HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\*.dll
(for x86 systems)
- Monitor processes spawning from spoolsv.exe. It is unusual for spoolsv.exe to spawn child processes under legitimate conditions.
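As an added example (not code from the original page or from Red Canary), here is a Python pass that turns the four data sources above into rules and runs them over constructed EDR events: DLL writes and module loads under the spool driver store, DLL values written under the Print\Environments keys, and child processes of spoolsv.exe. The event field names, the host name and the sample events are assumptions, not a vendor schema.

```python
"""Toy detection pass for the PrintNightmare telemetry listed above (constructed data)."""
import re
from typing import Iterable, Optional

# Driver store path from the list above: either architecture directory, any subfolder, a DLL.
SPOOL_DRIVER_DLL = re.compile(
    r"^c:\\windows\\system32\\spool\\drivers\\(x64|w32x86)\\.+\.dll$", re.IGNORECASE)
# Print\Environments driver registry paths from the list above (x64 and x86 variants).
PRINT_ENV_DRIVER_DLL = re.compile(
    r"^hklm\\system\\currentcontrolset\\control\\print\\environments\\"
    r"windows (x64|nt x86)\\.+\.dll$", re.IGNORECASE)

def classify(ev: dict) -> Optional[str]:
    """Map one EDR event to the rule it trips, or None; field names are assumed, not a vendor schema."""
    kind = ev.get("type")
    if kind == "file_create" and SPOOL_DRIVER_DLL.match(ev.get("path", "")):
        return "spool_driver_dll_written"
    if kind == "module_load" and SPOOL_DRIVER_DLL.match(ev.get("path", "")):
        # Every load from the driver store is worth a look; an unsigned one is the stronger signal.
        return "spool_driver_loaded" if ev.get("signed") else "unsigned_spool_driver_loaded"
    if kind == "registry_set" and PRINT_ENV_DRIVER_DLL.match(ev.get("key", "")):
        return "print_driver_registry_modified"
    if kind == "process_start" and ev.get("parent_image", "").lower().endswith("\\spoolsv.exe"):
        return "spoolsv_child_process"
    return None

def find_printnightmare_indicators(events: Iterable[dict]) -> list:
    """Return (rule, host, detail) for every event that trips a rule."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((rule, ev.get("host"), ev.get("path") or ev.get("key") or ev.get("image")))
    return hits

# Constructed sample telemetry; "x64\3" stands in for the "*" directory in the page's path.
DRV = r"C:\Windows\System32\spool\drivers\x64\3"
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "ps01", "path": DRV + r"\printdrv.dll"},
    {"type": "module_load", "host": "ps01", "path": DRV + r"\printdrv.dll", "signed": False},
    {"type": "module_load", "host": "ps01", "path": DRV + r"\unidrv.dll", "signed": True},
    {"type": "registry_set", "host": "ps01",
     "key": r"HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\printdrv.dll"},
    {"type": "process_start", "host": "ps01", "parent_image": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file_create", "host": "ps01", "path": r"C:\Users\alice\Documents\report.docx"},
]
```

Running find_printnightmare_indicators(SAMPLE_EVENTS) yields one hit per rule in order and ignores the unrelated document write; in practice the strongest case is several of these rules firing on the same host within a short window.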
In addition to the above detection opportunities, implement the following controls:
- Update servers and workstations with the latest Microsoft releases to patch CVE-2021-34527 and other vulnerabilities.
- Turn off the spooler service if it is not being used legitimately.
- Disable Point and Print in the registry:
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v Restricted /t REG_DWORD /d 0 /f