Editors’ note: While the analysis and detection opportunities remain applicable, this page has not been updated since 2022.
Remote procedure calls (RPC) facilitate local and remote communication between client and server programs. Many Windows services leverage RPCs for communication, and many RPCs expose functions to end users. Depending on privilege levels and the security checks that are (or are not) performed when these functions are implemented, adversaries can abuse RPCs to perform many malicious actions.
We covered RPC abuse in depth on the Red Canary blog last year, but two methods of RPC abuse stood out in 2021: PetitPotam and PrintNightmare. Both emerged over the summer, and adversaries quickly adapted them from theoretical proofs of concept for privilege escalation into real-world intrusions. Both were reportedly leveraged in ransomware campaigns, underscoring the urgency behind these threats. We’ve done extensive testing to replicate these techniques and validate detective and preventive controls for them. What follows is a summary of these compromises and what you can do to defend your organization.
First published as a proof of concept by researcher Gilles Lionel in July 2021, PetitPotam allows an adversary to hijack server authentication sessions and gain access to highly sensitive systems like Active Directory Certificate Services (AD CS). Microsoft published a security bulletin (CVE-2021-36942) in August that raised the barrier of entry for PetitPotam, requiring that adversaries first authenticate themselves with legitimate credentials to conduct the intrusion.
PetitPotam enables an adversary to force authentication of a machine by performing an NTLM relay-like intrusion against the Encrypting File System Remote Protocol (EFSRPC), which manages data encrypted by the Encrypting File System (EFS) on remote servers. PetitPotam was particularly troubling because the EFSRPC exposed functionality through a DLL (efslsaext.dll) that enabled unauthenticated communication through the LSASS pipe via the EfsRpcOpenFileRaw method. Depending on the patch status, either an unauthenticated or an authenticated adversary can call the EfsRpcOpenFileRaw method, intercept the authentication response (NTLM relay) between the client and a server, and use that to authenticate to another workstation. If they target a domain controller, an adversary could potentially compromise the entire domain by relaying that authentication to an AD CS server. James Forshaw’s detailed article from August is a great place to learn more.
In July 2021, researchers Zhiniang Peng and Xuefeng Li disclosed a Windows vulnerability called “PrintNightmare” (CVE-2021-34527) that enabled adversaries to perform remote code execution and privilege escalation in two different ways. The objective of each is to connect to a remote host without authentication and cause it to load a malicious DLL. One method abuses the driver installation feature of the Print System Remote Protocol (MS-RPRN), while the other abuses a similar driver installation feature of a different protocol, the Print System Asynchronous Remote Protocol (MS-PAR). In both cases, an inbound connection is accepted by the print spooler service (running as SYSTEM), which allows the creation of a separate process also running as SYSTEM. Once an adversary gains SYSTEM-level privileges, they effectively have full control over that host.
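The PrintNightmare chain above has two observable stages on the host: spoolsv.exe, running as SYSTEM, loads a DLL it should not, and then spawns a SYSTEM process. The following is an added example of detection logic written for this report, not Red Canary’s own detectors: it evaluates Sysmon-style process-create (event 1) and image-load (event 7) records, and the field names, the child-process allowlist and the sample records are all assumptions or constructed data to baseline against your own environment.

```python
"""Flag print spooler behaviour matching the PrintNightmare chain described above.

Added example, not Red Canary detection logic. Two heuristics over Sysmon-style
records (field names follow Sysmon event IDs 1 and 7; the records are constructed):
  * event 1 (process create): spoolsv.exe spawns a child outside a small allowlist
  * event 7 (image load): spoolsv.exe loads an unsigned DLL
The allowlist is an assumption to baseline and tune per environment.
"""
from pathlib import PureWindowsPath

SPOOLER = "spoolsv.exe"
# Assumed benign child of the spooler (print driver isolation); extend after baselining.
ALLOWED_CHILDREN = {"printisolationhost.exe"}

def _basename(path):
    return PureWindowsPath(path).name.lower()

def evaluate(event):
    """Return a one-line finding for a suspicious event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 1 and _basename(event["ParentImage"]) == SPOOLER:
        child = _basename(event["Image"])
        if child not in ALLOWED_CHILDREN:
            return f"spoolsv.exe spawned {child} as {event.get('User', '?')}"
    if eid == 7 and _basename(event["Image"]) == SPOOLER:
        # Sysmon reports Signed as the string "true"/"false"; accept bools too.
        if str(event.get("Signed", "false")).lower() != "true":
            return f"spoolsv.exe loaded unsigned DLL {event['ImageLoaded']}"
    return None

def triage(events):
    """Run evaluate() over a batch of records and keep only the findings."""
    return [f for f in map(evaluate, events) if f]

# Constructed sample records: one benign and one suspicious case per heuristic.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\PrintIsolationHost.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\unidrv.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe", "Signed": "false",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\constructed_sample.dll"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Unsigned driver DLLs do occur legitimately in some fleets, so treat the event 7 heuristic as a lead to correlate with a spooler child process rather than a standalone alert.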