Windows Remote Procedure Call (Windows RPC) is a Windows feature that allows clients to call procedures located in programs running on remote servers.
The Windows RPC service consists of two components on the server:
- An endpoint mapper that can be queried for a list of available endpoints. The endpoint mapper usually runs on port 135.
- RPC endpoints that clients can bind to and call. These endpoints usually run on ports above 49000. Multiple endpoints can be exposed on a single port.
Configuring a Windows RPC endpoint mapper on a Canary
Canaries can run a Windows RPC endpoint mapper on port 135 that will alert when a client binds to it.
Follow these steps to enable the Windows RPC endpoint mapper on a Canary:
- Click on the Canary you want to configure.
- Click on Configure Canary to open its settings.
- Scroll down to Windows RPC and enable the toggle.
- Click Deploy new configuration to deploy the settings to the Canary.
Configuring Windows RPC endpoints
Windows RPC endpoints are an experimental feature and could be noisy depending on your network setup.
After enabling the Windows RPC endpoint mapper by following the steps in the previous section, you can enable RPC endpoints by clicking the Windows RPC Endpoints toggle.
Once endpoints are enabled, your Canary's Windows RPC endpoint mapper will return a small set of endpoints in response to endpoint lookup requests. These endpoints listen on a single port and accept binds from clients.
Interacting with the Windows RPC service
The Windows RPC service on your Canary can be tested by running the rpcping command from a Windows host as shown below.
rpcping -s $CANARY_IP -t ncacn_ip_tcp -v 3
Running the above command will trigger an incident on your Console.
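The alert above fires on the DCE/RPC bind that a client such as rpcping sends to the endpoint mapper on port 135. The following Python is an added example, not Canary's own code: it decodes a bind PDU and reports which interface the client asked for, which is the detail a defender would want in the alert. The sample PDU is constructed inline by build_bind(); the endpoint mapper and NDR transfer-syntax UUIDs are the well-known values from the DCE/RPC specification.

```python
"""Decode a DCE/RPC bind PDU (the request that makes the Canary's endpoint mapper alert)
and report the requested interface. Added example, not Canary's code; sample input is constructed."""
import struct
import uuid

PTYPE_BIND = 11
# Well-known interface identifiers from the DCE/RPC specification.
EPM_IFACE = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")   # endpoint mapper, v3.0
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax, v2.0


def parse_bind(pdu: bytes) -> dict:
    """Return call_id and [(context id, interface UUID, 'major.minor'), ...] from a bind PDU."""
    if len(pdu) < 28:
        raise ValueError("PDU too short for a bind header")
    vers, _minor, ptype, _flags, _drep, frag_len, _auth_len, call_id = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if vers != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match the bytes received")
    _max_xmit, _max_recv, _assoc_group, n_ctx = struct.unpack_from("<HHIB", pdu, 16)
    offset = 28  # 16-byte header + 8 bytes of bind fields + n_ctx and 3 reserved bytes
    contexts = []
    for _ in range(n_ctx):
        ctx_id, n_syn = struct.unpack_from("<HBx", pdu, offset)
        iface = uuid.UUID(bytes_le=pdu[offset + 4:offset + 20])  # NDR little-endian UUID layout
        major, minor = struct.unpack_from("<HH", pdu, offset + 20)
        contexts.append((ctx_id, iface, f"{major}.{minor}"))
        offset += 24 + 20 * n_syn  # skip the transfer syntaxes offered for this context
    return {"call_id": call_id, "contexts": contexts}


def describe_bind(pdu: bytes) -> str:
    """One-line summary suitable for an alert: which interface(s) the client bound to."""
    info = parse_bind(pdu)
    parts = []
    for ctx_id, iface, ver in info["contexts"]:
        label = "endpoint mapper" if iface == EPM_IFACE else "other interface"
        parts.append(f"ctx {ctx_id}: {iface} v{ver} ({label})")
    return f"bind call_id={info['call_id']}: " + "; ".join(parts)


def build_bind(iface: uuid.UUID, major: int, minor: int, call_id: int = 1) -> bytes:
    """Constructed sample input: a minimal single-context bind offering NDR v2.0."""
    ctx = struct.pack("<HBx", 0, 1) + iface.bytes_le + struct.pack("<HH", major, minor)
    ctx += NDR_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)
    body = struct.pack("<HHIBxxx", 5840, 5840, 0, 1) + ctx  # frag sizes, assoc group, n_ctx
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return header + body


SAMPLE_EPM_BIND = build_bind(EPM_IFACE, 3, 0)  # the kind of bind rpcping sends to the mapper on port 135
```

A bind to the endpoint mapper interface is expected from rpcping; binds to other interface UUIDs tell you which service the client believed it was talking to.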
Please feel free to reach out to us over here if you have any questions.