Kaspersky expert dissects the MS-RPC security mechanism and provides a step-by-step analysis of calling a function from the Netlogon interface.
Analysis Summary
# Tool/Technique: No Authentication Domain Information Enumeration via MS-NRPC
## Overview
This summary describes techniques for enumerating domain information (such as user lists) without supplying any authentication credentials. The techniques rely on the Microsoft Remote Procedure Call (RPC) interfaces, specifically the MS-NRPC (Netlogon) interface, and the summary also covers how the Windows Group Policy intended to restrict unauthenticated RPC access affects them.
## Technical Details
- Type: Technique
- Platform: Windows
- Capabilities: Enumeration of domain information (users, etc.) through unauthenticated RPC calls, exploiting weaknesses in interface security descriptors and interface registration flags.
- First Seen: The article discusses reviving a long-standing concept (null session/no-auth enumeration), focusing on modern applicability.
## MITRE ATT&CK Mapping
- T1592 - Gather Victim Identity Information
- T1592.002 - Domain Accounts
- T1078 - Valid Accounts
- T1078.003 - Local Accounts (Though used without authentication, enumeration is related to victim identity)
- T1119 - Native API
- T1119.001 - Remote Procedure Call (RPC)
## Functionality
### Core Capabilities
- Enumerating domain information using MS-NRPC interface calls without providing authentication.
- Bypassing the `Restrict Unauthenticated RPC Clients` Group Policy setting when set to "Authenticated" by leveraging specific interface characteristics.
### Advanced Features
- Exploiting the `RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH` flag set on the MS-NRPC interface, which overrides the general policy restriction and lets unauthenticated calls reach the interface's security callback.
- Leveraging the interface's Security Descriptor (derived from its associated ALPC port), which grants access to anonymous users, so that the check performed by the security callback passes.
- Demonstrating that setting the Group Policy to "Authenticated without exceptions" breaks critical domain functionality (such as remote WMI access via DCOM), because it blocks the unauthenticated calls (e.g., `ServerAlive2` on `IObjectExporter`) that DCOM object creation requires.
## Indicators of Compromise
- File Hashes: N/A (Focus is on network interaction and system configuration)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: RPC traffic directed at domain controllers over port 135 (or a dynamically mapped port) that binds to interfaces such as MS-NRPC, or DCOM interfaces such as IObjectExporter, without supplying authentication data (authentication level 1, i.e. none).
- Behavioral Indicators: Excessive RPC interface binding attempts preceding enumeration queries, particularly when the RPC policy is configured strictly.
## Associated Threat Actors
- Not explicitly named in this excerpt, but the technique targets common weaknesses in default Windows domain configurations, relevant to reconnaissance phases of almost any sophisticated adversary.
## Detection Methods
- Signature-based detection: Monitoring for specific MS-NRPC function calls originating from unauthenticated network sessions.
- Behavioral detection: Identifying unusual sequences of RPC binds followed immediately by function calls that harvest directory information, especially when the client supplies no credentials or invalid ones. Also monitoring for failures of administrative tools (such as remote WMI access) after the `Restrict Unauthenticated RPC Clients` policy is set to "Authenticated without exceptions," since the policy change itself can cause such failures.
- YARA rules: N/A (Focus is on protocol interaction, not static malware files)
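The following is an added example, not code from the Kaspersky article, showing how the network and behavioral indicators above could be expressed as detection logic over bind records. It assumes a hypothetical pipe-separated log format (`timestamp|src|dst|interface_uuid|auth_level`) that a sensor might emit; the sample lines are constructed. The interface UUIDs for MS-NRPC and IObjectExporter are the real, well-known values. Unauthenticated binds to IObjectExporter are deliberately treated as expected, since DCOM activation (e.g., `ServerAlive2`) legitimately makes them.

```python
"""Detection logic for unauthenticated MS-NRPC binds and bind bursts.

Added example (not from the original article). Input format is a
hypothetical sensor log: timestamp|src|dst|interface_uuid|auth_level.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known RPC interface UUIDs (real values).
NETLOGON_IFACE = "12345678-1234-abcd-ef00-01234567cffb"        # MS-NRPC
IOBJECTEXPORTER_IFACE = "99fcfec4-5260-101b-bbcb-00aa0021347a"  # DCOM IObjectExporter

AUTHN_LEVEL_NONE = 1  # RPC_C_AUTHN_LEVEL_NONE: no authentication data supplied


def _burst_lines():
    """Constructed: one source making 12 authenticated binds in 12 seconds."""
    base = datetime(2024, 5, 1, 10, 5, 0)
    return [
        f"{(base + timedelta(seconds=i)).isoformat()}|10.0.0.77|10.0.0.1|{NETLOGON_IFACE}|6"
        for i in range(12)
    ]


# Constructed sample log (not captured traffic).
SAMPLE_LOG = "\n".join([
    # Expected: DCOM activation binds IObjectExporter without authentication.
    f"2024-05-01T10:00:00|10.0.0.5|10.0.0.1|{IOBJECTEXPORTER_IFACE}|1",
    # Benign: Netlogon bind at packet-privacy level (6).
    f"2024-05-01T10:00:01|10.0.0.5|10.0.0.1|{NETLOGON_IFACE}|6",
    # Suspicious: Netlogon bind with no authentication at all.
    f"2024-05-01T10:00:02|10.0.0.99|10.0.0.1|{NETLOGON_IFACE}|1",
] + _burst_lines())


def parse_log(text):
    """Parse the hypothetical log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, iface, level = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "iface": iface.lower(),
            "auth_level": int(level),
        })
    return records


def classify_bind(rec):
    """Return an alert reason for one bind record, or None if it looks benign."""
    if rec["auth_level"] != AUTHN_LEVEL_NONE:
        return None
    if rec["iface"] == NETLOGON_IFACE:
        return "unauthenticated MS-NRPC bind"
    if rec["iface"] == IOBJECTEXPORTER_IFACE:
        # Normal DCOM object creation needs this unauthenticated call;
        # alerting on it would bury real findings under remote-WMI noise.
        return None
    # Other interfaces are not classified here; extend the allow-list per site.
    return None


def find_bursts(records, threshold=10, window=timedelta(seconds=60)):
    """Sources that made more than `threshold` binds inside any `window` span."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec["ts"])
    bursty = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                bursty.append(src)
                break
    return bursty


def detect(records, threshold=10, window=timedelta(seconds=60)):
    """Combine per-record classification with the burst heuristic."""
    alerts = []
    for rec in records:
        reason = classify_bind(rec)
        if reason:
            alerts.append((rec["src"], reason))
    for src in find_bursts(records, threshold, window):
        alerts.append((src, "excessive RPC bind attempts"))
    return alerts


if __name__ == "__main__":
    for src, reason in detect(parse_log(SAMPLE_LOG)):
        print(f"{src}: {reason}")
```

On the constructed sample the logic reports one unauthenticated MS-NRPC bind from 10.0.0.99 and one bind burst from 10.0.0.77, while the unauthenticated IObjectExporter bind from 10.0.0.5 produces nothing. The burst threshold and window are starting points only; tune them against the bind rate of legitimate management traffic in the environment.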
## Mitigation Strategies
- Prevention measures: Understand the impact of the `Restrict Unauthenticated RPC Clients` Group Policy before changing it. The "Authenticated" setting does not stop the MS-NRPC enumeration described here, and "Authenticated without exceptions" severely impacts domain services that rely on the default DCOM/RPC initialization sequence.
- Hardening recommendations: Audit RPC interface registrations where possible. Default interfaces are hard to change, but verifying whether each RPC endpoint genuinely needs to be reachable over the network is crucial.
## Related Tools/Techniques
- Null Session Enumeration (Older technique related to SMB/NetBIOS).
- Tools leveraging WMI exploitation or DCOM interaction for remote management (e.g., `wmic`, PowerShell remoting setup dependencies).
- **NtObjectManager:** Mentioned as the tool used to extract Security Descriptor Definition Language (SDDL) strings from ALPC ports in order to understand the access control applied to the interface.