Advisory severity: high

Remote Registry Lateral Movement via RPC Firewall

This brief covers the detection, via RPC Firewall logs, of lateral movement attempts that use remote RPC calls to modify the registry, potentially leading to code execution.

This threat brief focuses on detecting lateral movement attempts that leverage remote procedure calls (RPC) to modify registry keys on target systems. The technique abuses the Remote Registry protocol to achieve persistence or execute arbitrary code. Defenders can use RPC Firewall logs to identify and block this activity by monitoring calls to the Windows Remote Registry Protocol (MS-RRP) interface whose operation numbers correspond to registry modification. The activity is typically seen in the post-exploitation phase, when attackers attempt to gain a foothold and expand their control within a network. The RPC Firewall described in this brief provides both the monitoring and the blocking of this behavior.

Attack Chain

  1. The attacker gains initial access to a system within the network (e.g., through phishing or exploiting a vulnerability).
  2. The attacker discovers accessible target systems on the network.
  3. The attacker attempts to connect to the target system’s RPC endpoint for the Remote Registry service (UUID 338cd001-2244-31f1-aaaa-900038001003).
  4. The attacker uses RPC calls with operation numbers 6, 7, 8, 13, 18, 19, 21, 22, 23, or 35 to interact with the registry remotely.
  5. The attacker modifies registry keys related to startup programs or services.
  6. The attacker triggers the execution of malicious code through the modified registry keys, achieving persistence.
  7. The malicious code executes, allowing the attacker to perform actions such as data exfiltration or further lateral movement.

Impact

Successful exploitation allows attackers to achieve persistence, escalate privileges, and move laterally within the network. This can lead to data theft, system compromise, and disruption of services. If lateral movement succeeds, attackers can gain control over critical assets, leading to significant financial and reputational damage.

Recommendation

  • Install and configure RPC Firewall on all critical systems, auditing RPC calls to the Remote Registry Protocol interface (UUID 338cd001-2244-31f1-aaaa-900038001003) as described in the logsource definition of the Sigma rules.
  • Deploy the provided Sigma rules to your SIEM to detect anomalous RPC calls related to registry modification, as outlined in the detection section.
  • Investigate the alerts raised by the deployed Sigma rules and use RPC Firewall to block the RPC connections confirmed to be malicious.
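As an added example that is not part of this brief or of the RPC Firewall project, the following Python script applies the brief's detection condition (the MS-RRP interface UUID plus the listed write-type operation numbers) to a few constructed RPC Firewall-style audit lines and groups the hits by source address for triage. The key:value line layout and the field names (EventID, InterfaceUuid, OpNum, SourceAddress) are assumptions, and the opnum-to-name mapping is taken from the MS-RRP opnum table rather than from the brief.

```python
import re
from collections import defaultdict

# Interface UUID and write-type opnums exactly as listed in the brief (MS-RRP / Remote Registry).
MSRRP_UUID = "338cd001-2244-31f1-aaaa-900038001003"
WRITE_OPNUMS = {6, 7, 8, 13, 18, 19, 21, 22, 23, 35}
# Opnum names per the MS-RRP opnum table (the brief itself lists only the numbers).
OPNUM_NAMES = {6: "BaseRegCreateKey", 7: "BaseRegDeleteKey", 8: "BaseRegDeleteValue",
               13: "BaseRegLoadKey", 18: "BaseRegReplaceKey", 19: "BaseRegRestoreKey",
               21: "BaseRegSetKeySecurity", 22: "BaseRegSetValue",
               23: "BaseRegUnLoadKey", 35: "BaseRegDeleteKeyEx"}

# Constructed sample audit lines; the key:value layout and field names are assumed, not RPC Firewall's real format.
SAMPLE_LOG = """\
EventID:3 InterfaceUuid:338cd001-2244-31f1-aaaa-900038001003 OpNum:15 SourceAddress:10.0.0.5
EventID:3 InterfaceUuid:338cd001-2244-31f1-aaaa-900038001003 OpNum:6 SourceAddress:10.0.0.5
EventID:3 InterfaceUuid:338cd001-2244-31f1-aaaa-900038001003 OpNum:22 SourceAddress:10.0.0.5
EventID:3 InterfaceUuid:12345778-1234-abcd-ef00-0123456789ab OpNum:22 SourceAddress:10.0.0.9
EventID:3 InterfaceUuid:338cd001-2244-31f1-aaaa-900038001003 OpNum:17 SourceAddress:10.0.0.9
"""

FIELD_RE = re.compile(r"(\w+):(\S+)")

def parse_event(line):
    """Split one audit line into a dict; EventID and OpNum become ints (-1 if absent)."""
    fields = dict(FIELD_RE.findall(line))
    for key in ("EventID", "OpNum"):
        fields[key] = int(fields.get(key, -1))
    return fields

def is_remote_registry_write(ev):
    """The brief's detection condition: MS-RRP interface plus a write-type opnum.
    Read-only opnums such as 15 (BaseRegOpenKey) or 17 (BaseRegQueryValue) do not match."""
    return (ev["EventID"] == 3
            and ev.get("InterfaceUuid", "").lower() == MSRRP_UUID
            and ev["OpNum"] in WRITE_OPNUMS)

def detect(log_text):
    """Return matching opnum names grouped by source address, for triage."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_remote_registry_write(ev):
            hits[ev.get("SourceAddress", "unknown")].append(
                OPNUM_NAMES.get(ev["OpNum"], f"opnum {ev['OpNum']}"))
    return dict(hits)

if __name__ == "__main__":
    for src, ops in detect(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(ops)}")  # 10.0.0.5: BaseRegCreateKey, BaseRegSetValue
```

Only the source that issued write-type calls on the MS-RRP interface is reported; the same opnum on another interface and read-only opnums on MS-RRP are ignored, which is the distinction a first-line triage needs.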

Detection coverage (2 rules)

RPC Firewall Remote Registry Modification

Severity: high

Detects RPC calls indicative of remote registry modification using RPC Firewall logs.

Rule type: sigma | Tactics: defense-impairment, lateral-movement, persistence | Techniques: T1112 | Sources: application, rpc_firewall

RPC Firewall Remote Registry Add Key

Severity: high

Detects RPC calls indicative of remote registry key addition using RPC Firewall logs.

Rule type: sigma | Tactics: defense-impairment, lateral-movement, persistence | Techniques: T1112 | Sources: application, rpc_firewall

Detection queries are kept inside the platform.