Lifting the Fog of War

Explore the intricacies of Microsoft's Remote Procedure Calls (MS-RPC) protocol and its impact on Windows security in this 46-minute conference talk from 44CON 2023. Delve into the protocol's integral role in Windows operations and its connection to various lateral movement techniques and exploits. Discover built-in defensive mechanisms, including the RPC ETW provider and Windows firewall RPC filters, that can be leveraged to mitigate RPC-based threats. Learn about a new tool designed to simplify interaction with the RPC ETW provider, enrich event data, and enhance visualization. Examine the challenges of monitoring RPC traffic and strategies to overcome inherent shortcomings in the ETW provider. Gain insights into utilizing Windows features for tracking and defending against RPC-based attacks, and explore the effectiveness of these methods in analyzing RPC data and detecting malicious traffic. Acquire knowledge about signatures developed to detect common lateral movement techniques and one-day exploits. Presented by Stiv Kupchik, a senior security researcher at Akamai with expertise in OS internals, vulnerability research, and malware analysis.

Stiv Kupchik - Lifting the Fog of War