Server Interaction

Create a client and connect to an RPC endpoint with NtObjectManager:

$rpc = get-rpcserver C:\Windows\System32\spoolsv.exe
$client = get-rpcclient $rpc[0]
$client | get-member -MemberType Method
connect-rpcclient -Client $client //can additionally specify an endpoint, by default it will ask  the endpoint mapper
//if successful $client should now show Connected: True
//can now call exposed methods (found via get-member), such as disconnect
$client.disconnect()

Remote Host

connect-rpcclient -client $client -ProtocolSequence  ncacn_ip_tcp -NetworkAddress 192.168.1.112
LogoGitHub - googleprojectzero/sandbox-attacksurface-analysis-tools: Set of tools to analyze Windows sandboxes for exposed attack surface.GitHub
NtObjectManager
LogoCalling Local Windows RPC Servers from .NET
LogoCreating and Starting a Windows Service Remotely Using NtObjectManager Via Remote Procedure Calls (RPC) Over SMBOpen Threat Research Blog
PreviousRPC EndpointsNextRPC Procedure Enumeration

Last updated

Was this helpful?