
Microsoft Windows Machine Account NTLM Coercion via Authenticated LSARPC Spoofing

Block remote EFSRPC functionality with RPC Filters


If Microsoft Encrypted File System Remote Protocol (MS-EFSRPC) is not required, administrators should block the remote EFSRPC functionality on the vulnerable host using RPC filters.

  1. Create a text file with the following content:
    rpc
    filter
    add rule layer=um actiontype=block
    add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
    add filter
    add rule layer=um actiontype=block
    add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
    add filter
    quit

  2. Use the netsh command line utility to import the RPC filter from an elevated administrator prompt: netsh -f <FILTER_FILE_NAME>
  3. To confirm the filters are in place, you can view the current RPC filters using the following command: netsh rpc filter show filter
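The three steps above, carried out end to end as an added PowerShell example (not part of the CERT/CC note): it writes the filter file, imports it with netsh, and then checks that both EFSRPC interface UUIDs appear in the installed filters. The file name block-efsrpc.txt and its location under $env:TEMP are assumptions.

```powershell
# Added example, not from the CERT/CC note: applies the two EFSRPC block rules
# from step 1 and verifies them as in step 3.
# Assumes: Windows with netsh, run from an elevated PowerShell session.
$ErrorActionPreference = 'Stop'

# The two EFSRPC interface UUIDs quoted in the filter text above.
$efsrpcInterfaces = @(
    'c681d488-d850-11d0-8c52-00c04fd90f7e',
    'df1941c5-fe89-4e79-bf10-463657acf44d'
)

# RPC filter changes need an elevated token; fail early if we do not have one.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell prompt.'
}

# Step 1: build the netsh script, one block rule per interface UUID.
$lines = @('rpc', 'filter')
foreach ($uuid in $efsrpcInterfaces) {
    $lines += 'add rule layer=um actiontype=block'
    $lines += "add condition field=if_uuid matchtype=equal data=$uuid"
    $lines += 'add filter'
}
$lines += 'quit'

$filterFile = Join-Path $env:TEMP 'block-efsrpc.txt'   # assumed file name
Set-Content -Path $filterFile -Value $lines -Encoding ASCII

# Step 2: import the filter file.
netsh -f $filterFile
if ($LASTEXITCODE -ne 0) { throw "netsh -f failed with exit code $LASTEXITCODE" }

# Step 3: confirm both interface UUIDs now appear in the installed RPC filters.
$installed = (netsh rpc filter show filter) -join "`n"
foreach ($uuid in $efsrpcInterfaces) {
    if ($installed -notmatch [regex]::Escape($uuid)) {
        throw "RPC filter for EFSRPC interface $uuid was not found after import."
    }
    Write-Host "RPC filter blocking EFSRPC interface $uuid is in place."
}
```

Run it on a test host first and confirm that any workload relying on remote EFS still behaves as expected; an individual filter can be removed again with netsh rpc filter delete filter filterkey=<key>, using the key shown by netsh rpc filter show filter.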

See CERT Coordination Center Vulnerability Note VU#405600 for additional details.