
Microsoft Remote Procedure Call (MSRPC) Protocol

What is MSRPC (Microsoft Remote Procedure Call)?

Microsoft Remote Procedure Call (MSRPC), also known as a function call or a subroutine call, is a client-server protocol that enables one program to request a service from a program on another computer without having to understand the details of that computer's network. MSRPC was originally derived from open-source software but has been developed further and copyrighted by Microsoft.

How Does MSRPC Work?

The goal of MSRPC is to simplify interprocess communication between clients and servers, enabling a client to call a service on a remote server with a standard interface (rather than with a custom protocol). Each interface has several operations or opnums (also known as methods). Client and server stubs—small programs that substitute for larger code implementations—have the ability to run a process that corresponds with the interface and operation in the function call.

To make a function call, the client sends an MSRPC request with an interface and operation to a remote server. MSRPC requests are tunneled through network protocols such as SMB/CIFS, HTTP, or TCP. Essentially, MSRPC is the transport mechanism, and the interface and operation within the MSRPC request provide the functionality on the remote server.
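The interface and operation described above can be recovered from the wire once the transport payload is reassembled. This added example (not from the original page) parses the DCE/RPC connection-oriented PDU layout that MSRPC uses: the bind PDU maps a context id to an interface UUID, and each request names only that context id plus an opnum. The names `parse_pdu` and `sample_pdus` are hypothetical, and the sample bytes are constructed rather than captured.

```python
import struct
import uuid

BIND, REQUEST = 11, 0  # connection-oriented DCE/RPC PDU types

def parse_pdu(pdu, contexts):
    """Return (interface_uuid, opnum) for a request PDU, None otherwise.

    contexts maps presentation context id -> interface UUID; bind PDUs
    seen earlier on the same connection fill it in.
    """
    if len(pdu) < 16 or pdu[0] != 5:
        raise ValueError("not a connection-oriented DCE/RPC PDU")
    little = bool(pdu[4] & 0x10)  # data representation: integer byte order
    e = "<" if little else ">"
    try:
        if struct.unpack_from(e + "H", pdu, 8)[0] != len(pdu):
            raise ValueError("frag_length does not match buffer")
        if pdu[2] == BIND:
            off = 28  # header (16) + frag sizes and assoc group (8) + count (4)
            for _ in range(pdu[24]):  # n_context_elem
                ctx_id, n_syn = struct.unpack_from(e + "HB", pdu, off)
                raw = pdu[off + 4:off + 20]  # abstract syntax = interface UUID
                u = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
                contexts[ctx_id] = str(u)
                off += 24 + 20 * n_syn  # skip version and transfer syntaxes
        elif pdu[2] == REQUEST:
            # alloc_hint (4), then context id (2) and opnum (2)
            ctx_id, opnum = struct.unpack_from(e + "HH", pdu, 20)
            return contexts.get(ctx_id, "unknown"), opnum
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated PDU") from exc
    return None

def sample_pdus():
    """Constructed little-endian bind + request PDUs, not captured traffic."""
    samr = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")  # SAMR interface
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")   # NDR transfer syntax
    def hdr(ptype, body):
        return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\0\0\0",
                           16 + len(body), 0, 1) + body
    bind = hdr(BIND, struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)
               + struct.pack("<HBB", 0, 1, 0) + samr.bytes_le
               + struct.pack("<HH", 1, 0) + ndr.bytes_le + struct.pack("<I", 2))
    req = hdr(REQUEST, struct.pack("<IHH", 0, 0, 13) + b"\0" * 8)  # opnum 13, constructed
    return bind, req
```

A monitoring tool would keep one `contexts` dictionary per connection, so that opnums are logged against the interface that was actually bound rather than against the port or named pipe alone.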

Security Concerns

MSRPC interfaces can be abused by attackers to collect valuable information or compromise servers. Many Windows administration tools, such as PsExec and PowerShell, depend on MSRPC. Attackers can perform Active Directory reconnaissance (to identify domain administrator accounts on the network) by directly requesting information from Windows workstations or domain controllers with MSRPC. An attacker with elevated privileges and access to these tools can leverage MSRPC to send malicious commands to remote servers. After compromising those servers, the attacker can pivot, or laterally move, to new targets on the network.