Merge branch 'master' of https://github.com/zeronetworks/rpcfirewall

Configuration_templates/RpcFw.conf.AuditOnly

@@ -0,0 +1,49 @@
+fw:action:allow audit:true
+flt:uuid:338cd001-2244-31f1-aaaa-900038001003 action:allow audit:true
+flt:uuid:99fcfec4-5260-101b-bbcb-00aa0021347a action:allow audit:true
+flt:uuid:000001A0-0000-0000-C000-000000000046 action:allow audit:true
+flt:uuid:00000131-0000-0000-C000-000000000046 action:allow audit:true
+flt:uuid:00000143-0000-0000-C000-000000000046 action:allow audit:true
+flt:uuid:1FF70682-0A51-30E8-076D-740BE8CEE98B action:allow audit:true
+flt:uuid:378E52B0-C0A9-11CF-822D-00AA0051E40F action:allow audit:true
+flt:uuid:86D35949-83C9-4044-B424-DB363231FD0C action:allow audit:true
+flt:uuid:f6beaff7-1e19-4fbb-9f8f-b89e2018337c action:allow audit:true
+flt:uuid:82273FDC-E32A-18C3-3F78-827929DC23EA action:allow audit:true
+flt:uuid:50abc2a4-574d-40b3-9d66-ee4fd5fba076 action:allow audit:true
+flt:uuid:76f03f96-cdfd-44fc-a22c-64950a001209 action:allow audit:true
+flt:uuid:12345678-1234-abcd-ef00-0123456789ab action:allow audit:true
+flt:uuid:0b6edbfa-4a24-4fc6-8a23-942b1eca65d1 action:allow audit:true
+flt:uuid:ae33069b-a2a8-46ee-a235-ddfd339be281 action:allow audit:true
+flt:uuid:88143fd0-c28d-4b2b-8fef-8d882f6a9390 action:allow audit:true
+flt:uuid:5ca4a760-ebb1-11cf-8611-00a0245420ed action:allow audit:true
+flt:uuid:484809d6-4239-471b-b5bc-61df8c23ac48 action:allow audit:true
+flt:uuid:bde95fdf-eee0-45de-9e12-e5a61cd0d4fe action:allow audit:true
+flt:uuid:497d95a6-2d27-4bf5-9bbd-a6046957133c action:allow audit:true
+flt:uuid:367ABB81-9844-35F1-AD32-98F038001003 action:allow audit:true
+flt:uuid:8f09f000-b7ed-11ce-bbd2-00001a181cad action:allow audit:true
+flt:uuid:20610036-fa22-11cf-9823-00a0c911e5df action:allow audit:true
+flt:uuid:66a2db1b-d706-11d0-a37b-00c04fc9da04 action:allow audit:true
+flt:uuid:66a2db20-d706-11d0-a37b-00c04fc9da04 action:allow audit:true
+flt:uuid:66a2db21-d706-11d0-a37b-00c04fc9da04 action:allow audit:true
+flt:uuid:66a2db22-d706-11d0-a37b-00c04fc9da04 action:allow audit:true
+flt:uuid:67e08fc2-2984-4b62-b92e-fc1aae64bbbb action:allow audit:true
+flt:uuid:6139d8a4-e508-4ebb-bac7-d7f275145897 action:allow audit:true
+flt:uuid:5ff9bdf6-bd91-4d8b-a614-d6317acc8dd8 action:allow audit:true
+flt:uuid:df1941c5-fe89-4e79-bf10-463657acf44d action:allow audit:true
+flt:uuid:c681d488-d850-11d0-8c52-00c04fd90f7e action:allow audit:true
+flt:uuid:11899a43-2b68-4a76-92e3-a3d6ad8c26ce action:allow audit:true
+flt:uuid:53b46b02-c73b-4a3e-8dee-b16b80672fc0 action:allow audit:true
+flt:uuid:1257B580-CE2F-4109-82D6-A9459D0BF6BC action:allow audit:true
+flt:uuid:12345778-1234-abcd-ef00-0123456789ac action:allow audit:true
+flt:uuid:f5cc5a18-4264-101a-8c59-08002b2f8426 action:allow audit:true
+flt:uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188 action:allow audit:true
+flt:uuid:6bffd098-a112-3610-9833-46c3f87e345a action:allow audit:true
+flt:uuid:f5cc59b4-4264-101a-8c59-08002b2f8426 action:allow audit:true
+flt:uuid:5b821720-f63b-11d0-aad2-00c04fc324db action:allow audit:true
+flt:uuid:6BFFD098-A112-3610-9833-46C3F874532D action:allow audit:true
+flt:uuid:4fc742e0-4a10-11cf-8273-00aa004ae673 action:allow audit:true
+flt:uuid:51b836e8-484d-4d03-b0fc-22e265cb3f7b action:allow audit:true
+flt:uuid:6bffd098-a112-3610-9833-012892020162 action:allow audit:true
+flt:uuid:e1af8308-5d1f-11c9-91a4-08002b14a0fa action:allow audit:true
+flt:uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 action:allow audit:true
+flt:uuid:3919286a-b10c-11d0-9ba8-00c04fd92ef5 action:allow audit:true

Configuration_templates/RpcFw.conf.FirewallOnly

@@ -26,8 +26,10 @@ DCSync Protecion: <edit the DC addresses to match your environemt!!>:
 fw:uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 addr:<dc_addr1> action:allow audit:true 
 fw:uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 addr:<dc_addr2> action:allow audit:true 
 fw:uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 opnum:0 action:allow audit:true 
-fw:uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 opnum:1 action:allow audit:true 
+fw:uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 opnum:1 action:allow audit:true
+fw:uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 opnum:16 action:allow audit:true
 fw:uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 opnum:12 action:allow audit:true 
+fw:uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 opnum:19 action:allow audit:true 
 fw:uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 action:block audit:true 
 
 Default block:

README.md

@@ -1,3 +1,6 @@
+[![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/zeronetworks/rpcfirewall)](https://github.com/zeronetworks/rpcfirewall/releases/latest)
+![GitHub all releases](https://img.shields.io/github/downloads/zeronetworks/rpcfirewall/total)
+
 # I Need More Information
 Check out our [RPC Firewall](https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/) blog post or our [BlackHat talk](https://www.youtube.com/watch?v=hz_YPIMeBMI) to gain better understanding of RPC, RPC attacks and the solution: the RPC Firewall.
 For any questions, issues, or simlpy to shout out - we would love to hear from you! Contact us at [[email protected]](mailto:[email protected])
@@ -25,7 +28,7 @@ Throughout this document, we will use the following terms:
 Can be used to to **audit** all remote RPC calls. 
 Once executing any remote attack tools, you will see which RPC UUIDs and Opnums were called remotely.
 
-See an example configuration [here](./Configuration_templates/RpcFw.conf.AuditAll).
+See an example configuration [here](./Configuration_templates/RpcFw.conf.AuditOnly).
 
 ## Remote RPC Attacks Detection
 When the *RPCFW Configuration* is configured to audit, events are written to the Windows Event Log.