Capture Credentials with Rpcping.exe

calendar Nov 10, 2025 · attack.credential-access attack.t1003  ·
Share on: linkedin copy

Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.

Sigma rule (View on GitHub)

 1title: Capture Credentials with Rpcping.exe
 2id: 93671f99-04eb-4ab4-a161-70d446a84003
 3status: test
 4description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
 7    - https://twitter.com/vysecurity/status/974806438316072960
 8    - https://twitter.com/vysecurity/status/873181705024266241
 9    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
10author: Julia Fomina, oscd.community
11date: 2020-10-09
12modified: 2025-10-31
13tags:
14    - attack.credential-access
15    - attack.t1003
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_main_img:
21        - Image|endswith: '\RpcPing.exe'
22        - OriginalFileName: '\RpcPing.exe'
23    selection_main_flag:
24        CommandLine|contains|windash: '-s'
25    selection_cli_ntlm:
26        CommandLine|contains|windash: '-u'
27        CommandLine|contains: 'NTLM'
28    selection_cli_ncacn:
29        CommandLine|contains|windash: '-t'
30        CommandLine|contains: 'ncacn_np'
31    condition: all of selection_main_* and 1 of selection_cli_*
32falsepositives:
33    - Unlikely
34level: medium

References

  • Rpcping on LOLBAS

    Rpcping.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.


    Read More

  • Rpcping

    /t Specifies the protocol sequence to use. Can be one of the standard RPC protocol sequences, for example: ncacn_ip_tcp, ncacn_np, or ncacn_http. If not specified, default is ncacn_ip_tcp. /s Speci...


    Read More

Related rules

to-top