PowerShell Script – Invoke-RPCMap

Posted on by

Invoke-RPCMap

Invoke-RPCMap can be used to enumerate local and remote RPC services/ports via the RPC Endpoint Mapper service.

This information can useful during an investigation where a connection to a remote port is known, but the service is running under a generic process like svchost.exe.

This script will do the following:

  • Create a local log file
  • Connect to the RPC Endpoint Mapper service and retreive a list of ports/uuids
  • Compare the returned uuids to the list in the script to identify the service name
  • Print the results
  • Map the next host if multiple hosts are provided
  • Open the log file (optional)

You can find the script on my Github here:
https://github.com/robwillisinfo/Invoke-RPCMap

The core of this script was sourced from the following script: https://devblogs.microsoft.com/scripting/testing-rpc-ports-with-powershell-and-yes-its-as-much-fun-as-it-sounds/

Examples

Basic usage (will scan local host):

C:\PS> PowerShell.exe -ExecutionPolicy Bypass .\Invoke-RPCMap.ps1

Add -targetHosts or -t (alias) to scan multiple hosts:

C:\PS> PowerShell.exe -ExecutionPolicy Bypass .\Invoke-RPCMap.ps1 -t localhost,host1,192.168.1.50

C:\PS> PowerShell.exe -ExecutionPolicy Bypass .\Invoke-RPCMap.ps1 -targetHosts localhost,host1,192.168.1.50

Add -openLog or -o (alias) to open the log file in notepad when the script has completed:

C:\PS> PowerShell.exe -ExecutionPolicy Bypass .\Invoke-RPCMap.ps1 -t localhost,host1,192.168.1.50 -o

C:\PS> PowerShell.exe -ExecutionPolicy Bypass .\Invoke-RPCMap.ps1 -t localhost,host1,192.168.1.50 -openLog

Comments are closed.