The BZAR project uses the Bro/Zeek Network Security Monitor to detect ATT&CK-based adversarial activity.
MITRE ATT&CK is a publicly-available, curated knowledge base for cyber adversary behavior, reflecting the various phases of the adversary lifecycle and the platforms they are known to target. The ATT&CK model includes behaviors of numerous threats groups.
BZAR is a set of Bro/Zeek scripts utilizing the SMB and DCE-RPC protocol analyzers and the File Extraction Framework to detect ATT&CK-like activity, raise notices, and write to the Notice Log.
BZAR is a component of the Cyber Analytics Repository. It was originally located within that library, but due to requirements for Zeek packages it was moved to its own repository. It's still managed as a component of CAR.
BZAR must be tuned for your specific operational envrionment. For example, some of the ATT&CK-like activity that BZAR detects may be authorized and legitimate activity in your environment. Therefore, these detections would produce lots of unnecessary entries in the Notice Log. This can be tuned by the use of BZAR whitelists and by toggling on/off detection and/or reporting. See the CHANGES document for more information.
The BZAR analytics use the Bro/Zeek Summary Statistics (SumStats) Framework to combine two or more simple indicators in SMB and DCE-RPC traffic to detect ATT&CK-like activity with a greater degree of confidence. Three (3) BZAR analytics are described below.
Use SumStats to raise a Bro/Zeek Notice event if an SMB Lateral Movement indicator (e.g., SMB File Write to a Windows Admin File Share: ADMIN$ or C$ only) is observed together with a DCE-RPC Execution indicator against the same (targeted) host, within a specified period of time.
- T1021.002 Remote Services: SMB/Windows Admin Shares (file shares only, not named pipes), and
- T1570 Lateral Tool Transfer, and
- One of the following:
smb1_write_andx_response::c$smb_state$path
containsADMIN$
orC$
smb2_write_request::c$smb_state$path**
containsADMIN$
orC$
dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation
contains any of the following:svcctl::CreateServiceW
svcctl::CreateServiceA
svcctl::StartServiceW
svcctl::StartServiceA
IWbemServices::ExecMethod
IWbemServices::ExecMethodAsync
atsvc::JobAdd
ITaskSchedulerService::SchRpcRegisterTask
ITaskSchedulerService::SchRpcRun
ITaskSchedulerService::SchRpcEnableTask
NOTE: Preference would be to detect smb2_write_response event (instead of smb2_write_request), because it would confirm the file was actually written to the remote destination. Unfortunately, Bro/Zeek does not have an event for that SMB message-type yet.
Use SumStats to raise a Bro/Zeek Notice event if multiple SMB Lateral Movement indicators (e.g., multiple attempts to connect to a Windows Admin File Share: ADMIN$ or C$ only) are observed originating from the same host, regardless of write-attempts and regardless of whether or not any connection is successful --just connection attempts-- within a specified period of time.
- T1021.002 Remote Services: SMB/Windows Admin Shares (file shares only, not named pipes)
smb1_tree_connect_andx_request::c$smb_state$path
containsADMIN$
orC$
smb2_tree_connect_request::c$smb_state$path
containsADMIN$
orC$
Use SumStats to raise a Bro/Zeek Notice event if multiple instances of DCE-RPC Discovery indicators are observed originating from the same host, within a specified period of time.
- T1016 System Network Configuration Discovery
- T1018 Remote System Discovery
- T1033 System Owner/User Discovery
- T1069 Permission Groups Discovery
- T1082 System Information Discovery
- T1083 File & Directory Discovery
- T1087 Account Discovery
- T1124 System Time Discovery
- T1135 Network Share Discovery
dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation
contains any of the following:lsarpc::LsarEnumerateAccounts
lsarpc::LsarEnumerateAccountRights
lsarpc::LsarEnumerateAccountsWithUserRight
lsarpc::LsarEnumeratePrivileges
lsarpc::LsarEnumeratePrivilegesAccount
lsarpc::LsarEnumerateTrustedDomainsEx
lsarpc::LsarGetSystemAccessAccount
lsarpc::LsarGetUserName
lsarpc::LsarLookupNames
lsarpc::LsarLookupNames2
lsarpc::LsarLookupNames3
lsarpc::LsarLookupNames4
lsarpc::LsarLookupPrivilegeDisplayName
lsarpc::LsarLookupPrivilegeName
lsarpc::LsarLookupPrivilegeValue
lsarpc::LsarLookupSids
lsarpc::LsarLookupSids2
lsarpc::LsarLookupSids3
lsarpc::LsarQueryDomainInformationPolicy
lsarpc::LsarQueryInfoTrustedDomain
lsarpc::LsarQueryInformationPolicy
lsarpc::LsarQueryInformationPolicy2
lsarpc::LsarQueryTrustedDomainInfo
lsarpc::LsarQueryTrustedDomainInfoByName
samr::SamrLookupNamesInDomain
samr::SamrLookupIdsInDomain
samr::SamrLookupDomainInSamServer
samr::SamrGetGroupsForUser
samr::SamrGetAliasMembership
samr::SamrGetMembersInAlias
samr::SamrGetMembersInGroup
samr::SamrGetUserDomainPasswordInformation
samr::SamrEnumerateAliasesInDomain
samr::SamrEnumerateUsersInDomain
samr::SamrEnumerateGroupsInDomain
samr::SamrEnumerateDomainsInSamServer
samr::SamrQueryInformationAlias
samr::SamrQueryInformationDomain
samr::SamrQueryInformationDomain2
samr::SamrQueryInformationGroup
samr::SamrQueryInformationUser
samr::SamrQueryInformationUser2
samr::SamrQueryDisplayInformation
samr::SamrQueryDisplayInformation2
samr::SamrQueryDisplayInformation3
srvsvc::NetrConnectionEnum
srvsvc::NetrFileEnum
srvsvc::NetrRemoteTOD
srvsvc::NetrServerAliasEnum
srvsvc::NetrServerGetInfo
srvsvc::NetrServerTransportEnum
srvsvc::NetrSessionEnum
srvsvc::NetrShareEnum
srvsvc::NetrShareGetInfo
wkssvc::NetrWkstaGetInfo
wkssvc::NetrWkstaTransportEnum
wkssvc::NetrWkstaUserEnum
In addition to the analytics described above, BZAR uses simple indicators within SMB and DCE-RPC traffic to detect ATT&CK-like activity, although with a lesser degree of confidence than detection via the SumStats analytics. The BZAR indicators are grouped into six (6) categories, as described below.
Raise a Bro/Zeek Notice event if a single instance of an SMB Lateral Movement indicator (e.g., SMB File Write to a Windows Admin File Share: ADMIN$ or C$ only) is observed, which indicates ATT&CK-like activity.
- T1021.002 Remote Services: SMB/Windows Admin Shares (file shares only, not named pipes)
- T1570 Lateral Tool Transfer
smb1_write_andx_response::c$smb_state$path
containsADMIN$
orC$
smb2_write_request::c$smb_state$path**
containsADMIN$
orC$
NOTE: Preference would be to detect smb2_write_response event (instead of smb2_write_request), because it would confirm the file was actually written to the remote destination. Unfortunately, Bro/Zeek does not have an event for that SMB message-type yet.
Launch the Bro/Zeek File Extraction Framework to save a copy of the file associated with ATT&CK-like Lateral Movement onto a remote system. Raise a Bro Notice event for the Lateral Movement Extracted File.
- T1021.002 Remote Services: SMB/Windows Admin Shares (file shares only, not named pipes)
- T1570 Lateral Tool Transfer
smb1_write_andx_response::c$smb_state$path
containsADMIN$
orC$
smb2_write_request::c$smb_state$path**
containsADMIN$
orC$
NOTE: Preference would be to detect smb2_write_response event (instead of smb2_write_request), because it would confirm the file was actually written to the remote destination. Unfortunately, Bro/Zeek does not have an event for that SMB message-type yet.
Raise a Bro/Zeek Notice event if a single instance of any of the following Windows DCE-RPC functions (endpoint::operation) is observed, which indicates ATT&CK-like Credential Access techniques on the remote system.
dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation
contains any of the following:drsuapi::DRSReplicaSync
drsuapi::DRSGetNCChanges
Raise a Bro/Zeek Notice event if a single instance of any of the following
Windows DCE-RPC functions (endpoint::operation) is observed, which
indicates ATT&CK-like Defense Evasion techniques on the remote system.
dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation
contains any of the following:eventlog::ElfrClearELFW
eventlog::ElfrClearELFA
IEventService::EvtRpcClearLog
Raise a Bro/Zeek Notice event if a single instance of any of the following Windows DCE-RPC functions (endpoint::operation) is observed, which indicates ATT&CK-like Execution techniques on the remote system.
- T1569.002 System Services: Service Execution
- T1047 Windows Management Instrumentation
- T1053.002 Scheduled Task/Job: At (Windows)
- T1053.005 Scheduled Task/Job: Scheduled Task
dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation
contains any of the following:svcctl::CreateServiceW
svcctl::CreateServiceA
svcctl::StartServiceW
svcctl::StartServiceA
IWbemServices::ExecMethod
IWbemServices::ExecMethodAsync
atsvc::JobAdd
ITaskSchedulerService::SchRpcRegisterTask
ITaskSchedulerService::SchRpcRun
ITaskSchedulerService::SchRpcEnableTask
Raise a Bro/Zeek Notice event if a single instance of any of the following Windows DCE-RPC functions (endpoint::operation) is observed, which indicates ATT&CK-like Persistence techniques on the remote system.
- T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL
- T1547.010 Boot or Logon Autostart Execution: Port Monitors
dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation
contains any of the following:ISecLogon::SeclCreateProcessWithLogonW
ISecLogon::SeclCreateProcessWithLogonExW
IRemoteWinspool::RpcAsyncAddMonitor
IRemoteWinspool::RpcAsyncAddPrintProcessor
spoolss::RpcAddMonitor
# a.k.a. winspool | spoolssspoolss::RpcAddPrintProcessor
# a.k.a. winspool | spoolss
Raise a Bro/Zeek Notice event if a single instance of any of the following
Windows DCE-RPC functions (endpoint::operation) is observed, which
indicates ATT&CK-like Impact techniques on the remote system.
dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation
contains any of the following:InitShutdown::BaseInitiateShutdown
InitShutdown::BaseInitiateShutdownEx
WindowsShutdown::WsdrInitiateShutdown
winreg::BaseInitiateSystemShutdown
winreg::BaseInitiateSystemShutdownEx
winstation_rpc::RpcWinStationShutdownSystem
samr::SamrShutdownSamServer
# MSDN says not used on the wire
The BZAR project adds 144 more Microsoft DCE-RPC Interface UUIDs (a.k.a. "endpoints") to the Bro/Zeek DCE_RPC::uuid_endpoint_map.
The BZAR project also adds 1,145 Microsoft DCE-RPC Interface Methods (a.k.a. "operations") to the Bro/Zeek DCE_RPC::operations.
See the Bro/Zeek script 'bzar_dce-rpc_consts' for more information.
Most of the DCE-RPC endpoints and operations defined in 'bzar_dce-rpc_consts' were merged into Zeek's main product line, version 3.2.0-dev.565 | 2020-05-26 21:55:54 +0000. Ref: https://github.com/zeek/zeek/blob/master/scripts/base/protocols/dce-rpc/consts.zeek#L92
- Microsoft Developer Network (MSDN) Library. MSDN Library > Open Specifications > Protocols > Windows Protocols > Technical Documents. https://msdn.microsoft.com/en-us/library/jj712081.aspx
- Marchand, "Windows Network Services Internals". 2006. http://index-of.es/Windows/win_net_srv.pdf
Contributions are welcome. This code is licensed under the same terms as the CAR repository. See the LICENSE file and the Developer Certificate of Origin certification in the CONTRIBUTING file in the root of the repository.
The information in this README file is current, as of 10/09/2020.
Copyright 2018 The MITRE Corporation. All Rights Reserved.
Approved for public release. Distribution unlimited. Case number 18-2489.