The BZAR project uses the Bro/Zeek Network Security Monitor to detect ATT&CK-based adversarial activity.

MITRE ATT&CK is a publicly-available, curated knowledge base for cyber adversary behavior, reflecting the various phases of the adversary lifecycle and the platforms they are known to target. The ATT&CK model includes behaviors of numerous threats groups.

BZAR is a set of Bro/Zeek scripts utilizing the SMB and DCE-RPC protocol analyzers and the File Extraction Framework to detect ATT&CK-like activity, raise notices, and write to the Notice Log.

BZAR is a component of the Cyber Analytics Repository. It was originally located within that library, but due to requirements for Zeek packages it was moved to its own repository. It's still managed as a component of CAR.

BZAR must be tuned for your specific operational envrionment. For example, some of the ATT&CK-like activity that BZAR detects may be authorized and legitimate activity in your environment. Therefore, these detections would produce lots of unnecessary entries in the Notice Log. This can be tuned by the use of BZAR whitelists and by toggling on/off detection and/or reporting. See the CHANGES document for more information.

The BZAR analytics use the Bro/Zeek Summary Statistics (SumStats) Framework to combine two or more simple indicators in SMB and DCE-RPC traffic to detect ATT&CK-like activity with a greater degree of confidence. Three (3) BZAR analytics are described below.

Use SumStats to raise a Bro/Zeek Notice event if an SMB Lateral Movement indicator (e.g., SMB File Write to a Windows Admin File Share: ADMIN$ or C$ only) is observed together with a DCE-RPC Execution indicator against the same (targeted) host, within a specified period of time.

• T1021.002 Remote Services: SMB/Windows Admin Shares (file shares only, not named pipes), and
• T1570 Lateral Tool Transfer, and
• One of the following:
  • T1569.002 System Services: Service Execution
  • T1047 Windows Management Instrumentation
  • T1053.002 Scheduled Task/Job: At (Windows)
  • T1053.005 Scheduled Task/Job: Scheduled Task

• smb1_write_andx_response::c$smb_state$path contains ADMIN$ or C$
• smb2_write_request::c$smb_state$path** contains ADMIN$ or C$
• dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation contains any of the following:
  • svcctl::CreateServiceW
  • svcctl::CreateServiceA
  • svcctl::StartServiceW
  • svcctl::StartServiceA
  • IWbemServices::ExecMethod
  • IWbemServices::ExecMethodAsync
  • atsvc::JobAdd
  • ITaskSchedulerService::SchRpcRegisterTask
  • ITaskSchedulerService::SchRpcRun
  • ITaskSchedulerService::SchRpcEnableTask

NOTE: Preference would be to detect smb2_write_response event (instead of smb2_write_request), because it would confirm the file was actually written to the remote destination. Unfortunately, Bro/Zeek does not have an event for that SMB message-type yet.

Use SumStats to raise a Bro/Zeek Notice event if multiple SMB Lateral Movement indicators (e.g., multiple attempts to connect to a Windows Admin File Share: ADMIN$ or C$ only) are observed originating from the same host, regardless of write-attempts and regardless of whether or not any connection is successful --just connection attempts-- within a specified period of time.

• T1021.002 Remote Services: SMB/Windows Admin Shares (file shares only, not named pipes)

• smb1_tree_connect_andx_request::c$smb_state$path contains ADMIN$ or C$
• smb2_tree_connect_request::c$smb_state$path contains ADMIN$ or C$

Use SumStats to raise a Bro/Zeek Notice event if multiple instances of DCE-RPC Discovery indicators are observed originating from the same host, within a specified period of time.

• T1016 System Network Configuration Discovery
• T1018 Remote System Discovery
• T1033 System Owner/User Discovery
• T1069 Permission Groups Discovery
• T1082 System Information Discovery
• T1083 File & Directory Discovery
• T1087 Account Discovery
• T1124 System Time Discovery
• T1135 Network Share Discovery

• dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation contains any of the following:
  • lsarpc::LsarEnumerateAccounts
  • lsarpc::LsarEnumerateAccountRights
  • lsarpc::LsarEnumerateAccountsWithUserRight
  • lsarpc::LsarEnumeratePrivileges
  • lsarpc::LsarEnumeratePrivilegesAccount
  • lsarpc::LsarEnumerateTrustedDomainsEx
  • lsarpc::LsarGetSystemAccessAccount
  • lsarpc::LsarGetUserName
  • lsarpc::LsarLookupNames
  • lsarpc::LsarLookupNames2
  • lsarpc::LsarLookupNames3
  • lsarpc::LsarLookupNames4
  • lsarpc::LsarLookupPrivilegeDisplayName
  • lsarpc::LsarLookupPrivilegeName
  • lsarpc::LsarLookupPrivilegeValue
  • lsarpc::LsarLookupSids
  • lsarpc::LsarLookupSids2
  • lsarpc::LsarLookupSids3
  • lsarpc::LsarQueryDomainInformationPolicy
  • lsarpc::LsarQueryInfoTrustedDomain
  • lsarpc::LsarQueryInformationPolicy
  • lsarpc::LsarQueryInformationPolicy2
  • lsarpc::LsarQueryTrustedDomainInfo
  • lsarpc::LsarQueryTrustedDomainInfoByName
  • samr::SamrLookupNamesInDomain
  • samr::SamrLookupIdsInDomain
  • samr::SamrLookupDomainInSamServer
  • samr::SamrGetGroupsForUser
  • samr::SamrGetAliasMembership
  • samr::SamrGetMembersInAlias
  • samr::SamrGetMembersInGroup
  • samr::SamrGetUserDomainPasswordInformation
  • samr::SamrEnumerateAliasesInDomain
  • samr::SamrEnumerateUsersInDomain
  • samr::SamrEnumerateGroupsInDomain
  • samr::SamrEnumerateDomainsInSamServer
  • samr::SamrQueryInformationAlias
  • samr::SamrQueryInformationDomain
  • samr::SamrQueryInformationDomain2
  • samr::SamrQueryInformationGroup
  • samr::SamrQueryInformationUser
  • samr::SamrQueryInformationUser2
  • samr::SamrQueryDisplayInformation
  • samr::SamrQueryDisplayInformation2
  • samr::SamrQueryDisplayInformation3
  • srvsvc::NetrConnectionEnum
  • srvsvc::NetrFileEnum
  • srvsvc::NetrRemoteTOD
  • srvsvc::NetrServerAliasEnum
  • srvsvc::NetrServerGetInfo
  • srvsvc::NetrServerTransportEnum
  • srvsvc::NetrSessionEnum
  • srvsvc::NetrShareEnum
  • srvsvc::NetrShareGetInfo
  • wkssvc::NetrWkstaGetInfo
  • wkssvc::NetrWkstaTransportEnum
  • wkssvc::NetrWkstaUserEnum

In addition to the analytics described above, BZAR uses simple indicators within SMB and DCE-RPC traffic to detect ATT&CK-like activity, although with a lesser degree of confidence than detection via the SumStats analytics. The BZAR indicators are grouped into six (6) categories, as described below.

Raise a Bro/Zeek Notice event if a single instance of an SMB Lateral Movement indicator (e.g., SMB File Write to a Windows Admin File Share: ADMIN$ or C$ only) is observed, which indicates ATT&CK-like activity.

• T1021.002 Remote Services: SMB/Windows Admin Shares (file shares only, not named pipes)
• T1570 Lateral Tool Transfer

• smb1_write_andx_response::c$smb_state$path contains ADMIN$ or C$
• smb2_write_request::c$smb_state$path** contains ADMIN$ or C$

NOTE: Preference would be to detect smb2_write_response event (instead of smb2_write_request), because it would confirm the file was actually written to the remote destination. Unfortunately, Bro/Zeek does not have an event for that SMB message-type yet.

Launch the Bro/Zeek File Extraction Framework to save a copy of the file associated with ATT&CK-like Lateral Movement onto a remote system. Raise a Bro Notice event for the Lateral Movement Extracted File.

• T1021.002 Remote Services: SMB/Windows Admin Shares (file shares only, not named pipes)
• T1570 Lateral Tool Transfer

• smb1_write_andx_response::c$smb_state$path contains ADMIN$ or C$
• smb2_write_request::c$smb_state$path** contains ADMIN$ or C$

NOTE: Preference would be to detect smb2_write_response event (instead of smb2_write_request), because it would confirm the file was actually written to the remote destination. Unfortunately, Bro/Zeek does not have an event for that SMB message-type yet.

Raise a Bro/Zeek Notice event if a single instance of any of the following Windows DCE-RPC functions (endpoint::operation) is observed, which indicates ATT&CK-like Credential Access techniques on the remote system.

• T1003.006 OS Credential Dumping: DCSync

• dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation contains any of the following:
  • drsuapi::DRSReplicaSync
  • drsuapi::DRSGetNCChanges

Raise a Bro/Zeek Notice event if a single instance of any of the following
Windows DCE-RPC functions (endpoint::operation) is observed, which indicates ATT&CK-like Defense Evasion techniques on the remote system.

• T1070.001 Indicator Removal on Host: Clear Windows Event Logs

• dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation contains any of the following:
  • eventlog::ElfrClearELFW
  • eventlog::ElfrClearELFA
  • IEventService::EvtRpcClearLog

Raise a Bro/Zeek Notice event if a single instance of any of the following Windows DCE-RPC functions (endpoint::operation) is observed, which indicates ATT&CK-like Execution techniques on the remote system.

• T1569.002 System Services: Service Execution
• T1047 Windows Management Instrumentation
• T1053.002 Scheduled Task/Job: At (Windows)
• T1053.005 Scheduled Task/Job: Scheduled Task

• dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation contains any of the following:
  • svcctl::CreateServiceW
  • svcctl::CreateServiceA
  • svcctl::StartServiceW
  • svcctl::StartServiceA
  • IWbemServices::ExecMethod
  • IWbemServices::ExecMethodAsync
  • atsvc::JobAdd
  • ITaskSchedulerService::SchRpcRegisterTask
  • ITaskSchedulerService::SchRpcRun
  • ITaskSchedulerService::SchRpcEnableTask

Raise a Bro/Zeek Notice event if a single instance of any of the following Windows DCE-RPC functions (endpoint::operation) is observed, which indicates ATT&CK-like Persistence techniques on the remote system.

• T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL
• T1547.010 Boot or Logon Autostart Execution: Port Monitors

• dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation contains any of the following:
  • ISecLogon::SeclCreateProcessWithLogonW
  • ISecLogon::SeclCreateProcessWithLogonExW
  • IRemoteWinspool::RpcAsyncAddMonitor
  • IRemoteWinspool::RpcAsyncAddPrintProcessor
  • spoolss::RpcAddMonitor # a.k.a. winspool | spoolss
  • spoolss::RpcAddPrintProcessor # a.k.a. winspool | spoolss

Raise a Bro/Zeek Notice event if a single instance of any of the following
Windows DCE-RPC functions (endpoint::operation) is observed, which indicates ATT&CK-like Impact techniques on the remote system.

• T1529 System Shutdown/Reboot

• dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation contains any of the following:
  • InitShutdown::BaseInitiateShutdown
  • InitShutdown::BaseInitiateShutdownEx
  • WindowsShutdown::WsdrInitiateShutdown
  • winreg::BaseInitiateSystemShutdown
  • winreg::BaseInitiateSystemShutdownEx
  • winstation_rpc::RpcWinStationShutdownSystem
  • samr::SamrShutdownSamServer # MSDN says not used on the wire

The BZAR project adds 144 more Microsoft DCE-RPC Interface UUIDs (a.k.a. "endpoints") to the Bro/Zeek DCE_RPC::uuid_endpoint_map.

The BZAR project also adds 1,145 Microsoft DCE-RPC Interface Methods (a.k.a. "operations") to the Bro/Zeek DCE_RPC::operations.

See the Bro/Zeek script 'bzar_dce-rpc_consts' for more information.

Most of the DCE-RPC endpoints and operations defined in 'bzar_dce-rpc_consts' were merged into Zeek's main product line, version 3.2.0-dev.565 | 2020-05-26 21:55:54 +0000. Ref: https://github.com/zeek/zeek/blob/master/scripts/base/protocols/dce-rpc/consts.zeek#L92

1. Microsoft Developer Network (MSDN) Library. MSDN Library > Open Specifications > Protocols > Windows Protocols > Technical Documents. https://msdn.microsoft.com/en-us/library/jj712081.aspx
2. Marchand, "Windows Network Services Internals". 2006. http://index-of.es/Windows/win_net_srv.pdf

Contributions are welcome. This code is licensed under the same terms as the CAR repository. See the LICENSE file and the Developer Certificate of Origin certification in the CONTRIBUTING file in the root of the repository.

The information in this README file is current, as of 10/09/2020.

Copyright 2018 The MITRE Corporation. All Rights Reserved.
Approved for public release. Distribution unlimited. Case number 18-2489.