Hi Team -
As part of our work on the Customer Fulfillment Technology Security team at Amazon.com, we've developed a set of protocol parsers for industrial control systems devices that we use in our production Zeek deployment. At this stage we're approved to release several of them as open source and would like to understand both whether the Zeek team would be interested in taking these as contributions to upstream and, if you are, how best to coordinate the process of merging the contributions in. The five plugins we're approved to share now are:
* BACnet
* Ethernet/IP & Common Industrial Protocol (one plugin)
* Profinet
* S7comm
* MS-TDS Tabular Data Stream Protocol (not strictly ICS but used by some SCADA historians)
If the team is interested in this upstream we can submit as pull requests on GitHub, for example as one pull request per plugin, or via another workflow. If they're not a fit for upstream we can pursue an independent release. I'm really excited to make this available to the community either way! The two main authors, my colleague Tri and myself, will be at ZeekWeek here in Seattle next month to discuss these and a few others we have coming down the pipe.
Let us know what works,
Blake Johnson
Security Engineer
Control Systems Security
Amazon.com
Hi Gabriele,
Last year I did a deep-dive into the Zeek DCE-RPC protocol analyzer. I found the same unused binpac file endpoint-atsvc.pac, and I had similar thoughts about developing analyzers for specific RPC data stubs. Unfortunately, so many RPC data stubs are encrypted by default now. Also, I realized I was able to make useful decisions from just knowing the RPC interface and method and then mapping that function to a threat model. Please see the GitHub repository at the URL below. Also, I am giving a talk on it at ZeekWeek next month.
https://github.com/mitre-attack/bzar
Thanks,
Mark
From: zeek-dev-bounces(a)zeek.org <zeek-dev-bounces(a)zeek.org> On Behalf Of Gabriele Pippi
Sent: Thursday, September 19, 2019 12:10 PM
To: zeek-dev(a)zeek.org
Subject: [EXT] [Zeek-Dev] Zeek DCE-RPC Analyzer Update
Zeek-Dev Group,
Hi, I'm Gabriele from the purple team of Certego. We are trying to rely on Zeek to increase the detection of our platform in the moving-through-the-internal-network scenario (credential access, discovery and especially lateral movement ATT&CK Matrix phases).
In the case of DCE-RPC, for the moment we are correlating the information generated by the bro_dce_rpc parser with data coming from endpoint agents.
In order to reduce the number of false positives and to gather more detailed information for a possible analysis, we thought it would be really interesting "to get extensive parsing in place for DCE-RPC messages by parsing the IDL files [...]" or to implement a "byte string containing the stub data itself" in case it is not encrypted. In our case we would like to give priority to all those operations that allow an attacker to directly carry out an entire attack or a code execution, restricting the scope to those with stub data in cleartext (for example in the case of DCE-RPC over SMB named_pipe or in the case of DCOM, at least for the operations observed until now). I found the following BINPAC file, zeek/src/analyzer/protocol/dce-rpc/endpoint-atsvc.pac, and I ended up at this discussion: https://bro-dev.bro-ids.narkive.com/jq0Ofe6L/bro-dce-rpc-analyzer-questions
Have there been any updates regarding this topic? Do you have any advice on how to proceed?
Once we have assessed the feasibility, we could be willing to contribute to achieve this goal. In this work we would also like to insert a series of endpoints and operations that currently are not mapped by Zeek; among those observed, for example, there are several in DCOM. Once the tests are completed, if you are interested, we could also provide you with an exhaustive list or integrate it directly with a possible merge.
At the moment we do not know of the existence of technologies that allow alerting on some types of Windows APIs; we therefore believe that being able to do it at the network level through DCE-RPC is an important added value to Zeek.
Thanks,
Gabriele.
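The approach Mark describes above, deciding on interface and operation alone without looking at the (often encrypted) stub data, can be illustrated outside Zeek by post-processing dce_rpc.log. The script below is an added example written for this thread; it is not code from Zeek or from the BZAR repository. It assumes Zeek's default TSV log layout for dce_rpc.log (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, rtt, named_pipe, endpoint, operation), and the log lines, host addresses and the small endpoint/operation-to-technique table are constructed for illustration; a real deployment would extend the table from its own threat model.

```python
"""Added example: tag Zeek dce_rpc.log records by (endpoint, operation) pair.

Illustrative code for this thread, not part of Zeek or BZAR. It needs no
stub-data parsing: the interface name and operation that Zeek already logs
are enough to attach a threat-model label to each record.
"""
from collections import defaultdict

# Constructed sample in Zeek's default TSV log format (not a real capture).
SAMPLE_DCE_RPC_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tdce_rpc\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt"
    "\tnamed_pipe\tendpoint\toperation\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tinterval"
    "\tstring\tstring\tstring\n"
    "1568916600.000000\tCabc1\t10.0.0.5\t49200\t10.0.0.20\t445\t0.001"
    "\t\\\\pipe\\\\atsvc\tatsvc\tJobAdd\n"
    "1568916601.000000\tCabc2\t10.0.0.5\t49201\t10.0.0.20\t445\t0.002"
    "\t\\\\pipe\\\\svcctl\tsvcctl\tCreateServiceW\n"
    "1568916602.000000\tCabc3\t10.0.0.5\t49202\t10.0.0.20\t445\t0.001"
    "\t\\\\pipe\\\\srvsvc\tsrvsvc\tNetrShareEnum\n"
    "1568916603.000000\tCabc4\t10.0.0.5\t49203\t10.0.0.20\t135\t0.001"
    "\t-\tepmapper\tept_map\n"
)

# Constructed threat model: (endpoint, operation) -> (label, ATT&CK id, phase).
# Only a handful of well-known pairs are listed; extend from your own model.
RPC_THREAT_MODEL = {
    ("atsvc", "JobAdd"): ("remote scheduled task creation", "T1053.002", "execution"),
    ("svcctl", "CreateServiceW"): ("remote service creation", "T1569.002", "execution"),
    ("svcctl", "CreateServiceA"): ("remote service creation", "T1569.002", "execution"),
    ("svcctl", "StartServiceW"): ("remote service start", "T1569.002", "execution"),
    ("srvsvc", "NetrShareEnum"): ("network share enumeration", "T1135", "discovery"),
}


def classify(endpoint, operation):
    """Return (label, technique, phase) for a modelled pair, else None."""
    return RPC_THREAT_MODEL.get((endpoint, operation))


def parse_zeek_tsv(text):
    """Yield one dict per record from Zeek's default TSV log format."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # #separator, #types and other header lines are skipped
        if fields is None:
            raise ValueError("record appears before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch in line: {line!r}")
        yield dict(zip(fields, values))


def scan_log(text):
    """Return the records whose (endpoint, operation) pair is in the model."""
    findings = []
    for rec in parse_zeek_tsv(text):
        hit = classify(rec["endpoint"], rec["operation"])
        if hit is None:
            continue
        label, technique, phase = hit
        findings.append({
            "ts": rec["ts"], "uid": rec["uid"],
            "orig_h": rec["id.orig_h"], "resp_h": rec["id.resp_h"],
            "endpoint": rec["endpoint"], "operation": rec["operation"],
            "label": label, "technique": technique, "phase": phase,
        })
    return findings


def summarize_by_pair(findings):
    """Group findings per (source, destination) host pair. A source that both
    enumerates and then triggers execution on the same host is the pattern
    worth escalating rather than any single call."""
    summary = defaultdict(lambda: {"count": 0, "phases": set(), "techniques": set()})
    for f in findings:
        entry = summary[(f["orig_h"], f["resp_h"])]
        entry["count"] += 1
        entry["phases"].add(f["phase"])
        entry["techniques"].add(f["technique"])
    return dict(summary)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_DCE_RPC_LOG)
    for f in hits:
        print(f"{f['ts']} {f['orig_h']} -> {f['resp_h']} "
              f"{f['endpoint']}::{f['operation']} [{f['technique']}] {f['label']}")
    for pair, s in summarize_by_pair(hits).items():
        print(pair, s["count"], sorted(s["phases"]), sorted(s["techniques"]))
```

Run it against a real dce_rpc.log by passing the file contents to scan_log; the epmapper record in the sample is deliberately left unmodelled to show that only pairs present in the table produce findings, which keeps the false-positive rate under the analyst's control.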