#
# File: bzar_dce-rpc_report.zeek
# Created: 20180701
# Updated: 20201009
#
# Copyright 2018 The MITRE Corporation. All Rights Reserved.
# Approved for public release. Distribution unlimited. Case number 18-3868.
#
module BZAR;
#
# Helper Functions
#
function rpc_t1003_006_log ( c : connection, rpc : string ) : bool
{
	# T1003.006 OS Credential Dumping: DCSync
	#
	# Raise ATTACK::Credential_Access for the DCE-RPC operation named by
	# `rpc` on connection `c`, unless T1003.006 reporting is switched off
	# or either endpoint of `c` matches the T1003.006 whitelist.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; it is
	#       written verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	# Reporting disabled: nothing to do.
	if ( ! t1003_006_report_option )
		return T;

	# Per-technique endpoint whitelist, assembled from the config options.
	local wl = BZAR::EndpointWhitelist(
		$orig_addrs   = t1003_006_whitelist_orig_addrs,
		$resp_addrs   = t1003_006_whitelist_resp_addrs,
		$orig_subnets = t1003_006_whitelist_orig_subnets,
		$resp_subnets = t1003_006_whitelist_resp_subnets,
		$orig_names   = t1003_006_whitelist_orig_names,
		$resp_names   = t1003_006_whitelist_resp_names);

	# A whitelist hit suppresses the notice entirely, so a compromised
	# whitelisted host (e.g. an admin jump box) can replicate directory
	# secrets unreported. Keep this list tight. The exact matching rules
	# (address / subnet / name) are implemented by whitelist_test elsewhere.
	if ( BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, wl) )
		return T;

	NOTICE([$note = ATTACK::Credential_Access,
	        $msg  = rpc,
	        $sub  = BZAR::attack_info["t1003.006"],
	        $conn = c]);

	return T;
}
function rpc_t1070_001_log ( c : connection, rpc : string ) : bool
{
	# T1070.001 Indicator Removal on Host: Clear Windows Event Logs
	#
	# Raise ATTACK::Defense_Evasion for the DCE-RPC operation named by
	# `rpc` on connection `c`, unless T1070.001 reporting is switched off
	# or either endpoint of `c` matches the T1070.001 whitelist.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; it is
	#       written verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	# Reporting disabled: nothing to do.
	if ( ! t1070_001_report_option )
		return T;

	# Per-technique endpoint whitelist, assembled from the config options.
	local wl = BZAR::EndpointWhitelist(
		$orig_addrs   = t1070_001_whitelist_orig_addrs,
		$resp_addrs   = t1070_001_whitelist_resp_addrs,
		$orig_subnets = t1070_001_whitelist_orig_subnets,
		$resp_subnets = t1070_001_whitelist_resp_subnets,
		$orig_names   = t1070_001_whitelist_orig_names,
		$resp_names   = t1070_001_whitelist_resp_names);

	# Remote log clearing is anti-forensics; this notice is the only
	# output for it (it feeds no aggregate), so a whitelist hit means the
	# event is dropped completely. The matching rules live in
	# whitelist_test, outside this file.
	if ( BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, wl) )
		return T;

	NOTICE([$note = ATTACK::Defense_Evasion,
	        $msg  = rpc,
	        $sub  = BZAR::attack_info["t1070.001"],
	        $conn = c]);

	return T;
}
function rpc_t1569_002_log ( c : connection, rpc : string ) : bool
{
	# T1569.002 System Services: Service Execution
	#
	# Two independent outputs for the RPC operation named by `rpc` on `c`:
	#   1. an ATTACK::Execution notice, gated by t1569_002_report_option
	#      and the T1569.002 endpoint whitelist; and
	#   2. a SumStats observation for the "attack_lm_ex" aggregate, gated
	#      by attack_lm_ex_report_option and the separate lateral-movement /
	#      execution whitelist.
	# The two whitelists are evaluated independently: an endpoint excluded
	# from the notice still feeds the aggregate unless it is also on the
	# attack_lm_ex whitelist, and vice versa.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; written
	#       verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	#
	# Notice
	#
	if ( t1569_002_report_option )
	{
		local tech_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = t1569_002_whitelist_orig_addrs,
			$resp_addrs   = t1569_002_whitelist_resp_addrs,
			$orig_subnets = t1569_002_whitelist_orig_subnets,
			$resp_subnets = t1569_002_whitelist_resp_subnets,
			$orig_names   = t1569_002_whitelist_orig_names,
			$resp_names   = t1569_002_whitelist_resp_names);

		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, tech_wl) )
			NOTICE([$note = ATTACK::Execution,
			        $msg  = rpc,
			        $sub  = BZAR::attack_info["t1569.002"],
			        $conn = c]);
	}

	#
	# Aggregate observation
	#
	if ( attack_lm_ex_report_option )
	{
		local agg_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = attack_lm_ex_whitelist_orig_addrs,
			$resp_addrs   = attack_lm_ex_whitelist_resp_addrs,
			$orig_subnets = attack_lm_ex_whitelist_orig_subnets,
			$resp_subnets = attack_lm_ex_whitelist_resp_subnets,
			$orig_names   = attack_lm_ex_whitelist_orig_names,
			$resp_names   = attack_lm_ex_whitelist_resp_names);

		# Keyed on the responder (the RPC server side of `c`) and weighted
		# 1000 because this is a remote-execution primitive (RPC_EXEC). The
		# reducer and threshold that consume the score are defined outside
		# this file.
		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, agg_wl) )
			SumStats::observe("attack_lm_ex",
			                  SumStats::Key($host = c$id$resp_h),
			                  SumStats::Observation($num = 1000));
	}

	return T;
}
function rpc_t1047_log ( c : connection, rpc : string ) : bool
{
	# T1047 Windows Management Instrumentation (WMI)
	#
	# Two independent outputs for the RPC operation named by `rpc` on `c`:
	#   1. an ATTACK::Execution notice, gated by t1047_report_option and
	#      the T1047 endpoint whitelist; and
	#   2. a SumStats observation for the "attack_lm_ex" aggregate, gated
	#      by attack_lm_ex_report_option and the separate lateral-movement /
	#      execution whitelist.
	# The two whitelists are evaluated independently: suppressing the
	# notice for an endpoint does not stop it feeding the aggregate, and
	# vice versa.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; written
	#       verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	#
	# Notice
	#
	if ( t1047_report_option )
	{
		local tech_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = t1047_whitelist_orig_addrs,
			$resp_addrs   = t1047_whitelist_resp_addrs,
			$orig_subnets = t1047_whitelist_orig_subnets,
			$resp_subnets = t1047_whitelist_resp_subnets,
			$orig_names   = t1047_whitelist_orig_names,
			$resp_names   = t1047_whitelist_resp_names);

		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, tech_wl) )
			NOTICE([$note = ATTACK::Execution,
			        $msg  = rpc,
			        $sub  = BZAR::attack_info["t1047"],
			        $conn = c]);
	}

	#
	# Aggregate observation
	#
	if ( attack_lm_ex_report_option )
	{
		local agg_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = attack_lm_ex_whitelist_orig_addrs,
			$resp_addrs   = attack_lm_ex_whitelist_resp_addrs,
			$orig_subnets = attack_lm_ex_whitelist_orig_subnets,
			$resp_subnets = attack_lm_ex_whitelist_resp_subnets,
			$orig_names   = attack_lm_ex_whitelist_orig_names,
			$resp_names   = attack_lm_ex_whitelist_resp_names);

		# Keyed on the responder (the RPC server side of `c`) and weighted
		# 1000 because WMI over RPC is a remote-execution primitive
		# (RPC_EXEC). The reducer and threshold that consume the score are
		# defined outside this file.
		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, agg_wl) )
			SumStats::observe("attack_lm_ex",
			                  SumStats::Key($host = c$id$resp_h),
			                  SumStats::Observation($num = 1000));
	}

	return T;
}
function rpc_t1053_002_log ( c : connection, rpc : string ) : bool
{
	# T1053.002 Scheduled Task/Job: At
	#
	# Two independent outputs for the RPC operation named by `rpc` on `c`:
	#   1. an ATTACK::Execution notice, gated by t1053_002_report_option
	#      and the T1053.002 endpoint whitelist; and
	#   2. a SumStats observation for the "attack_lm_ex" aggregate, gated
	#      by attack_lm_ex_report_option and the separate lateral-movement /
	#      execution whitelist.
	# The two whitelists are evaluated independently: suppressing the
	# notice for an endpoint does not stop it feeding the aggregate, and
	# vice versa.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; written
	#       verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	#
	# Notice
	#
	if ( t1053_002_report_option )
	{
		local tech_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = t1053_002_whitelist_orig_addrs,
			$resp_addrs   = t1053_002_whitelist_resp_addrs,
			$orig_subnets = t1053_002_whitelist_orig_subnets,
			$resp_subnets = t1053_002_whitelist_resp_subnets,
			$orig_names   = t1053_002_whitelist_orig_names,
			$resp_names   = t1053_002_whitelist_resp_names);

		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, tech_wl) )
			NOTICE([$note = ATTACK::Execution,
			        $msg  = rpc,
			        $sub  = BZAR::attack_info["t1053.002"],
			        $conn = c]);
	}

	#
	# Aggregate observation
	#
	if ( attack_lm_ex_report_option )
	{
		local agg_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = attack_lm_ex_whitelist_orig_addrs,
			$resp_addrs   = attack_lm_ex_whitelist_resp_addrs,
			$orig_subnets = attack_lm_ex_whitelist_orig_subnets,
			$resp_subnets = attack_lm_ex_whitelist_resp_subnets,
			$orig_names   = attack_lm_ex_whitelist_orig_names,
			$resp_names   = attack_lm_ex_whitelist_resp_names);

		# Keyed on the responder (the RPC server side of `c`) and weighted
		# 1000 because remote job scheduling is a remote-execution primitive
		# (RPC_EXEC). The reducer and threshold that consume the score are
		# defined outside this file.
		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, agg_wl) )
			SumStats::observe("attack_lm_ex",
			                  SumStats::Key($host = c$id$resp_h),
			                  SumStats::Observation($num = 1000));
	}

	return T;
}
function rpc_t1053_005_log ( c : connection, rpc : string ) : bool
{
	# T1053.005 Scheduled Task/Job: Scheduled Task
	#
	# Two independent outputs for the RPC operation named by `rpc` on `c`:
	#   1. an ATTACK::Execution notice, gated by t1053_005_report_option
	#      and the T1053.005 endpoint whitelist; and
	#   2. a SumStats observation for the "attack_lm_ex" aggregate, gated
	#      by attack_lm_ex_report_option and the separate lateral-movement /
	#      execution whitelist.
	# The two whitelists are evaluated independently: suppressing the
	# notice for an endpoint does not stop it feeding the aggregate, and
	# vice versa.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; written
	#       verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	#
	# Notice
	#
	if ( t1053_005_report_option )
	{
		local tech_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = t1053_005_whitelist_orig_addrs,
			$resp_addrs   = t1053_005_whitelist_resp_addrs,
			$orig_subnets = t1053_005_whitelist_orig_subnets,
			$resp_subnets = t1053_005_whitelist_resp_subnets,
			$orig_names   = t1053_005_whitelist_orig_names,
			$resp_names   = t1053_005_whitelist_resp_names);

		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, tech_wl) )
			NOTICE([$note = ATTACK::Execution,
			        $msg  = rpc,
			        $sub  = BZAR::attack_info["t1053.005"],
			        $conn = c]);
	}

	#
	# Aggregate observation
	#
	if ( attack_lm_ex_report_option )
	{
		local agg_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = attack_lm_ex_whitelist_orig_addrs,
			$resp_addrs   = attack_lm_ex_whitelist_resp_addrs,
			$orig_subnets = attack_lm_ex_whitelist_orig_subnets,
			$resp_subnets = attack_lm_ex_whitelist_resp_subnets,
			$orig_names   = attack_lm_ex_whitelist_orig_names,
			$resp_names   = attack_lm_ex_whitelist_resp_names);

		# Keyed on the responder (the RPC server side of `c`) and weighted
		# 1000 because remote task scheduling is a remote-execution
		# primitive (RPC_EXEC). The reducer and threshold that consume the
		# score are defined outside this file.
		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, agg_wl) )
			SumStats::observe("attack_lm_ex",
			                  SumStats::Key($host = c$id$resp_h),
			                  SumStats::Observation($num = 1000));
	}

	return T;
}
function rpc_t1529_log ( c : connection, rpc : string ) : bool
{
	# T1529 System Shutdown/Reboot
	#
	# Raise a notice for the DCE-RPC operation named by `rpc` on
	# connection `c`, unless T1529 reporting is switched off or either
	# endpoint of `c` matches the T1529 whitelist.
	#
	# NOTE(review): the notice is typed ATTACK::Defense_Evasion, while
	# current ATT&CK files T1529 under the Impact tactic. Left unchanged
	# here because the set of ATTACK::* Notice::Type values is declared
	# outside this file; confirm whether this typing is intentional.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; it is
	#       written verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	# Reporting disabled: nothing to do.
	if ( ! t1529_report_option )
		return T;

	# Per-technique endpoint whitelist, assembled from the config options.
	local wl = BZAR::EndpointWhitelist(
		$orig_addrs   = t1529_whitelist_orig_addrs,
		$resp_addrs   = t1529_whitelist_resp_addrs,
		$orig_subnets = t1529_whitelist_orig_subnets,
		$resp_subnets = t1529_whitelist_resp_subnets,
		$orig_names   = t1529_whitelist_orig_names,
		$resp_names   = t1529_whitelist_resp_names);

	# A whitelist hit drops the event entirely; the matching rules are
	# implemented by whitelist_test, outside this file.
	if ( BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, wl) )
		return T;

	NOTICE([$note = ATTACK::Defense_Evasion,
	        $msg  = rpc,
	        $sub  = BZAR::attack_info["t1529"],
	        $conn = c]);

	return T;
}
function rpc_t1547_004_log ( c : connection, rpc : string ) : bool
{
	# T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL
	#
	# Raise ATTACK::Persistence for the DCE-RPC operation named by `rpc`
	# on connection `c`, unless T1547.004 reporting is switched off or
	# either endpoint of `c` matches the T1547.004 whitelist.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; it is
	#       written verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	# Reporting disabled: nothing to do.
	if ( ! t1547_004_report_option )
		return T;

	# Per-technique endpoint whitelist, assembled from the config options.
	local wl = BZAR::EndpointWhitelist(
		$orig_addrs   = t1547_004_whitelist_orig_addrs,
		$resp_addrs   = t1547_004_whitelist_resp_addrs,
		$orig_subnets = t1547_004_whitelist_orig_subnets,
		$resp_subnets = t1547_004_whitelist_resp_subnets,
		$orig_names   = t1547_004_whitelist_orig_names,
		$resp_names   = t1547_004_whitelist_resp_names);

	# This notice is the only output for the technique (no aggregate), so a
	# whitelist hit drops the event entirely. Matching rules live in
	# whitelist_test, outside this file.
	if ( BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, wl) )
		return T;

	NOTICE([$note = ATTACK::Persistence,
	        $msg  = rpc,
	        $sub  = BZAR::attack_info["t1547.004"],
	        $conn = c]);

	return T;
}
function rpc_t1547_010_log ( c : connection, rpc : string ) : bool
{
	# T1547.010 Boot or Logon Autostart Execution: Port Monitors
	#
	# Raise ATTACK::Persistence for the DCE-RPC operation named by `rpc`
	# on connection `c`, unless T1547.010 reporting is switched off or
	# either endpoint of `c` matches the T1547.010 whitelist.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; it is
	#       written verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	# Reporting disabled: nothing to do.
	if ( ! t1547_010_report_option )
		return T;

	# Per-technique endpoint whitelist, assembled from the config options.
	local wl = BZAR::EndpointWhitelist(
		$orig_addrs   = t1547_010_whitelist_orig_addrs,
		$resp_addrs   = t1547_010_whitelist_resp_addrs,
		$orig_subnets = t1547_010_whitelist_orig_subnets,
		$resp_subnets = t1547_010_whitelist_resp_subnets,
		$orig_names   = t1547_010_whitelist_orig_names,
		$resp_names   = t1547_010_whitelist_resp_names);

	# This notice is the only output for the technique (no aggregate), so a
	# whitelist hit drops the event entirely. Matching rules live in
	# whitelist_test, outside this file.
	if ( BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, wl) )
		return T;

	NOTICE([$note = ATTACK::Persistence,
	        $msg  = rpc,
	        $sub  = BZAR::attack_info["t1547.010"],
	        $conn = c]);

	return T;
}
function rpc_t1016_log ( c : connection, rpc : string ) : bool
{
	# T1016 System Network Configuration Discovery
	#
	# Two independent outputs for the RPC operation named by `rpc` on `c`:
	#   1. an ATTACK::Discovery notice, gated by t1016_report_option and
	#      the T1016 endpoint whitelist; and
	#   2. a count of 1 for the "attack_discovery" aggregate, gated by
	#      attack_discovery_report_option and the separate discovery
	#      whitelist.
	# The two whitelists are evaluated independently: suppressing the
	# notice for an endpoint does not stop it feeding the aggregate, and
	# vice versa.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; written
	#       verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	#
	# Notice
	#
	if ( t1016_report_option )
	{
		local tech_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = t1016_whitelist_orig_addrs,
			$resp_addrs   = t1016_whitelist_resp_addrs,
			$orig_subnets = t1016_whitelist_orig_subnets,
			$resp_subnets = t1016_whitelist_resp_subnets,
			$orig_names   = t1016_whitelist_orig_names,
			$resp_names   = t1016_whitelist_resp_names);

		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, tech_wl) )
			NOTICE([$note = ATTACK::Discovery,
			        $msg  = rpc,
			        $sub  = BZAR::attack_info["t1016"],
			        $conn = c]);
	}

	#
	# Aggregate observation
	#
	if ( attack_discovery_report_option )
	{
		local agg_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = attack_discovery_whitelist_orig_addrs,
			$resp_addrs   = attack_discovery_whitelist_resp_addrs,
			$orig_subnets = attack_discovery_whitelist_orig_subnets,
			$resp_subnets = attack_discovery_whitelist_resp_subnets,
			$orig_names   = attack_discovery_whitelist_orig_names,
			$resp_names   = attack_discovery_whitelist_resp_names);

		# Keyed on the originator, so the count accumulates per querying
		# host rather than per target. The reducer and threshold that
		# consume the count are defined outside this file.
		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, agg_wl) )
			SumStats::observe("attack_discovery",
			                  SumStats::Key($host = c$id$orig_h),
			                  SumStats::Observation($num = 1));
	}

	return T;
}
function rpc_t1018_log ( c : connection, rpc : string ) : bool
{
	# T1018 Remote System Discovery
	#
	# Two independent outputs for the RPC operation named by `rpc` on `c`:
	#   1. an ATTACK::Discovery notice, gated by t1018_report_option and
	#      the T1018 endpoint whitelist; and
	#   2. a count of 1 for the "attack_discovery" aggregate, gated by
	#      attack_discovery_report_option and the separate discovery
	#      whitelist.
	# The two whitelists are evaluated independently: suppressing the
	# notice for an endpoint does not stop it feeding the aggregate, and
	# vice versa.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; written
	#       verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	#
	# Notice
	#
	if ( t1018_report_option )
	{
		local tech_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = t1018_whitelist_orig_addrs,
			$resp_addrs   = t1018_whitelist_resp_addrs,
			$orig_subnets = t1018_whitelist_orig_subnets,
			$resp_subnets = t1018_whitelist_resp_subnets,
			$orig_names   = t1018_whitelist_orig_names,
			$resp_names   = t1018_whitelist_resp_names);

		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, tech_wl) )
			NOTICE([$note = ATTACK::Discovery,
			        $msg  = rpc,
			        $sub  = BZAR::attack_info["t1018"],
			        $conn = c]);
	}

	#
	# Aggregate observation
	#
	if ( attack_discovery_report_option )
	{
		local agg_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = attack_discovery_whitelist_orig_addrs,
			$resp_addrs   = attack_discovery_whitelist_resp_addrs,
			$orig_subnets = attack_discovery_whitelist_orig_subnets,
			$resp_subnets = attack_discovery_whitelist_resp_subnets,
			$orig_names   = attack_discovery_whitelist_orig_names,
			$resp_names   = attack_discovery_whitelist_resp_names);

		# Keyed on the originator, so the count accumulates per querying
		# host rather than per target. The reducer and threshold that
		# consume the count are defined outside this file.
		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, agg_wl) )
			SumStats::observe("attack_discovery",
			                  SumStats::Key($host = c$id$orig_h),
			                  SumStats::Observation($num = 1));
	}

	return T;
}
function rpc_t1033_log ( c : connection, rpc : string ) : bool
{
	# T1033 System Owner/User Discovery
	#
	# Two independent outputs for the RPC operation named by `rpc` on `c`:
	#   1. an ATTACK::Discovery notice, gated by t1033_report_option and
	#      the T1033 endpoint whitelist; and
	#   2. a count of 1 for the "attack_discovery" aggregate, gated by
	#      attack_discovery_report_option and the separate discovery
	#      whitelist.
	# The two whitelists are evaluated independently: suppressing the
	# notice for an endpoint does not stop it feeding the aggregate, and
	# vice versa.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; written
	#       verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	#
	# Notice
	#
	if ( t1033_report_option )
	{
		local tech_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = t1033_whitelist_orig_addrs,
			$resp_addrs   = t1033_whitelist_resp_addrs,
			$orig_subnets = t1033_whitelist_orig_subnets,
			$resp_subnets = t1033_whitelist_resp_subnets,
			$orig_names   = t1033_whitelist_orig_names,
			$resp_names   = t1033_whitelist_resp_names);

		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, tech_wl) )
			NOTICE([$note = ATTACK::Discovery,
			        $msg  = rpc,
			        $sub  = BZAR::attack_info["t1033"],
			        $conn = c]);
	}

	#
	# Aggregate observation
	#
	if ( attack_discovery_report_option )
	{
		local agg_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = attack_discovery_whitelist_orig_addrs,
			$resp_addrs   = attack_discovery_whitelist_resp_addrs,
			$orig_subnets = attack_discovery_whitelist_orig_subnets,
			$resp_subnets = attack_discovery_whitelist_resp_subnets,
			$orig_names   = attack_discovery_whitelist_orig_names,
			$resp_names   = attack_discovery_whitelist_resp_names);

		# Keyed on the originator, so the count accumulates per querying
		# host rather than per target. The reducer and threshold that
		# consume the count are defined outside this file.
		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, agg_wl) )
			SumStats::observe("attack_discovery",
			                  SumStats::Key($host = c$id$orig_h),
			                  SumStats::Observation($num = 1));
	}

	return T;
}
function rpc_t1049_log ( c : connection, rpc : string ) : bool
{
	# T1049 System Network Connections Discovery
	#
	# Two independent outputs for the RPC operation named by `rpc` on `c`:
	#   1. an ATTACK::Discovery notice, gated by t1049_report_option and
	#      the T1049 endpoint whitelist; and
	#   2. a count of 1 for the "attack_discovery" aggregate, gated by
	#      attack_discovery_report_option and the separate discovery
	#      whitelist.
	# The two whitelists are evaluated independently: suppressing the
	# notice for an endpoint does not stop it feeding the aggregate, and
	# vice versa.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; written
	#       verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	#
	# Notice
	#
	if ( t1049_report_option )
	{
		local tech_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = t1049_whitelist_orig_addrs,
			$resp_addrs   = t1049_whitelist_resp_addrs,
			$orig_subnets = t1049_whitelist_orig_subnets,
			$resp_subnets = t1049_whitelist_resp_subnets,
			$orig_names   = t1049_whitelist_orig_names,
			$resp_names   = t1049_whitelist_resp_names);

		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, tech_wl) )
			NOTICE([$note = ATTACK::Discovery,
			        $msg  = rpc,
			        $sub  = BZAR::attack_info["t1049"],
			        $conn = c]);
	}

	#
	# Aggregate observation
	#
	if ( attack_discovery_report_option )
	{
		local agg_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = attack_discovery_whitelist_orig_addrs,
			$resp_addrs   = attack_discovery_whitelist_resp_addrs,
			$orig_subnets = attack_discovery_whitelist_orig_subnets,
			$resp_subnets = attack_discovery_whitelist_resp_subnets,
			$orig_names   = attack_discovery_whitelist_orig_names,
			$resp_names   = attack_discovery_whitelist_resp_names);

		# Keyed on the originator, so the count accumulates per querying
		# host rather than per target. The reducer and threshold that
		# consume the count are defined outside this file.
		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, agg_wl) )
			SumStats::observe("attack_discovery",
			                  SumStats::Key($host = c$id$orig_h),
			                  SumStats::Observation($num = 1));
	}

	return T;
}
function rpc_t1069_log ( c : connection, rpc : string ) : bool
{
	# T1069 Permission Groups Discovery
	#
	# Two independent outputs for the RPC operation named by `rpc` on `c`:
	#   1. an ATTACK::Discovery notice, gated by t1069_report_option and
	#      the T1069 endpoint whitelist; and
	#   2. a count of 1 for the "attack_discovery" aggregate, gated by
	#      attack_discovery_report_option and the separate discovery
	#      whitelist.
	# The two whitelists are evaluated independently: suppressing the
	# notice for an endpoint does not stop it feeding the aggregate, and
	# vice versa.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; written
	#       verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	#
	# Notice
	#
	if ( t1069_report_option )
	{
		local tech_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = t1069_whitelist_orig_addrs,
			$resp_addrs   = t1069_whitelist_resp_addrs,
			$orig_subnets = t1069_whitelist_orig_subnets,
			$resp_subnets = t1069_whitelist_resp_subnets,
			$orig_names   = t1069_whitelist_orig_names,
			$resp_names   = t1069_whitelist_resp_names);

		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, tech_wl) )
			NOTICE([$note = ATTACK::Discovery,
			        $msg  = rpc,
			        $sub  = BZAR::attack_info["t1069"],
			        $conn = c]);
	}

	#
	# Aggregate observation
	#
	if ( attack_discovery_report_option )
	{
		local agg_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = attack_discovery_whitelist_orig_addrs,
			$resp_addrs   = attack_discovery_whitelist_resp_addrs,
			$orig_subnets = attack_discovery_whitelist_orig_subnets,
			$resp_subnets = attack_discovery_whitelist_resp_subnets,
			$orig_names   = attack_discovery_whitelist_orig_names,
			$resp_names   = attack_discovery_whitelist_resp_names);

		# Keyed on the originator, so the count accumulates per querying
		# host rather than per target. The reducer and threshold that
		# consume the count are defined outside this file.
		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, agg_wl) )
			SumStats::observe("attack_discovery",
			                  SumStats::Key($host = c$id$orig_h),
			                  SumStats::Observation($num = 1));
	}

	return T;
}
function rpc_t1082_log ( c : connection, rpc : string ) : bool
{
	# T1082 System Information Discovery
	#
	# Two independent outputs for the RPC operation named by `rpc` on `c`:
	#   1. an ATTACK::Discovery notice, gated by t1082_report_option and
	#      the T1082 endpoint whitelist; and
	#   2. a count of 1 for the "attack_discovery" aggregate, gated by
	#      attack_discovery_report_option and the separate discovery
	#      whitelist.
	# The two whitelists are evaluated independently: suppressing the
	# notice for an endpoint does not stop it feeding the aggregate, and
	# vice versa.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; written
	#       verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	#
	# Notice
	#
	if ( t1082_report_option )
	{
		local tech_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = t1082_whitelist_orig_addrs,
			$resp_addrs   = t1082_whitelist_resp_addrs,
			$orig_subnets = t1082_whitelist_orig_subnets,
			$resp_subnets = t1082_whitelist_resp_subnets,
			$orig_names   = t1082_whitelist_orig_names,
			$resp_names   = t1082_whitelist_resp_names);

		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, tech_wl) )
			NOTICE([$note = ATTACK::Discovery,
			        $msg  = rpc,
			        $sub  = BZAR::attack_info["t1082"],
			        $conn = c]);
	}

	#
	# Aggregate observation
	#
	if ( attack_discovery_report_option )
	{
		local agg_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = attack_discovery_whitelist_orig_addrs,
			$resp_addrs   = attack_discovery_whitelist_resp_addrs,
			$orig_subnets = attack_discovery_whitelist_orig_subnets,
			$resp_subnets = attack_discovery_whitelist_resp_subnets,
			$orig_names   = attack_discovery_whitelist_orig_names,
			$resp_names   = attack_discovery_whitelist_resp_names);

		# Keyed on the originator, so the count accumulates per querying
		# host rather than per target. The reducer and threshold that
		# consume the count are defined outside this file.
		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, agg_wl) )
			SumStats::observe("attack_discovery",
			                  SumStats::Key($host = c$id$orig_h),
			                  SumStats::Observation($num = 1));
	}

	return T;
}
function rpc_t1083_log ( c : connection, rpc : string ) : bool
{
	# T1083 File & Directory Discovery
	#
	# Two independent outputs for the RPC operation named by `rpc` on `c`:
	#   1. an ATTACK::Discovery notice, gated by t1083_report_option and
	#      the T1083 endpoint whitelist; and
	#   2. a count of 1 for the "attack_discovery" aggregate, gated by
	#      attack_discovery_report_option and the separate discovery
	#      whitelist.
	# The two whitelists are evaluated independently: suppressing the
	# notice for an endpoint does not stop it feeding the aggregate, and
	# vice versa.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; written
	#       verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	#
	# Notice
	#
	if ( t1083_report_option )
	{
		local tech_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = t1083_whitelist_orig_addrs,
			$resp_addrs   = t1083_whitelist_resp_addrs,
			$orig_subnets = t1083_whitelist_orig_subnets,
			$resp_subnets = t1083_whitelist_resp_subnets,
			$orig_names   = t1083_whitelist_orig_names,
			$resp_names   = t1083_whitelist_resp_names);

		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, tech_wl) )
			NOTICE([$note = ATTACK::Discovery,
			        $msg  = rpc,
			        $sub  = BZAR::attack_info["t1083"],
			        $conn = c]);
	}

	#
	# Aggregate observation
	#
	if ( attack_discovery_report_option )
	{
		local agg_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = attack_discovery_whitelist_orig_addrs,
			$resp_addrs   = attack_discovery_whitelist_resp_addrs,
			$orig_subnets = attack_discovery_whitelist_orig_subnets,
			$resp_subnets = attack_discovery_whitelist_resp_subnets,
			$orig_names   = attack_discovery_whitelist_orig_names,
			$resp_names   = attack_discovery_whitelist_resp_names);

		# Keyed on the originator, so the count accumulates per querying
		# host rather than per target. The reducer and threshold that
		# consume the count are defined outside this file.
		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, agg_wl) )
			SumStats::observe("attack_discovery",
			                  SumStats::Key($host = c$id$orig_h),
			                  SumStats::Observation($num = 1));
	}

	return T;
}
function rpc_t1087_log ( c : connection, rpc : string ) : bool
{
	# T1087 Account Discovery
	#
	# Two independent outputs for the RPC operation named by `rpc` on `c`:
	#   1. an ATTACK::Discovery notice, gated by t1087_report_option and
	#      the T1087 endpoint whitelist; and
	#   2. a count of 1 for the "attack_discovery" aggregate, gated by
	#      attack_discovery_report_option and the separate discovery
	#      whitelist.
	# The two whitelists are evaluated independently: suppressing the
	# notice for an endpoint does not stop it feeding the aggregate, and
	# vice versa.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; written
	#       verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	#
	# Notice
	#
	if ( t1087_report_option )
	{
		local tech_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = t1087_whitelist_orig_addrs,
			$resp_addrs   = t1087_whitelist_resp_addrs,
			$orig_subnets = t1087_whitelist_orig_subnets,
			$resp_subnets = t1087_whitelist_resp_subnets,
			$orig_names   = t1087_whitelist_orig_names,
			$resp_names   = t1087_whitelist_resp_names);

		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, tech_wl) )
			NOTICE([$note = ATTACK::Discovery,
			        $msg  = rpc,
			        $sub  = BZAR::attack_info["t1087"],
			        $conn = c]);
	}

	#
	# Aggregate observation
	#
	if ( attack_discovery_report_option )
	{
		local agg_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = attack_discovery_whitelist_orig_addrs,
			$resp_addrs   = attack_discovery_whitelist_resp_addrs,
			$orig_subnets = attack_discovery_whitelist_orig_subnets,
			$resp_subnets = attack_discovery_whitelist_resp_subnets,
			$orig_names   = attack_discovery_whitelist_orig_names,
			$resp_names   = attack_discovery_whitelist_resp_names);

		# Keyed on the originator, so the count accumulates per querying
		# host rather than per target. The reducer and threshold that
		# consume the count are defined outside this file.
		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, agg_wl) )
			SumStats::observe("attack_discovery",
			                  SumStats::Key($host = c$id$orig_h),
			                  SumStats::Observation($num = 1));
	}

	return T;
}
function rpc_t1124_log ( c : connection, rpc : string ) : bool
{
	# T1124 System Time Discovery
	#
	# Two independent outputs for the RPC operation named by `rpc` on `c`:
	#   1. an ATTACK::Discovery notice, gated by t1124_report_option and
	#      the T1124 endpoint whitelist; and
	#   2. a count of 1 for the "attack_discovery" aggregate, gated by
	#      attack_discovery_report_option and the separate discovery
	#      whitelist.
	# The two whitelists are evaluated independently: suppressing the
	# notice for an endpoint does not stop it feeding the aggregate, and
	# vice versa.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; written
	#       verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	#
	# Notice
	#
	if ( t1124_report_option )
	{
		local tech_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = t1124_whitelist_orig_addrs,
			$resp_addrs   = t1124_whitelist_resp_addrs,
			$orig_subnets = t1124_whitelist_orig_subnets,
			$resp_subnets = t1124_whitelist_resp_subnets,
			$orig_names   = t1124_whitelist_orig_names,
			$resp_names   = t1124_whitelist_resp_names);

		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, tech_wl) )
			NOTICE([$note = ATTACK::Discovery,
			        $msg  = rpc,
			        $sub  = BZAR::attack_info["t1124"],
			        $conn = c]);
	}

	#
	# Aggregate observation
	#
	if ( attack_discovery_report_option )
	{
		local agg_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = attack_discovery_whitelist_orig_addrs,
			$resp_addrs   = attack_discovery_whitelist_resp_addrs,
			$orig_subnets = attack_discovery_whitelist_orig_subnets,
			$resp_subnets = attack_discovery_whitelist_resp_subnets,
			$orig_names   = attack_discovery_whitelist_orig_names,
			$resp_names   = attack_discovery_whitelist_resp_names);

		# Keyed on the originator, so the count accumulates per querying
		# host rather than per target. The reducer and threshold that
		# consume the count are defined outside this file.
		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, agg_wl) )
			SumStats::observe("attack_discovery",
			                  SumStats::Key($host = c$id$orig_h),
			                  SumStats::Observation($num = 1));
	}

	return T;
}
function rpc_t1135_log ( c : connection, rpc : string ) : bool
{
	# T1135 Network Share Discovery
	#
	# Two independent outputs for the RPC operation named by `rpc` on `c`:
	#   1. an ATTACK::Discovery notice, gated by t1135_report_option and
	#      the T1135 endpoint whitelist; and
	#   2. a count of 1 for the "attack_discovery" aggregate, gated by
	#      attack_discovery_report_option and the separate discovery
	#      whitelist.
	# The two whitelists are evaluated independently: suppressing the
	# notice for an endpoint does not stop it feeding the aggregate, and
	# vice versa.
	#
	# c   : the connection carrying the DCE-RPC call
	# rpc : caller-supplied label for the RPC interface/operation; written
	#       verbatim into the notice's $msg
	#
	# Returns T unconditionally.

	#
	# Notice
	#
	if ( t1135_report_option )
	{
		local tech_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = t1135_whitelist_orig_addrs,
			$resp_addrs   = t1135_whitelist_resp_addrs,
			$orig_subnets = t1135_whitelist_orig_subnets,
			$resp_subnets = t1135_whitelist_resp_subnets,
			$orig_names   = t1135_whitelist_orig_names,
			$resp_names   = t1135_whitelist_resp_names);

		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, tech_wl) )
			NOTICE([$note = ATTACK::Discovery,
			        $msg  = rpc,
			        $sub  = BZAR::attack_info["t1135"],
			        $conn = c]);
	}

	#
	# Aggregate observation
	#
	if ( attack_discovery_report_option )
	{
		local agg_wl = BZAR::EndpointWhitelist(
			$orig_addrs   = attack_discovery_whitelist_orig_addrs,
			$resp_addrs   = attack_discovery_whitelist_resp_addrs,
			$orig_subnets = attack_discovery_whitelist_orig_subnets,
			$resp_subnets = attack_discovery_whitelist_resp_subnets,
			$orig_names   = attack_discovery_whitelist_orig_names,
			$resp_names   = attack_discovery_whitelist_resp_names);

		# Keyed on the originator, so the count accumulates per querying
		# host rather than per target. The reducer and threshold that
		# consume the count are defined outside this file.
		if ( ! BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, agg_wl) )
			SumStats::observe("attack_discovery",
			                  SumStats::Key($host = c$id$orig_h),
			                  SumStats::Observation($num = 1));
	}

	return T;
}
#end bzar_dce-rpc_report.zeek |