<div dir="ltr"><div>Zeek-Dev Group,</div><div><br></div><div>hi i'm Gabriele from purple team of Certego. We are trying to rely on zeek to increase the detection of our platform in the <i>moving</i><i> through the internal network sc</i>enario ( <i>credential access</i>, <i>discovery</i> and specially <i>lateral movement</i> ATT&CK Matrix phases).<br><br>In the case of dcerpc for the moment we are correlating the information generated by <i>bro_dce_rpc </i>parser with data coming from endpoint agents.<br><br>In
order to reduce the number of false positives and to gather more
detailed information for a possible analysis, we thought it would be
really interesting "to get extensive parsing in place for DCE-RPC
messages by parsing the IDL files [...]" or to implement a "byte string
containing the stub data itself" in case it is not encrypted. In our
case we would like to give priority to all those operations that allow
to directly carry out an entire attack or a code execution, restricting
the scope to those with stub data in cleartext (for example in the case
of dcerpc over smb named_pipe or in the case of dcom, at least for the
operations observed until now ). I found the following BINPAC <i>zeek/src/analyzer/protocol/dce-rpc/endpoint-atsvc.pac</i>, and I ended up to this discussion <a href="https://bro-dev.bro-ids.narkive.com/jq0Ofe6L/bro-dce-rpc-analyzer-questions" target="_blank">https://bro-dev.bro-ids.narkive.com/jq0Ofe6L/bro-dce-rpc-analyzer-questions</a> . <br><br><b>Have there been any updates regarding this topic? Do you have any advice on how to proceed?</b><br><br>Once
we have assessed the feasibility, we could be willing to contribute to
achieve this goal. In this work we would also like to insert a series of
endpoints and operations that currently are not mapped by zeek, among
those observed for example there are several in DCOM. Once the tests are
completed, if you are interested, we could also provide you with an
exhaustive list or integrate it directly with a possible merge.<br><br>At the moment we do not know of the existence of technologies that allow to do alerting on some types of <i>Windows APIs</i>, we therefore believe that being able to do it at the network level through DCERPC is an important added value to zeek.<br><br></div><div>Thanks,<br></div><div><br></div><div>Gabriele.</div></div>