<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hi Gabriele,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thank you for the compliment on BZAR. I think it would be great if you were to create a parser for those data stubs. That would add a lot of value.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>>> ...nor for the classic code execution dcerpc traffic passed through<o:p></o:p></p><p class=MsoNormal>>> named pipes (atsvc, svcctl, winreg , [...]) (<i>authlevel connect</i>), which<o:p></o:p></p><p class=MsoNormal>>> are the easiest techniques to exploit with basic AD configuration.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I am surprised those RPC interfaces are not encrypted. For example, the current MSDN documentation states the RPC authentication should be Level 6 (<i>authlevel packet privacy</i>) for atsvc, svcctl, and winreg, which would mean the data stubs would be encrypted. I didn’t investigate further to verify if that is true or not, or to find cases when it is not encrypted.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Mark<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>From:</b> Gabriele Pippi <g.pippi@certego.net> <br><b>Sent:</b> Monday, September 23, 2019 6:19 AM<br><b>To:</b> Fernandez, Mark I <mfernandez@mitre.org><br><b>Cc:</b> zeek-dev@zeek.org<br><b>Subject:</b> Re: [EXT] [Zeek-Dev] Zeek DCE-RPC Analyzer Update<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>Hi Mark,<br><br>I have already analyzed your project and I thank you for the excellent work.<br><br>The reasons why we are looking for something more are these:<br> <br>1. Currently analyzing the new techniques with DCOM we have noticed that neither the endpoints nor the operations have been included in the project.<br>2. We have also noticed in the observed cases that the data stub is encrypted using ntlmssp authlevel packet privacy, this happened in the cases where dcerpc passed over pure through a specific rule on the local windows firewall. However this does not happen neither for the observed cases of DCOM (<i>authlevel packet integrity</i>), nor for the classic code execution dcerpc traffic passed through named pipes (atsvc, svcctl, winreg , [...]) (<i>authlevel connect</i>), which are the easiest techniques to exploit with basic AD configuration. This type of traffic is legitimate and widely used in our networks, the content of the stub data in cleartext would help us both to filter the normal uses from the malicious ones and to greatly increase the quality of our analyzes.<br><br>Thanks,<br><br>Gabriele.<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>Il giorno ven 20 set 2019 alle ore 13:19 Fernandez, Mark I <<a href="mailto:mfernandez@mitre.org">mfernandez@mitre.org</a>> ha scritto:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hi Gabriele,<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Last year I did a deep-dive into the Zeek DCE-RPC protocol analyzer. I found the same un-used binpac file <i>endpoint-atsvc.pac,</i> and I had similar thoughts about developing analyzers for specific RPC data stubs. Unfortunately, so many RPC data stubs are encrypted by default now. Also, I realized I was able to make useful decisions from just knowing the RPC interface and method and then mapping that function to a threat model. Please see the github repository at the URL below. Also, I am giving a talk on it at ZeekWeek next month.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a href="https://github.com/mitre-attack/bzar" target="_blank">https://github.com/mitre-attack/bzar</a><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks,<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Mark<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> <a href="mailto:zeek-dev-bounces@zeek.org" target="_blank">zeek-dev-bounces@zeek.org</a> <<a href="mailto:zeek-dev-bounces@zeek.org" target="_blank">zeek-dev-bounces@zeek.org</a>> <b>On Behalf Of </b>Gabriele Pippi<br><b>Sent:</b> Thursday, September 19, 2019 12:10 PM<br><b>To:</b> <a href="mailto:zeek-dev@zeek.org" target="_blank">zeek-dev@zeek.org</a><br><b>Subject:</b> [EXT] [Zeek-Dev] Zeek DCE-RPC Analyzer Update<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Zeek-Dev Group,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>hi i'm Gabriele from purple team of Certego. We are trying to rely on zeek to increase the detection of our platform in the <i>moving through the internal network sc</i>enario ( <i>credential access</i>, <i>discovery</i> and specially <i>lateral movement</i> ATT&CK Matrix phases).<br><br>In the case of dcerpc for the moment we are correlating the information generated by <i>bro_dce_rpc </i>parser with data coming from endpoint agents.<br><br>In order to reduce the number of false positives and to gather more detailed information for a possible analysis, we thought it would be really interesting "to get extensive parsing in place for DCE-RPC messages by parsing the IDL files [...]" or to implement a "byte string containing the stub data itself" in case it is not encrypted. In our case we would like to give priority to all those operations that allow to directly carry out an entire attack or a code execution, restricting the scope to those with stub data in cleartext (for example in the case of dcerpc over smb named_pipe or in the case of dcom, at least for the operations observed until now ). I found the following BINPAC <i>zeek/src/analyzer/protocol/dce-rpc/endpoint-atsvc.pac</i>, and I ended up to this discussion <a href="https://bro-dev.bro-ids.narkive.com/jq0Ofe6L/bro-dce-rpc-analyzer-questions" target="_blank">https://bro-dev.bro-ids.narkive.com/jq0Ofe6L/bro-dce-rpc-analyzer-questions</a> . <br><br><b>Have there been any updates regarding this topic? Do you have any advice on how to proceed?</b><br><br>Once we have assessed the feasibility, we could be willing to contribute to achieve this goal. In this work we would also like to insert a series of endpoints and operations that currently are not mapped by zeek, among those observed for example there are several in DCOM. Once the tests are completed, if you are interested, we could also provide you with an exhaustive list or integrate it directly with a possible merge.<br><br>At the moment we do not know of the existence of technologies that allow to do alerting on some types of <i>Windows APIs</i>, we therefore believe that being able to do it at the network level through DCERPC is an important added value to zeek.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Gabriele.<o:p></o:p></p></div></div></div></div></blockquote></div><p class=MsoNormal><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <o:p></o:p></p><div><div><div><div><div><div><p class=MsoNormal><a href="http://www.certego.net/" target="_blank"><span style='border:solid windowtext 1.0pt;padding:0in;text-decoration:none'><img border=0 width=96 height=96 style='width:1.0in;height:1.0in' id="Picture_x0020_1" src="cid:~WRD000.jpg" alt="Image removed by sender."></span></a><o:p></o:p></p><div><p class=MsoNormal><b><span style='font-size:13.5pt;font-family:"Arial",sans-serif;color:#00ACED;letter-spacing:.75pt'>Gabriele Pippi<o:p></o:p></span></b></p></div><div><p class=MsoNormal><b><span style='font-size:10.5pt;font-family:"Arial",sans-serif;color:#202020'>Incident Response Team, Certego<o:p></o:p></span></b></p></div><p class=MsoNormal><a href="tel:+39-059-7353333" target="_blank"><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#545454;text-decoration:none'><br></span></a><o:p></o:p></p></div><div><p class=MsoNormal><a href="tel:+39-059-7353333" target="_blank"><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#545454;text-decoration:none'>+39 0543 1908084</span></a><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#00ACED'> | </span><a href="tel:+39-3333333333" target="_blank"><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#545454;text-decoration:none'>+39-3386735301</span></a> <o:p></o:p></p><div><p class=MsoNormal><a href="http://www.linkedin.com/company/certego" target="_blank"><span style='border:solid windowtext 1.0pt;padding:0in;text-decoration:none'><img border=0 width=24 height=24 style='width:.25in;height:.25in' id="Picture_x0020_2" src="cid:image002.jpg@01D571F2.4012DCE0" alt="Image removed by sender."></span></a> <a href="http://twitter.com/Certego_IRT" target="_blank"><span style='border:solid windowtext 1.0pt;padding:0in;text-decoration:none'><img border=0 width=24 height=24 style='width:.25in;height:.25in' id="Picture_x0020_3" src="cid:image002.jpg@01D571F2.4012DCE0" alt="Image removed by sender."></span></a> <a href="http://github.com/certego" target="_blank"><span style='border:solid windowtext 1.0pt;padding:0in;text-decoration:none'><img border=0 width=24 height=24 style='width:.25in;height:.25in' id="Picture_x0020_4" src="cid:image002.jpg@01D571F2.4012DCE0" alt="Image removed by sender."></span></a> <a href="http://www.youtube.com/CERTEGOsrl" target="_blank"><span style='border:solid windowtext 1.0pt;padding:0in;text-decoration:none'><img border=0 width=24 height=24 style='width:.25in;height:.25in' id="Picture_x0020_5" src="cid:image002.jpg@01D571F2.4012DCE0" alt="Image removed by sender."></span></a> <a href="http://plus.google.com/117641917176532015312" target="_blank"><span style='border:solid windowtext 1.0pt;padding:0in;text-decoration:none'><img border=0 width=24 height=24 style='width:.25in;height:.25in' id="Picture_x0020_6" src="cid:image002.jpg@01D571F2.4012DCE0" alt="Image removed by sender."></span></a><o:p></o:p></p></div><p class=MsoNormal style='text-align:justify;vertical-align:top'><span style='font-size:6.0pt;font-family:"Arial",sans-serif;color:#E0E0E0'>Use of the information within this document constitutes acceptance for use in an "as is" condition. There are no warranties with regard to this information; Certego has verified the data as thoroughly as possible. Any use of this information lies within the user's responsibility. In no event shall Certego be liable for any consequences or damages, including direct, indirect, incidental, consequential, loss of business profits or special damages, arising out of or in connection with the use or spread of this information. <o:p></o:p></span></p></div></div></div></div></div></div></div></body></html>