-
Notifications
You must be signed in to change notification settings - Fork 75
/
CHANGES
162 lines (115 loc) · 9.68 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
#
# BZAR Changes
#
# Copyright 2018 The MITRE Corporation. All Rights Reserved.
# Approved for public release. Distribution unlimited. Case number 18-3868.
#
# 20201009
1. Summary of Changes, MITRE ATT&CK(R) Framework, Now w/Sub-Techniques
The July 2020 (v7) release of MITRE's Enterprise ATT&CK framework officially introduced sub-techniques. For more information on sub-techniques, see the ATT&CK website at https://attack.mitre.org/resources/updates.
This change in the ATT&CK framework affected several techniques that BZAR detected and reported. Eight (8) techniques under the old framework now become ten (10) techniques/sub-techniques under the new framework, as mapped out below.
1.1. Old: "T1003 Credential Dumping" | New: "T1003.006 OS Credential Dumping: DCSync"
1.2. Old: "T1004 Winlogon Helper DLL" | New: "T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL"
1.3. Old: "T1013 Port Monitors" | New: "T1547.010 Boot or Logon Autostart Execution: Port Monitors"
1.4. Old: "T1035 Service Execution" | New: "T1569.002 System Services: Service Execution"
1.5. Old: "T1053 Scheduled Task" | Split Apart...
1.5.1. New: "T1053.002 Scheduled Task Job: At (Windows)"
1.5.2. New: "T1053.005 Scheduled Task Job: Scheduled Task"
1.6. Old: "T1070 Indicator Removal on Host" | Split Apart...
1.6.1. New: "T1070.001 Indicator Removal on Host: Clear Windows Event Logs"
1.6.2. New: "T1529 System Shutdown/Reboot"
1.7. Old: "T1077 Windows Admin Shares" | New: "T1021.002 Remote Services: SMB/Windows Admin Shares"
1.8. Old: "T1105 Remote File Copy" | New: "T1570 Lateral Tool Transfer"
2. Summary of Changes, BZAR Code
The most obvious change BZAR users will observe are the strings written to the Zeek Notice Log. The strings are defined in main.zeek, within string table 'const attack_info'.
The BZAR naming convention uses the ATT&CK technique ID (e.g. T0177) for many of the configuration options, function names, and other consts. For consistency, these items were all renamed, using new technique IDs.
Lastly, BZAR has a new Notice Type called, ATTACK::Impact. The original BZAR code was already detecting RPC functions related to remote system shutdown, but it was reported as Defense Evasion under technique "T1070 Indicator Removal on Host." The rationale being a shutdown would eliminate indicators within volatile memory. The ATT&CK framework now has a separate technique of "T1529 System Shutdown/Reboot" associated with the tactic of "Impact," so the RPC functions related to remote system shutdown are now reported under T1529 with the Notice Type of ATTACK::Impact.
# 20200929
1. Rename .bro scripts to .zeek
# 20191121
1. Summary of Changes, New Functional Capabilities
Two new features are introduced, and one existing feature is improved. On new feature is to be able to toggle on/off whether or not an ATT&CK Technique is reported in the Notice Log. Another new feature is to be able to toggle on/off whether or not an ATTACK Technique is detected (NOTE: disabling detection will thereby preclude that item from being reported).
Also, the whitelisting feature is improved. In the original release, BZAR had a global whitelist, by IP address only. The global whitelist was not the best design because it could create unnecessary blind-spots for the security analyst. For example, if one endpoint is authorized to perform remote file copy to a Windows Admin Share as part of routine business operations, then it would be appropriate to add that endpoint to the whitelist. However, that same endpoint may not be authorized to perform remote execution via the Task Scheduler service. Therefore, a single global whitelist would effectively ignore the actions of that endpoint regardless of the type of activity. This change makes the whitelist more granular, so that a unique whitelist could be specified for each ATT&CK Technique. In addition to the granularity, whitelists can be specified by IP addresses, subnets, and host names.
These new and improved configuration options will allow the user to better tune BZAR for their specific operational environment.
1.1. BZAR Actions - ATT&CK Indicators to Detect and Report
#
# Description:
# These config options should be tuned for your specific environment.
# Use the Zeek Configuration Framework to change the default values
# during runtime.
#
# xxxx_detect_option:
# Option to control whether or not to detect this ATT&CK indicator.
# If set to False, then it effectively disables _report_option, too.
#
# xxxx_report_option:
# Option to control whether or not to write to the Notice Log.
# If _detect_option is False, then this option has no effect.
1.2. BZAR Whitelists - Ignore ATT&CK Indicators Involving these Endpoints
#
# Description:
# These config options should be tuned for your specific environment.
# Use the Zeek Configuration Framework to change the default values
# during runtime.
#
# Whitelists can be specified by IP address, IP subnet, or host
# name for each ATT&CK indicator. Furthermore, the whitelists can
# be specified by originating address, subnet, or hostname; and by
# responding address, subnet, or hostname.
#
# xxxx_whitelist_orig_addrs : set[addr]
# Add originating IP addresses to ignore for an ATT&CK indicator.
# The value of 'c$id$orig_h' is checked against this list before
# writing to Notice Log and/or SumStats Observation.
#
# xxxx_whitelist_resp_addrs : set[addr]
# Add responding IP addresses to ignore for an ATT&CK indicator.
# The value of 'c$id$resp_h' is checked against this list before
# writing to Notice Log and/or SumStats Observation.
#
# xxxx_whitelist_orig_subnets : set[subnet]
# Add originating IP subnets to ignore for an ATT&CK indicator.
# The value of 'c$id$orig_h' is checked against this list before
# writing to Notice Log and/or SumStats Observation.
#
# xxxx_whitelist_resp_subnets : set[subnet]
# Add responding IP subnets to ignore for an ATT&CK indicator.
# The value of 'c$id$resp_h' is checked against this list before
# writing to Notice Log and/or SumStats Observation.
#
# xxxx_whitelist_orig_names : set[string]
# Add originating IP addresses to ignore for an ATT&CK indicator.
# CAUTION: A DNS reverse-lookup of the value of 'c$id$orig_h' is
# performed and the result is checked against this list before
# writing to Notice Log and/or SumStats Observation. The DNS
# reverse-lookup could adversely affect system performance.
#
# xxxx_whitelist_resp_names : set[string]
# Add responding IP addresses to ignore for an ATT&CK indicator.
# CAUTION: A DNS reverse-lookup of the value of 'c$id$resp_h' is
# performed and the result is checked against this list before
# writing to Notice Log and/or SumStats Observation. The DNS
# reverse-lookup could adversely affect system performance.
2. Summary of Changes, New Code/File Structure
The new features described above triggered other changes in the structure of the Bro scripts, adding new subroutines to account for the new functionality and splitting apart source code files to keep it modular and manageable.
2.1. Split Apart 'main.bro' Script
Old: main.bro -> New: main.bro; bzar_config_options.bro
Default values for the _detect_option, _report_option, and _whitelist options are initialized in bzar_config_options.bro script.
2.2. RPC Indicators Grouped by ATT&CK Technique Identifier
The RPC indicators are now attributed to specific ATT&CK Technique IDs. Originally, the RPC indicators were grouped by ATT&CK Tactic. For example, RPC operations associated with Scheduled Tasks, Service Execution, and WMI were all grouped together as "ATTACK::Execution". Now, these are grouped by ATT&CK Technique instead. Allows for more granular control of toggling detection, reporting, and whitelisting.
The definitions/initializations for the Technique-specific groupings are moved from bzar_dce-rpc.bro into bzar_dce-rpc_consts.bro.
2.3. Split Apart 'bzar_dce-rpc.bro' Script
Old: bzar_dce-rpc.bro -> New: bzar_dce-rpc_detect.bro; bzar_dce-rpc_report.bro
The _detect script uses Zeek events from the DCE-RPC protocol analyzer to look for RPC indicators and then calls BZAR::rpc_txxxx_log subroutine.
The _report script contains the code for the various _log subroutines. Each ATT&CK Technique has its own _log subroutine.
2.4. Split Apart 'bzar_smb.bro' Script
Old: bzar_smb.bro -> New: bzar_smb_consts.bro; bzar_smb_report.bro; bzar_smb1_detect.bro; bzar_smb2_detect.bro
The _smb1_detect script uses Zeek events from the SMB protocol analyzer to look for indicators specific to SMB v1 and then calls BZAR::smb_txxxx_log subroutine.
The _smb2_detect script uses Zeek events from the SMB protocol analyzer to look for indicators specific to SMB v2 and then calls BZAR::smb_txxxx_log subroutine.
The _report script contains the code for the various _log subroutines. Each ATT&CK Technique has its own _log subroutine.
SMB-related constants/globals are moved into bzar_smb_consts.bro.
2.5. Changes to 'bzar_files.bro' Script
A toggle switch already existed to enable/disable Lateral Movement-related file extraction, per recommendation earlier this year from Murad's code review. Added new toggle switch to enable/disable reporting of Lateral Movement-related file extraction. Now, you can do the extraction, and not write to the Notice Log that the file extraction occurred. Helps reduce noise in the notice log.
2.6. Changes to '__load__.bro' Script
Added 'load' statements to load the new scripts described above.
#end CHANGES