Logging DCE_RPC stub for selected events?
Hi. I am not quite sure how to go about this, so here's my problem: zeek logs the DCE/RPC calls, which is great. However we have no idea what the arguments were. If we are looking at things like lateral movement like PsExec, we can see a service was created and started, but not what that service was.
The awesome work at #1182 adds the stub we might need to events, and we can grab it there. I would like to have that data available in logs for analysis. We are using zeek as a sensor, but a lot of our detection logic is downstream.
I don't think logging that field for all calls makes sense. But I feel like it would be nice to be able to log it for a given whitelist of endpoints/methods?
There's a case to be made for actually unmarshalling the stub, but I am not sure how we could represent complex data types in the logs. Even Wireshark does not seem to decode everything we are interested in, so I'm guessing there's no other way than hooking in the IDL for all the endpoints we want, and ideally doing this through binpac/spicy. Simple pattern matching on the stub is an acceptable workaround for us, hence the "log the stub" approach.
I'm kind of thinking this might work best through an external package that adds code for what you'd like to see logged.
Hi. I've been working on this, as suggested, through an external package. I've encountered two issues so far:
Issue 1: in a DCE-RPC response, dce_rpc_response is called before dce_rpc_response_stub. This means that the code that outputs the log and deletes c$dce_rpc gets triggered before my callback has a chance to add that data to the log.
Issue 2: I'd like to access the DCE_RPC_Header structure, and specifically the auth_length field. Is there a canonical way to access this data or the PDU from scripts without patching the pac files and adding them to an event? Maybe even access the parsed auth header? The idea is to avoid logging encrypted data.
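As an added illustration of the external-package approach discussed above (this is not Zeek's own code, nor the reporter's package), the script below extends DCE_RPC::Info with the request stub for an allow list of endpoint/operation pairs and leaves every other call untouched. It assumes the dce_rpc_request_stub(c, fid, ctx_id, opnum, stub) event from Zeek 3.2+, that this event fires after the base script's dce_rpc_request handler has populated c$dce_rpc, and that the endpoint/operation strings match what Zeek renders in dce_rpc.log; the module name, the option names and the allow-list entries are hypothetical. It deliberately handles only request stubs: because of the ordering described in Issue 1, the log record is already written and removed by the time dce_rpc_response_stub fires.

```zeek
# Added example, not part of Zeek or of the reporter's package.
# Assumes Zeek 3.2+ (dce_rpc_request_stub event) and that c$dce_rpc is already
# populated by base/protocols/dce-rpc when the stub event fires.
@load base/protocols/dce-rpc

module DCE_RPC_STUB;

export {
	## Endpoint/operation pairs whose request stub is logged.
	## Hypothetical allow list: names must match the endpoint and operation
	## strings Zeek writes to dce_rpc.log.
	option stub_allowlist: set[string, string] = {
		["svcctl", "CreateServiceW"],
		["svcctl", "StartServiceW"]
	};

	## Upper bound on stub bytes kept per record, to keep log lines sane.
	option max_stub_bytes: count = 512;

	redef record DCE_RPC::Info += {
		## Full length of the request stub in bytes (allow-listed ops only).
		request_stub_len: count &log &optional;
		## Hex-encoded request stub, truncated to max_stub_bytes.
		request_stub: string &log &optional;
	};
}

event dce_rpc_request_stub(c: connection, fid: count, ctx_id: count,
                           opnum: count, stub: string)
	{
	# Without c$dce_rpc we cannot map opnum to an operation name, so skip.
	if ( ! c?$dce_rpc )
		return;

	local info = c$dce_rpc;

	if ( ! info?$endpoint || ! info?$operation )
		return;

	# Only keep stubs for operations a downstream detection actually wants.
	if ( [info$endpoint, info$operation] !in stub_allowlist )
		return;

	info$request_stub_len = |stub|;
	# sub_bytes() is 1-based and stops at the end of the string if the cap
	# exceeds its length; hex encoding keeps the log line safe to parse.
	info$request_stub = bytestring_to_hexstr(sub_bytes(stub, 1, max_stub_bytes));
	}
```

Loaded as a package, this adds request_stub_len and request_stub columns to dce_rpc.log that are populated only for the allow-listed pairs, so the downstream pattern matching mentioned above can run over the hex string. The script makes no attempt to detect authenticated or encrypted PDUs (the auth_length question in Issue 2), so an encrypted stub for an allow-listed operation would still be logged as opaque bytes.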
@vbr-cts How's this going? Is there an external package you can link to here just for the historical information? Can I close out this issue?