{"id":13453733,"url":"https://github.com/mitre-attack/bzar","last_synced_at":"2026-02-18T09:01:49.600Z","repository":{"id":43295814,"uuid":"187091628","full_name":"mitre-attack/bzar","owner":"mitre-attack","description":"A set of Zeek scripts to detect ATT\u0026CK techniques.","archived":false,"fork":false,"pushed_at":"2024-06-26T16:32:59.000Z","size":121,"stargazers_count":614,"open_issues_count":7,"forks_count":83,"subscribers_count":30,"default_branch":"master","last_synced_at":"2025-10-31T04:48:38.241Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Zeek","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mitre-attack.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-05-16T19:47:16.000Z","updated_at":"2025-10-28T13:14:29.000Z","dependencies_parsed_at":"2024-10-28T20:34:41.683Z","dependency_job_id":"ef29d8e4-d72b-4aaf-94f7-d9257d18dd8d","html_url":"https://github.com/mitre-attack/bzar","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mitre-attack/bzar","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre-attack%2Fbzar","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre-attack%2Fbzar/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre-attack%2Fbzar/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre-attack%2Fbzar/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/Git
Hub/owners/mitre-attack","download_url":"https://codeload.github.com/mitre-attack/bzar/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitre-attack%2Fbzar/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29574065,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-18T08:38:15.585Z","status":"ssl_error","status_checked_at":"2026-02-18T08:38:14.917Z","response_time":162,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T08:00:46.223Z","updated_at":"2026-02-18T09:01:49.581Z","avatar_url":"https://github.com/mitre-attack.png","language":"Zeek","readme":"# BZAR (Bro/Zeek ATT\u0026CK-based Analytics and Reporting)\n\n## 1. Introduction\n\nThe BZAR project uses the Bro/Zeek Network Security Monitor to detect ATT\u0026CK-based \nadversarial activity.\n\n[MITRE ATT\u0026CK](https://attack.mitre.org/) is a \npublicly-available, curated knowledge base for cyber adversary behavior, reflecting \nthe various phases of the adversary lifecycle and the platforms they are known to \ntarget. 
The ATT\u0026CK model includes behaviors of numerous threat groups.\n\nBZAR is a set of Bro/Zeek scripts utilizing the SMB and DCE-RPC protocol analyzers \nand the File Extraction Framework to detect ATT\u0026CK-like activity, raise notices, and \nwrite to the Notice Log.\n\n### BZAR and CAR\n\nBZAR is a component of the [Cyber Analytics Repository](https://car.mitre.org). It was originally located within that library, but due to requirements for Zeek packages it was moved to its own repository. It is still managed as a component of CAR.\n\n## 2. Tuning BZAR for Your Environment\n\nBZAR must be tuned for your specific operational environment.  For example,\nsome of the ATT\u0026CK-like activity that BZAR detects may be authorized and legitimate\nactivity in your environment (e.g., software deployment that writes to ADMIN$ shares). Left untuned, these detections produce many\nunnecessary entries in the Notice Log.  This can be tuned by the use of BZAR whitelists\nand by toggling on/off detection and/or reporting. See the CHANGES document for more \ninformation.\n\n## 3. Complex Analytics for Detecting ATT\u0026CK-like Activity\n\nThe BZAR analytics use the Bro/Zeek Summary Statistics (SumStats) Framework to \ncombine two or more simple indicators in SMB and DCE-RPC traffic to detect \nATT\u0026CK-like activity with a greater degree of confidence.  Three (3) BZAR \nanalytics are described below.\n\n### 3.1. 
SumStats Analytics for ATT\u0026CK Lateral Movement and Execution\n\nUse SumStats to raise a Bro/Zeek Notice event if an SMB Lateral Movement \nindicator (e.g., SMB File Write to a Windows Admin File Share: ADMIN$ or \nC$ only) is observed together with a DCE-RPC Execution indicator against \nthe same (targeted) host, within a specified period of time.\n\n#### Relevant ATT\u0026CK Techniques\n* [T1021.002 Remote Services: SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002/) (file shares only, not named pipes), and\n* [T1570 Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570/), and\n* One of the following:\n  * [T1569.002 System Services: Service Execution](https://attack.mitre.org/techniques/T1569/002/)\n  * [T1047 Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047/)\n  * [T1053.002 Scheduled Task/Job: At (Windows)](https://attack.mitre.org/techniques/T1053/002/)\n  * [T1053.005 Scheduled Task/Job: Scheduled Task](https://attack.mitre.org/techniques/T1053/005/)\n\n#### Relevant Indicators Detected by Bro/Zeek\n* `smb1_write_andx_response::c$smb_state$path` contains `ADMIN$` or `C$`\n* `smb2_write_request::c$smb_state$path` contains `ADMIN$` or `C$`\n* `dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation` contains any of the following:\n    * `svcctl::CreateServiceW`\n    * `svcctl::CreateServiceA`\n    * `svcctl::StartServiceW`\n    * `svcctl::StartServiceA`\n    * `IWbemServices::ExecMethod`\n    * `IWbemServices::ExecMethodAsync`\n    * `atsvc::JobAdd`\n    * `ITaskSchedulerService::SchRpcRegisterTask`\n    * `ITaskSchedulerService::SchRpcRun`\n    * `ITaskSchedulerService::SchRpcEnableTask`\n\n**NOTE:** Preference would be to detect the smb2_write_response event (instead of smb2_write_request), because it would confirm the file was actually written to the remote destination. Unfortunately, Bro/Zeek does not have an event for that SMB message-type yet.\n\n### 3.2. 
SumStats Analytics for ATT\u0026CK Lateral Movement (Multiple Attempts)\n\nUse SumStats to raise a Bro/Zeek Notice event if multiple SMB Lateral \nMovement indicators (e.g., multiple attempts to connect to a Windows Admin\nFile Share: ADMIN$ or C$ only) are observed originating from the same host, \nregardless of write attempts and regardless of whether or not any connection\nis successful (just connection attempts), within a specified period of time.\n\n#### Relevant ATT\u0026CK Techniques\n* [T1021.002 Remote Services: SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002/) (file shares only, not named pipes)\n\n#### Relevant Indicators Detected by Bro/Zeek\n* `smb1_tree_connect_andx_request::c$smb_state$path` contains `ADMIN$` or `C$`\n* `smb2_tree_connect_request::c$smb_state$path` contains `ADMIN$` or `C$`\n\n### 3.3. SumStats Analytics for ATT\u0026CK Discovery\n\nUse SumStats to raise a Bro/Zeek Notice event if multiple instances of \nDCE-RPC Discovery indicators are observed originating from the same host, \nwithin a specified period of time.\n\n#### Relevant ATT\u0026CK Techniques\n* [T1016 System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016/)\n* [T1018 Remote System Discovery](https://attack.mitre.org/techniques/T1018/)\n* [T1033 System Owner/User Discovery](https://attack.mitre.org/techniques/T1033/)\n* [T1069 Permission Groups Discovery](https://attack.mitre.org/techniques/T1069/)\n* [T1082 System Information Discovery](https://attack.mitre.org/techniques/T1082/)\n* [T1083 File \u0026 Directory Discovery](https://attack.mitre.org/techniques/T1083/)\n* [T1087 Account Discovery](https://attack.mitre.org/techniques/T1087/)\n* [T1124 System Time Discovery](https://attack.mitre.org/techniques/T1124/)\n* [T1135 Network Share Discovery](https://attack.mitre.org/techniques/T1135/)\n\n#### Relevant Indicator(s) Detected by Bro/Zeek\n* `dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation` contains any of the 
following:\n  * `lsarpc::LsarEnumerateAccounts`\n  * `lsarpc::LsarEnumerateAccountRights`\n  * `lsarpc::LsarEnumerateAccountsWithUserRight`\n  * `lsarpc::LsarEnumeratePrivileges`\n  * `lsarpc::LsarEnumeratePrivilegesAccount`\n  * `lsarpc::LsarEnumerateTrustedDomainsEx`\n  * `lsarpc::LsarGetSystemAccessAccount`\n  * `lsarpc::LsarGetUserName`\n  * `lsarpc::LsarLookupNames`\n  * `lsarpc::LsarLookupNames2`\n  * `lsarpc::LsarLookupNames3`\n  * `lsarpc::LsarLookupNames4`\n  * `lsarpc::LsarLookupPrivilegeDisplayName`\n  * `lsarpc::LsarLookupPrivilegeName`\n  * `lsarpc::LsarLookupPrivilegeValue`\n  * `lsarpc::LsarLookupSids`\n  * `lsarpc::LsarLookupSids2`\n  * `lsarpc::LsarLookupSids3`\n  * `lsarpc::LsarQueryDomainInformationPolicy`\n  * `lsarpc::LsarQueryInfoTrustedDomain`\n  * `lsarpc::LsarQueryInformationPolicy`\n  * `lsarpc::LsarQueryInformationPolicy2`\n  * `lsarpc::LsarQueryTrustedDomainInfo`\n  * `lsarpc::LsarQueryTrustedDomainInfoByName`\n  * `samr::SamrLookupNamesInDomain`\n  * `samr::SamrLookupIdsInDomain`\n  * `samr::SamrLookupDomainInSamServer`\n  * `samr::SamrGetGroupsForUser`\n  * `samr::SamrGetAliasMembership`\n  * `samr::SamrGetMembersInAlias`\n  * `samr::SamrGetMembersInGroup`\n  * `samr::SamrGetUserDomainPasswordInformation`\n  * `samr::SamrEnumerateAliasesInDomain`\n  * `samr::SamrEnumerateUsersInDomain`\n  * `samr::SamrEnumerateGroupsInDomain`\n  * `samr::SamrEnumerateDomainsInSamServer`\n  * `samr::SamrQueryInformationAlias`\n  * `samr::SamrQueryInformationDomain`\n  * `samr::SamrQueryInformationDomain2`\n  * `samr::SamrQueryInformationGroup`\n  * `samr::SamrQueryInformationUser`\n  * `samr::SamrQueryInformationUser2`\n  * `samr::SamrQueryDisplayInformation`\n  * `samr::SamrQueryDisplayInformation2`\n  * `samr::SamrQueryDisplayInformation3`\n  * `srvsvc::NetrConnectionEnum`\n  * `srvsvc::NetrFileEnum`\n  * `srvsvc::NetrRemoteTOD`\n  * `srvsvc::NetrServerAliasEnum`\n  * `srvsvc::NetrServerGetInfo`\n  * `srvsvc::NetrServerTransportEnum`\n  * 
`srvsvc::NetrSessionEnum`\n  * `srvsvc::NetrShareEnum`\n  * `srvsvc::NetrShareGetInfo`\n  * `wkssvc::NetrWkstaGetInfo`\n  * `wkssvc::NetrWkstaTransportEnum`\n  * `wkssvc::NetrWkstaUserEnum`\n\n## 4. Simple Indicators for Detecting ATT\u0026CK-like Activity\n\nIn addition to the analytics described above, BZAR uses simple indicators \nwithin SMB and DCE-RPC traffic to detect ATT\u0026CK-like activity, although with \na lesser degree of confidence than detection via the SumStats analytics. \nThe BZAR indicators are grouped into seven (7) categories, as described below.\n\n### 4.1. Indicators for ATT\u0026CK Lateral Movement\n\nRaise a Bro/Zeek Notice event if a single instance of an SMB Lateral \nMovement indicator (e.g., SMB File Write to a Windows Admin File Share: \nADMIN$ or C$ only) is observed, which indicates ATT\u0026CK-like activity.\n\n#### Relevant ATT\u0026CK Techniques\n\n* [T1021.002 Remote Services: SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002/) (file shares only, not named pipes)\n* [T1570 Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570/)\n\n#### Relevant Indicator(s) Detected by Bro/Zeek\n\n* `smb1_write_andx_response::c$smb_state$path` contains `ADMIN$` or `C$`\n* `smb2_write_request::c$smb_state$path` contains `ADMIN$` or `C$`\n\n**NOTE:** Preference would be to detect the smb2_write_response event (instead of smb2_write_request), because it would confirm the file was actually written to the remote destination. Unfortunately, Bro/Zeek does not have an event for that SMB message-type yet.\n\n### 4.2. Indicators for File Extraction Framework\n\nLaunch the Bro/Zeek File Extraction Framework to save a copy of the file \nthat ATT\u0026CK-like Lateral Movement transferred to a remote system.  
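\n\nThe admin-share write indicator of 4.1 and the Execution indicators of 4.5, combined the way the SumStats analytic of 3.1 describes, as an added example that is not BZAR code (BZAR itself is written as Zeek scripts): plain Python run offline over constructed Zeek-style smb_files.log and dce_rpc.log records, trimmed to the fields the analytics need, with made-up hosts, timestamps and file names. It keys on the targeted host only, as the analytic does, and the 300-second window is an assumed value, since the README does not state the period BZAR uses.\n\n
```python
# Added example: the BZAR README's simple indicators (4.1 admin-share writes, 4.5 execution
# calls) and the 3.1 correlation, re-expressed in Python over Zeek-style log records so it
# can run offline. This is not BZAR code; BZAR itself is written as Zeek scripts.
from collections import defaultdict

TAB = chr(9)          # tab and backslash are spelled with chr() so the listing carries no escape sequences
BACKSLASH = chr(92)

ADMIN_SHARES = {'ADMIN$', 'C$'}          # file shares only, as the README says (not named pipes)

# endpoint::operation pairs the README lists as Execution indicators (sections 3.1 and 4.5)
EXEC_OPS = {
    'svcctl::CreateServiceW', 'svcctl::CreateServiceA',
    'svcctl::StartServiceW', 'svcctl::StartServiceA',
    'IWbemServices::ExecMethod', 'IWbemServices::ExecMethodAsync',
    'atsvc::JobAdd',
    'ITaskSchedulerService::SchRpcRegisterTask',
    'ITaskSchedulerService::SchRpcRun',
    'ITaskSchedulerService::SchRpcEnableTask',
}

def unc(host, share):
    '''UNC path in the form Zeek records in smb_files.log (two leading backslashes).'''
    return BACKSLASH * 2 + host + BACKSLASH + share

def tsv(*rows):
    '''Join constructed records into Zeek ASCII-log lines; the first row is the #fields header.'''
    return [TAB.join(str(v) for v in row) for row in rows]

# Constructed sample logs (not real captures), trimmed to the fields the analytics need.
SMB_FILES_LOG = tsv(
    ('#fields', 'ts', 'uid', 'id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p', 'action', 'path', 'name'),
    (1700000000.0, 'C1', '10.0.0.20', 49812, '10.0.0.5', 445, 'SMB::FILE_WRITE', unc('10.0.0.5', 'ADMIN$'), 'svc.exe'),
    (1700000012.0, 'C2', '10.0.0.20', 49813, '10.0.0.5', 445, 'SMB::FILE_OPEN', unc('10.0.0.5', 'ADMIN$'), 'svc.exe'),
    (1700000020.0, 'C3', '10.0.0.30', 50001, '10.0.0.7', 445, 'SMB::FILE_WRITE', unc('10.0.0.7', 'Public'), 'report.docx'),
    (1700000040.0, 'C4', '10.0.0.40', 50100, '10.0.0.9', 445, 'SMB::FILE_WRITE', unc('10.0.0.9', 'C$'), 'x.exe'),
)
DCE_RPC_LOG = tsv(
    ('#fields', 'ts', 'uid', 'id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p', 'endpoint', 'operation'),
    (1700000005.0, 'C5', '10.0.0.20', 49814, '10.0.0.5', 445, 'svcctl', 'CreateServiceW'),
    (1700000006.0, 'C5', '10.0.0.20', 49814, '10.0.0.5', 445, 'svcctl', 'StartServiceW'),
    (1700000030.0, 'C6', '10.0.0.30', 50002, '10.0.0.7', 445, 'srvsvc', 'NetrShareEnum'),
    (1700000900.0, 'C7', '10.0.0.40', 50101, '10.0.0.9', 445, 'atsvc', 'JobAdd'),
)

def parse_zeek_tsv(lines):
    '''Yield one dict per record, naming columns from the #fields header line.'''
    fields = None
    for line in lines:
        if line.startswith('#fields'):
            fields = line.split(TAB)[1:]
        elif fields and line and not line.startswith('#'):
            yield dict(zip(fields, line.split(TAB)))

def share_name(path):
    '''Last component of a UNC path, upper-cased; accepts either separator.'''
    return path.replace(BACKSLASH, '/').rstrip('/').rsplit('/', 1)[-1].upper()

def admin_share_writes(lines):
    '''Section 4.1: FILE_WRITE to ADMIN$ or C$. Returns (ts, orig, target, share, name) tuples.'''
    hits = []
    for r in parse_zeek_tsv(lines):
        share = share_name(r['path'])
        if r['action'] == 'SMB::FILE_WRITE' and share in ADMIN_SHARES:
            hits.append((float(r['ts']), r['id.orig_h'], r['id.resp_h'], share, r['name']))
    return hits

def execution_calls(lines):
    '''Section 4.5: endpoint::operation pairs in the Execution set. Returns (ts, orig, target, op).'''
    hits = []
    for r in parse_zeek_tsv(lines):
        op = r['endpoint'] + '::' + r['operation']
        if op in EXEC_OPS:
            hits.append((float(r['ts']), r['id.orig_h'], r['id.resp_h'], op))
    return hits

def correlate(writes, execs, window=300.0):
    '''Section 3.1: one notice per targeted host that sees an admin-share write and an
    Execution call within the window (either order). Keyed on the target only, as the
    analytic describes; the window length is an assumed value, not taken from BZAR.'''
    execs_by_target = defaultdict(list)
    for ts, orig, target, op in execs:
        execs_by_target[target].append((ts, orig, op))
    notices = {}
    for w_ts, w_orig, target, share, name in writes:
        near = [(e_orig, op) for e_ts, e_orig, op in execs_by_target[target] if abs(e_ts - w_ts) <= window]
        if near and target not in notices:
            notices[target] = {
                'write': (w_orig, share, name),
                'operations': sorted({op for _, op in near}),
                'sources': sorted({w_orig} | {o for o, _ in near}),
            }
    return notices

if __name__ == '__main__':
    writes = admin_share_writes(SMB_FILES_LOG)
    execs = execution_calls(DCE_RPC_LOG)
    for target, notice in correlate(writes, execs).items():
        print('NOTICE Lateral Movement + Execution against', target, notice)
```
The second write, to C$ on 10.0.0.9, is reported by the simple 4.1 indicator but not by the correlation, because the atsvc::JobAdd that follows it falls 860 seconds later, outside the assumed window; widening the window to 1000 seconds flags it too. The FILE_OPEN on ADMIN$ and the write to the ordinary Public share raise nothing, matching the README's file-write-to-admin-share rule. A deployment would tune the window and the share list as section 2 describes.\n\n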
Raise \na Bro/Zeek Notice event for the Lateral Movement Extracted File.\n\n#### Relevant ATT\u0026CK Techniques\n\n* [T1021.002 Remote Services: SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002/) (file shares only, not named pipes)\n* [T1570 Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570/)\n\n#### Relevant Indicator(s) Detected by Bro/Zeek\n\n* `smb1_write_andx_response::c$smb_state$path` contains `ADMIN$` or `C$`\n* `smb2_write_request::c$smb_state$path` contains `ADMIN$` or `C$`\n\n**NOTE:** Preference would be to detect the smb2_write_response event (instead of smb2_write_request), because it would confirm the file was actually written to the remote destination. Unfortunately, Bro/Zeek does not have an event for that SMB message-type yet.\n\n### 4.3. Indicators for ATT\u0026CK Credential Access\n\nRaise a Bro/Zeek Notice event if a single instance of any of the following \nWindows DCE-RPC functions (endpoint::operation) is observed, which \nindicates ATT\u0026CK-like Credential Access techniques on the remote system. \n\n#### Relevant ATT\u0026CK Technique(s)\n* [T1003.006 OS Credential Dumping: DCSync](https://attack.mitre.org/techniques/T1003/006/)\n\n#### Relevant Indicator(s) Detected by Bro/Zeek\n* `dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation` contains any of the following:\n  * `drsuapi::DRSReplicaSync`\n  * `drsuapi::DRSGetNCChanges`\n\n### 4.4. 
Indicators for ATT\u0026CK Defense Evasion\n\nRaise a Bro/Zeek Notice event if a single instance of any of the following  \nWindows DCE-RPC functions (endpoint::operation) is observed, which \nindicates ATT\u0026CK-like Defense Evasion techniques on the remote system.\n\n#### Relevant ATT\u0026CK Techniques\n* [T1070.001 Indicator Removal on Host: Clear Windows Event Logs](https://attack.mitre.org/techniques/T1070/001/)\n   \n#### Relevant Indicator(s) Detected by Bro/Zeek\n* `dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation` contains any of the following:\n    * `eventlog::ElfrClearELFW`\n    * `eventlog::ElfrClearELFA`\n    * `IEventService::EvtRpcClearLog`\n\n### 4.5. Indicators for ATT\u0026CK Execution\n\nRaise a Bro/Zeek Notice event if a single instance of any of the following\nWindows DCE-RPC functions (endpoint::operation) is observed, which \nindicates ATT\u0026CK-like Execution techniques on the remote system.\n\n#### Relevant ATT\u0026CK Technique(s)\n* [T1569.002 System Services: Service Execution](https://attack.mitre.org/techniques/T1569/002/)\n* [T1047 Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047/)\n* [T1053.002 Scheduled Task/Job: At (Windows)](https://attack.mitre.org/techniques/T1053/002/)\n* [T1053.005 Scheduled Task/Job: Scheduled Task](https://attack.mitre.org/techniques/T1053/005/)\n\n#### Relevant Indicator(s) Detected by Bro/Zeek\n* `dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation` contains any of the following:\n    * `svcctl::CreateServiceW`\n    * `svcctl::CreateServiceA`\n    * `svcctl::StartServiceW`\n    * `svcctl::StartServiceA`\n    * `IWbemServices::ExecMethod`\n    * `IWbemServices::ExecMethodAsync`\n    * `atsvc::JobAdd`\n    * `ITaskSchedulerService::SchRpcRegisterTask`\n    * `ITaskSchedulerService::SchRpcRun`\n    * `ITaskSchedulerService::SchRpcEnableTask`\n\n### 4.6. 
Indicators for ATT\u0026CK Persistence\n\nRaise a Bro/Zeek Notice event if a single instance of any of the following\nWindows DCE-RPC functions (endpoint::operation) is observed, which \nindicates ATT\u0026CK-like Persistence techniques on the remote system.\n\n#### Relevant ATT\u0026CK Technique(s)\n* [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](https://attack.mitre.org/techniques/T1547/004/)\n* [T1547.010 Boot or Logon Autostart Execution: Port Monitors](https://attack.mitre.org/techniques/T1547/010/)\n\n#### Relevant Indicator(s) Detected by Bro/Zeek\n* `dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation` contains any of the following:\n    * `ISecLogon::SeclCreateProcessWithLogonW`\n    * `ISecLogon::SeclCreateProcessWithLogonExW`\n    * `IRemoteWinspool::RpcAsyncAddMonitor`\n    * `IRemoteWinspool::RpcAsyncAddPrintProcessor`\n    * `spoolss::RpcAddMonitor` (interface also known as winspool)\n    * `spoolss::RpcAddPrintProcessor` (interface also known as winspool)\n\n### 4.7. Indicators for ATT\u0026CK Impact\n\nRaise a Bro/Zeek Notice event if a single instance of any of the following \nWindows DCE-RPC functions (endpoint::operation) is observed, which \nindicates ATT\u0026CK-like Impact techniques on the remote system.\n\n#### Relevant ATT\u0026CK Techniques\n* [T1529 System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529/)\n\n#### Relevant Indicator(s) Detected by Bro/Zeek\n* `dce_rpc_response::c$dce_rpc$endpoint + c$dce_rpc$operation` contains any of the following:\n    * `InitShutdown::BaseInitiateShutdown`\n    * `InitShutdown::BaseInitiateShutdownEx`\n    * `WindowsShutdown::WsdrInitiateShutdown`\n    * `winreg::BaseInitiateSystemShutdown`\n    * `winreg::BaseInitiateSystemShutdownEx`\n    * `winstation_rpc::RpcWinStationShutdownSystem`\n    * `samr::SamrShutdownSamServer` (MSDN notes this method is not used on the wire)\n\n## 5. 
Additional DCE-RPC Interfaces and Methods\n\nThe BZAR project adds 144 more Microsoft DCE-RPC Interface UUIDs\n(a.k.a. \"endpoints\") to the Bro/Zeek DCE_RPC::uuid_endpoint_map.\n\nThe BZAR project also adds 1,145 Microsoft DCE-RPC Interface Methods \n(a.k.a. \"operations\") to the Bro/Zeek DCE_RPC::operations.\n\nSee the Bro/Zeek script 'bzar_dce-rpc_consts' for more information.\n\nMost of the DCE-RPC endpoints and operations defined in\n'bzar_dce-rpc_consts' were merged into Zeek's main product line,\nversion 3.2.0-dev.565 | 2020-05-26 21:55:54 +0000.  Ref: https://github.com/zeek/zeek/blob/master/scripts/base/protocols/dce-rpc/consts.zeek#L92\n\n## 6. References\n1. Microsoft Developer Network (MSDN) Library. MSDN Library \u003e Open Specifications \u003e Protocols \u003e Windows Protocols \u003e Technical Documents. https://msdn.microsoft.com/en-us/library/jj712081.aspx\n2. Marchand, \"Windows Network Services Internals\". 2006. http://index-of.es/Windows/win_net_srv.pdf\n\n## 7. Contributing\n\nContributions are welcome. This code is licensed under the same terms as the CAR repository. See the [LICENSE](LICENSE.txt) file and the Developer Certificate of Origin certification in the [CONTRIBUTING](/CONTRIBUTING.md) file in the root of the repository.\n\n\nThe information in this README file is current, as of 10/09/2020.\n\n*Copyright 2018 The MITRE Corporation.  All Rights Reserved.  \nApproved for public release.  Distribution unlimited.  Case number 18-2489.*\n","funding_links":[],"categories":["Threat Detection and Hunting"],"sub_categories":["Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmitre-attack%2Fbzar","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmitre-attack%2Fbzar","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmitre-attack%2Fbzar/lists"}