Adding IP called an RPC method via Zeek or EID 5712

```yaml
relationship_id: REL-2022-0188
name: IP called RPC Method
contributors:
  - Hamza OUADIA @Cyb3rSn0rlax
attack:
  data_source: Network Traffic
  data_component: network connection creation
behavior:
  source: ip
  relationship: called
  target: rpc method
security_events:
  - event_id: dce_rpc_request
    name: DCE-RPC Operation.
    platform: Zeek
    audit_category: null
    audit_sub_category: null
    log_channel: null
    log_provider: null
  - event_id: 5712
    name: A Remote Procedure Call (RPC) was attempted.
    platform: Windows
    audit_category: Process Tracking
    audit_sub_category: RPC events
    log_channel: null
    log_provider: null
references:
  - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5712
note:
  - It appears that the event id 5712 event never occurs.
```
Made num_id a dictionary instead of a list. Keys of the dictionary: years. Values of the dictionary: list of numbers for each year.
Deleted relationship ID. No need to add relationship since ossemDM.py script will add relationship id after the PR is merged :D
We need to remove 5712 from the RPC file and create another one to also cover endpoint/host RPC ETW events. SilkETW would be easy to use for a basic scenario.
- updated schema for both events
- I need to validate if user and process context of event 5712 could be used to generate new relationships: user called RPC method, process called RPC method
- I need to validate schema for dce_rpc event and potential change in behavior to: rpc method called from ip or port
- I need to validate attack mapping section
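An added example in Python (not OSSEM-DM project code) for the two validation tasks listed above: it checks the relationship record as posted in this PR against the key set that file implies, flagging the misspelled `refenrences` key, and projects constructed Zeek `dce_rpc.log` rows onto the `ip called rpc method` triple. `DCE_RPC_FIELDS` follows Zeek's default `dce_rpc.log` column order; the required-key sets, hosts, uids and sample rows are assumptions.

```python
# Default column order of Zeek's dce_rpc.log
DCE_RPC_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
                  "rtt", "named_pipe", "endpoint", "operation"]
# Keys a relationship file is expected to carry (assumed from the record in this PR)
REQUIRED_TOP_KEYS = {"name", "contributors", "attack", "behavior", "security_events", "references"}
OPTIONAL_TOP_KEYS = {"relationship_id", "note", "notes"}
REQUIRED_EVENT_KEYS = {"event_id", "name", "platform", "audit_category",
                       "audit_sub_category", "log_channel", "log_provider"}

# The relationship as posted in the PR, keeping its misspelled 'refenrences' key on purpose
PR_RELATIONSHIP = {
    "name": "IP called RPC Method",
    "contributors": ["Hamza OUADIA @Cyb3rSn0rlax"],
    "attack": {"data_source": "Network Traffic", "data_component": "network connection creation"},
    "behavior": {"source": "ip", "relationship": "called", "target": "rpc method"},
    "security_events": [{"event_id": "dce_rpc_request", "name": "DCE-RPC Operation.",
                         "platform": "Zeek", "audit_category": None, "audit_sub_category": None,
                         "log_channel": None, "log_provider": None}],
    "refenrences": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5712"],
}

def validate_relationship(rel):
    """Return schema problems as strings; an empty list means the record is well-formed."""
    problems = [f"missing key: {k}" for k in sorted(REQUIRED_TOP_KEYS - set(rel))]
    problems += [f"unknown key: {k}" for k in sorted(set(rel) - REQUIRED_TOP_KEYS - OPTIONAL_TOP_KEYS)]
    for ev in rel.get("security_events", []):
        missing = sorted(REQUIRED_EVENT_KEYS - set(ev))
        if missing:
            problems.append(f"event {ev.get('event_id')} missing {missing}")
    return problems

def parse_dce_rpc_line(line):
    """Split one tab-separated dce_rpc.log row into a dict keyed by Zeek field name."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != len(DCE_RPC_FIELDS):
        raise ValueError(f"expected {len(DCE_RPC_FIELDS)} columns, got {len(fields)}")
    return dict(zip(DCE_RPC_FIELDS, fields))

def to_behavior(rec, rel=PR_RELATIONSHIP):
    """Instantiate the behavior triple (ip -> called -> rpc method) from one parsed record."""
    b = rel["behavior"]
    return {b["source"]: rec["id.orig_h"], "relationship": b["relationship"],
            b["target"]: f"{rec['endpoint']}::{rec['operation']}",
            "event_id": rel["security_events"][0]["event_id"]}

# Constructed sample rows: invented hosts/uids, interface and operation names as Zeek logs them
SAMPLE_ROWS = [
    "1650000000.123456\tCUID0001\t10.0.0.5\t49712\t10.0.0.10\t135\t0.0012\t-\tepmapper\tept_map",
    "1650000001.654321\tCUID0002\t10.0.0.5\t49713\t10.0.0.10\t445\t0.0030\t\\pipe\\srvsvc\tsrvsvc\tNetrShareEnum",
]
def behaviors_from_rows(rows=SAMPLE_ROWS):
    """Map every sample row onto the relationship, e.g. for feeding a detection data model."""
    return [to_behavior(parse_dce_rpc_line(r)) for r in rows]
```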