All,
MITRE has created a set of Bro/Zeek scripts to detect ATT&CK-like adversarial activity. The project is called BZAR – Bro/Zeek ATT&CK-based Analytics and Reporting.
MITRE ATT&CK is a publicly available, curated knowledge base of cyber adversary behavior, reflecting the various phases of the adversary lifecycle and the platforms they are known to target. The ATT&CK model includes behaviors of numerous threat groups.
BZAR is a set of Bro/Zeek scripts utilizing the SMB and DCE-RPC protocol analyzers and the File Extraction Framework to detect ATT&CK-like activity, correlate certain techniques, and write to the Notice Log.
BZAR is publicly released as open source, under MITRE case number 18-2489. It is available for download at the following URL:
For more information on MITRE ATT&CK, visit https://attack.mitre.org.
Mark I. Fernandez
The MITRE Corporation
P.S. It does not yet support the Bro/Zeek Package Manager (this is on the todo list).
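As an added illustration of the approach the announcement describes (a Zeek script that watches DCE-RPC operations, correlates them with SMB activity and writes to the Notice Log), here is a small example script. It is not part of BZAR and not MITRE's code; it is written here to show the mechanics. The endpoint and operation strings assume the names in Zeek's built-in DCE_RPC::operations table (check base/protocols/dce-rpc/consts.zeek for your version), the list of "interesting" service-control operations and the admin-share pattern are choices made for this example, and the module and notice names are made up.

```zeek
##! Example only (not BZAR): raise a notice when a host calls a service-control
##! operation over DCE-RPC, and a stronger notice when the same originator
##! recently wrote a file to an administrative SMB share.

@load base/frameworks/notice
@load base/protocols/dce-rpc
@load base/protocols/smb

module Example_ATTACK;

export {
	redef enum Notice::Type += {
		## A service was created or started remotely over DCE-RPC (svcctl).
		Remote_Service_Control,
		## A file write to ADMIN$ or C$ followed by a service-control call
		## from the same originator, a lateral-movement style pairing.
		Admin_Share_Write_Then_Service,
	};

	## "endpoint::operation" pairs to watch. The names assume Zeek's own
	## DCE_RPC::operations table; adjust if your Zeek version differs.
	const service_ops: set[string] = {
		"svcctl::CreateServiceW",
		"svcctl::CreateServiceA",
		"svcctl::StartServiceW",
		"svcctl::StartServiceA",
	} &redef;

	## Share paths treated as administrative (assumption for this example;
	## compared against the upper-cased tree path, e.g. \\10.0.0.5\ADMIN$).
	const admin_share: pattern = /\\(ADMIN\$|C\$)$/ &redef;

	## How long an admin-share write stays relevant for correlation.
	const write_window: interval = 10min &redef;
}

# Originators that recently wrote to an admin share, keyed by source address,
# holding the share path. Entries expire on their own.
global recent_admin_writes: table[addr] of string &create_expire=write_window;

function note_admin_write(c: connection)
	{
	if ( ! c?$smb_state || ! c$smb_state?$current_tree )
		return;

	local tree = c$smb_state$current_tree;
	if ( tree?$path && admin_share in to_upper(tree$path) )
		recent_admin_writes[c$id$orig_h] = tree$path;
	}

event smb1_write_andx_request(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count)
	{
	note_admin_write(c);
	}

event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count)
	{
	note_admin_write(c);
	}

# Negative priority so base/protocols/dce-rpc has already filled in
# c$dce_rpc$endpoint and c$dce_rpc$operation for this request.
event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count) &priority=-5
	{
	if ( ! c?$dce_rpc || ! c$dce_rpc?$endpoint || ! c$dce_rpc?$operation )
		return;

	local op = fmt("%s::%s", c$dce_rpc$endpoint, c$dce_rpc$operation);
	if ( op !in service_ops )
		return;

	local orig = c$id$orig_h;

	if ( orig in recent_admin_writes )
		{
		NOTICE([$note=Admin_Share_Write_Then_Service,
		        $msg=fmt("%s wrote to %s and then called %s on %s",
		                 orig, recent_admin_writes[orig], op, c$id$resp_h),
		        $conn=c,
		        $identifier=cat(orig, c$id$resp_h),
		        $suppress_for=1hr]);
		}
	else
		{
		NOTICE([$note=Remote_Service_Control,
		        $msg=fmt("%s called %s on %s", orig, op, c$id$resp_h),
		        $conn=c,
		        $identifier=cat(orig, c$id$resp_h, op),
		        $suppress_for=1hr]);
		}
	}
```

Run it against a capture with `zeek -r lateral.pcap example_attack.zeek` (file name assumed) and look at notice.log. The $identifier and $suppress_for fields keep a noisy source from producing one notice per RPC call, and the expiring table is the whole correlation state, so the script stays cheap on a busy sensor.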