: Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

Fernandez_Mark_I · March 28, 2019, 1:27pm

Alex,

Is the repository going to be maintain and updated

e.g new attacks and categories techniques ?

To be determined. We may do some small updates in the near future. Contributions from the Zeek community are welcome, and I believe we’ll be able to incorporate community contributions.

Second isn’t possible to detect pth attack throught

bzar_smb.bro ?

Pass-the-Hash (pth) was not in the initial scope of the BZAR work. I think it would be great to add it, but I haven’t done a market survey to see if anyone else has already developed pth detection for Zeek.

Cheers,

Mark

Patrick_Kelley · March 28, 2019, 1:55pm

We’ll try to crack something out around PTH, if nothing exists already. We’ll post it here when done.

We have the pcaps from the lab and live engagements. Should be able to knock that out.

Topic		Replies	Views
Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE Zeek	6	266	May 6, 2022
BZAR (Bro/Zeek ATT&CK-based Analytics and Reporting) Zeek	1	196	May 6, 2022
UPDATE: Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE Zeek	1	92	May 6, 2022
Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE Zeek	2	84	May 6, 2022
BZAR Update - Config Options for Detection, Reporting, and Whitelisting Zeek	1	145	May 6, 2022

: Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

Related Topics