Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE


  • Is the repository going to be maintained and updated, e.g. with new attacks and technique categories?

To be determined. We may do some small updates in the near future. Contributions from the Zeek community are welcome, and I believe we’ll be able to incorporate community contributions.

  • Second, isn’t it possible to detect pth attacks through bzar_smb.bro?

Pass-the-Hash (pth) was not in the initial scope of the BZAR work. I think it would be great to add it, but I haven’t done a market survey to see if anyone else has already developed pth detection for Zeek.
We’ll try to crack something out around PTH, if nothing exists already. We’ll post it here when done.

We have the pcaps from the lab and live engagements. Should be able to knock that out.