How to flag DRSUAPI_REPLICA_ADD signature?

asked 2018-06-28 15:46:07 +0000

Eliott

updated 2018-06-28 15:46:46 +0000


I'm currently working on a way to identify and block the DC Shadow attack with an IDS/IPS.

After some tests I'm able to execute DC Shadow attack and capture the traffic from the client to the Domain Controller. Now I'm trying to identify and extract a generic signature to identify the operation "DRSUAPI-REPLICA-ADD".

At the moment I'm just able to extract the full signature with data so it's just blocking DC Shadow attack with specific parameters.

Do you have any ideas to identify the "DRSUAPI-REPLICA-ADD" itself without the associated data?

Thanks for your help.

1 Answer

answered 2018-06-28 17:47:21 +0000

Jaap

Thanks, but it just allows filtering the "DRSUAPI-REPLICA-ADD" in Wireshark. The purpose is to extract a generic hexadecimal signature to be able to use it with an IPS custom rule.

As I can see, we can identify it with the "Opnum :5" value in the DCE/RPC request. I'm trying to identify a unique generic signature to detect a DCE/RPC request with this specific Opnum value.

Any ideas?

Eliott ( 2018-06-29 10:11:33 +0000 )

Have you looked at the highlighted binary data?

Jaap ( 2018-06-29 11:23:56 +0000 )

Yes, I did. But I can only get the DRSUAPI-REPLICA-ADD with encrypted stub data. The problem is that if I change data within my DC Shadow attack, the encrypted stub data changes, so it's a new signature and it's not detected by the IDS. That's why I'm trying to find a generic signature just to identify the "DRSUAPI-REPLICA-ADD" in a packet.

Do you know how Wireshark is able to detect that the protocol used is DRSUAPI?

Eliott ( 2018-06-29 12:10:59 +0000 )
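For the two comments above, matching on "Opnum: 5" and wanting a signature that survives a change of the (encrypted) stub data, here is an added Python example that is not from the thread or from Wireshark: it reads the DCE/RPC bind to learn which presentation-context id was negotiated for the drsuapi interface, then flags request PDUs carrying that context id and opnum 5 using header fields only, never the stub. The drsuapi and NDR transfer-syntax UUIDs are known values not quoted on the page, and the sample PDUs are constructed for the demonstration.

```python
import struct
import uuid

# drsuapi interface UUID (MS-DRSR, a known value not quoted in the thread);
# DsReplicaAdd is opnum 5 on it, as the thread says.
DRSUAPI_UUID = uuid.UUID("e3514235-4b06-11d1-ab04-00c04fc2dcd2")
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
DSREPLICAADD_OPNUM = 5
PTYPE_REQUEST, PTYPE_BIND = 0, 11

def bind_context_ids_for(pdu, iface):
    """Presentation-context ids a BIND PDU negotiates for interface `iface`."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        return set()
    little = bool(pdu[4] & 0x10)            # packed_drep byte 0: integer byte order
    e = "<" if little else ">"
    n_ctx, off, ids = pdu[24], 28, set()    # contexts follow xmit/recv frag + assoc group
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            break
        ctx_id, n_xfer = struct.unpack_from(e + "HB", pdu, off)
        raw = pdu[off + 4:off + 20]         # abstract syntax UUID (NDR wire order)
        if (uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)) == iface:
            ids.add(ctx_id)
        off += 24 + 20 * n_xfer              # ctx header + abstract syntax, then transfer syntaxes
    return ids

def is_dsreplicaadd_request(pdu, drsuapi_ctx_ids):
    """REQUEST PDU on a drsuapi context with opnum 5; the (encrypted) stub is never inspected."""
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != PTYPE_REQUEST:
        return False
    e = "<" if pdu[4] & 0x10 else ">"
    ctx_id, opnum = struct.unpack_from(e + "HH", pdu, 20)   # p_cont_id, opnum after alloc_hint
    return ctx_id in drsuapi_ctx_ids and opnum == DSREPLICAADD_OPNUM

def _pdu(ptype, body):
    """Constructed CO PDU: v5.0, flags first|last, little-endian drep, auth_length 0, call_id 1."""
    return bytes([5, 0, ptype, 0x03, 0x10, 0, 0, 0]) + struct.pack("<HHI", 16 + len(body), 0, 1) + body

# Constructed sample traffic: one BIND for drsuapi on context 1, then two requests.
SAMPLE_BIND = _pdu(PTYPE_BIND, struct.pack("<HHI", 4280, 4280, 0) + bytes([1, 0, 0, 0])
                   + struct.pack("<HBB", 1, 1, 0) + DRSUAPI_UUID.bytes_le + struct.pack("<I", 4)
                   + NDR_UUID.bytes_le + struct.pack("<I", 2))
SAMPLE_REQ_ADD = _pdu(PTYPE_REQUEST, struct.pack("<IHH", 32, 1, 5) + b"\xaa" * 32)   # opaque stub
SAMPLE_REQ_OTHER = _pdu(PTYPE_REQUEST, struct.pack("<IHH", 32, 1, 3) + b"\xbb" * 32)

if __name__ == "__main__":
    ctx = bind_context_ids_for(SAMPLE_BIND, DRSUAPI_UUID)
    print(ctx, is_dsreplicaadd_request(SAMPLE_REQ_ADD, ctx), is_dsreplicaadd_request(SAMPLE_REQ_OTHER, ctx))
```

A rule built this way has to keep per-connection state from the bind (and any later alter_context) to the requests, because opnum 5 alone is not specific to drsuapi; the opnum is also only present in the first fragment of a multi-fragment request.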

Do you know how Wireshark is able to detect that the protocol used is DRSUAPI?

Without a proper capture file I'm sure I won't.

Jaap ( 2018-06-29 12:51:52 +0000 )

Here is an archive with 2 different packet capture files.

Eliott ( 2018-06-29 14:01:15 +0000 )

