How to flag DRSUAPI_REPLICA_ADD signature ?

asked 2018-06-28 15:46:07 +0000


updated 2018-06-28 15:46:46 +0000

Hi,

I'm currently working on a way to identify and block the DCShadow attack with an IDS/IPS.

After some tests I'm able to execute DC Shadow attack and capture the traffic from the client to the Domain Controller. Now I'm trying to identify and extract a generic signature to identify the operation "DRSUAPI-REPLICA-ADD". https://ibb.co/hf7dAT

At the moment I'm just able to extract the full signature with data so it's just blocking DC Shadow attack with specific parameters.

Do you have any ideas to identify the "DRSUAPI-REPLICA-ADD" itself without the associated data?

Thanks for your help.


1 Answer


answered 2018-06-28 17:47:21 +0000


Comments

Thanks, but that only allows filtering the "DRSUAPI-REPLICA-ADD" in Wireshark. The purpose is to extract a generic hexadecimal signature to be able to use it with an IPS custom rule.

As far as I can see, we can identify it with the "Opnum: 5" value in the DCE/RPC request. I'm trying to identify a unique generic signature to detect a DCE/RPC request with this specific Opnum value. https://ibb.co/inHYCJ

Any ideas ?

Eliott ( 2018-06-29 10:11:33 +0000 )

Have you looked at the highlighted binary data?

Jaap ( 2018-06-29 11:23:56 +0000 )

Yes, I did. But I can only get the DRSUAPI-REPLICA-ADD with encrypted stub data. The problem is that if I change the data within my DCShadow attack, the encrypted stub data changes, so it's a new signature and it's not detected by the IDS. That's why I'm trying to find a generic signature just to identify the "DRSUAPI-REPLICA-ADD" in a packet.

Do you know how Wireshark is able to detect that the protocol used is DRSUAPI?

Eliott ( 2018-06-29 12:10:59 +0000 )

Do you know how Wireshark is able to detect that the protocol used is DRSUAPI?

Without a proper capture file I'm sure I won't.

Jaap ( 2018-06-29 12:51:52 +0000 )

Here is an archive with 2 different packet capture files. https://nofile.io/f/1P4DNYj2qOS/captu...

Eliott ( 2018-06-29 14:01:15 +0000 )

If you take the first capture and filter on dcerpc.cn_ctx_id == 0, you'll see in packet 428 a Context being created, with ID 0, which is mapped to DRSUAPI. So when the DCERPC packet in packet 449 comes by, it's in that protocol. The Opnum 5 is then DRSUAPI_REPLICA_ADD.

At least that is how I read it, a DCERPC protocol specialist may point out other relevant details. In short, there seems to be a context created, something that may not be possible in your setup.

Jaap ( 2018-06-29 21:52:08 +0000 )

Thanks I'll try to explore this way to see if I'm able to follow the TCP stream from the creation of the context to the DRSUAPI_REPLICA_ADD request and then block it.

By the way, do you know how could I identify DCE/RPC protocol in a TCP packet ?

Eliott ( 2018-07-02 09:06:21 +0000 )

Well, the DCERPC dissector uses a function called is_dcerpc(), which:

  1. Checks that there are enough bytes in the stream to contain the common header (whatever that may be)
  2. Checks that the first byte indicates 5 (major version)
  3. Checks that the second byte indicates 0 or 1 (minor version)
  4. Checks that the third byte is less than the RTS PDU type

Jaap ( 2018-07-02 12:20:49 +0000 )
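The two comments above together describe what a stateful detector needs: the header heuristic that tells "this is DCE/RPC", and the bind (or alter_context) that maps a presentation-context ID to the DRSUAPI interface, after which opnum 5 on that context is DsReplicaAdd. The point that matters for the original question is that with packet-privacy authentication only the stub data is encrypted; the 16-byte common header, the context ID and the opnum stay in cleartext, so they can be matched without caring about the stub. The following is an added example written for this page, not code from Wireshark or from the thread; the DRSUAPI interface UUID e3514235-4b06-11d1-ab04-00c04fc2dcd2 and the PDU layouts come from MS-RPCE / MS-DRSR, and the sample PDUs are constructed inline rather than taken from the poster's captures.

```python
"""Stateful DRSUAPI_REPLICA_ADD (DsReplicaAdd, opnum 5) detector for raw
DCE/RPC-over-TCP PDUs.  Added example for this thread; not Wireshark code.
Step 1 is the is_dcerpc() heuristic described in the comments, step 2 is
tracking which context IDs a bind/alter_context mapped to DRSUAPI."""
import struct
import uuid

DRSUAPI_UUID = uuid.UUID("e3514235-4b06-11d1-ab04-00c04fc2dcd2")  # MS-DRSR drsuapi
NDR32_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")    # transfer syntax
OPNUM_DRSUAPI_REPLICA_ADD = 5

PDU_REQUEST, PDU_BIND, PDU_ALTER_CONTEXT, PDU_RTS = 0, 11, 14, 20  # RTS: MS-RPCH
COMMON_HDR_LEN = 16


def is_dcerpc(buf: bytes) -> bool:
    """The four checks the thread attributes to Wireshark's is_dcerpc()."""
    return (len(buf) >= COMMON_HDR_LEN      # 1. room for the common header
            and buf[0] == 5                 # 2. rpc_vers
            and buf[1] in (0, 1)            # 3. rpc_vers_minor
            and buf[2] <= PDU_RTS)          # 4. ptype not past RTS


def _endian(buf: bytes) -> str:
    # packed_drep byte 0, bit 0x10 set => little-endian integers/UUIDs
    return "<" if buf[4] & 0x10 else ">"


def parse_contexts(buf: bytes) -> dict:
    """ctx_id -> abstract-syntax UUID from a bind or alter_context PDU.
    After the header: max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3),
    then per context: ctx_id(2) n_ts(1) pad(1) uuid(16) ver(4) n_ts*(uuid+ver)."""
    e = _endian(buf)
    n_ctx, off, ctx = buf[24], 28, {}
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from(e + "HB", buf, off)
        raw = buf[off + 4:off + 20]
        ctx[ctx_id] = uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw)
        off += 24 + 20 * n_ts
    return ctx


class DrsuapiReplicaAddDetector:
    """Per-TCP-stream state: the set of context IDs currently bound to DRSUAPI."""

    def __init__(self):
        self.drsuapi_ctx = set()

    def feed(self, pdu: bytes) -> bool:
        """True if this PDU is a DRSUAPI request with opnum 5, whatever the stub."""
        if not is_dcerpc(pdu):
            return False
        ptype = pdu[2]
        if ptype in (PDU_BIND, PDU_ALTER_CONTEXT):
            for ctx_id, iface in parse_contexts(pdu).items():
                (self.drsuapi_ctx.add if iface == DRSUAPI_UUID
                 else self.drsuapi_ctx.discard)(ctx_id)
            return False
        if ptype != PDU_REQUEST or len(pdu) < 24:
            return False
        # request body: alloc_hint(4) p_cont_id(2) opnum(2) [stub...] -> header only
        ctx_id, opnum = struct.unpack_from(_endian(pdu) + "HH", pdu, 20)
        return ctx_id in self.drsuapi_ctx and opnum == OPNUM_DRSUAPI_REPLICA_ADD


# --- constructed sample PDUs (not captured traffic) --------------------------
def _hdr(ptype: int, frag_len: int, call_id: int) -> bytes:
    # rpc_vers 5, minor 0, ptype, pfc_flags FIRST|LAST, drep little-endian
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                       frag_len, 0, call_id)


def build_bind(ctx_map: dict, ptype: int = PDU_BIND, call_id: int = 1) -> bytes:
    body = struct.pack("<HHIB3x", 5840, 5840, 0, len(ctx_map))
    for ctx_id, iface in ctx_map.items():
        body += struct.pack("<HBx", ctx_id, 1) + iface.bytes_le + struct.pack("<I", 4)
        body += NDR32_UUID.bytes_le + struct.pack("<I", 2)
    return _hdr(ptype, COMMON_HDR_LEN + len(body), call_id) + body


def build_request(ctx_id: int, opnum: int, stub: bytes, call_id: int = 2) -> bytes:
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return _hdr(PDU_REQUEST, COMMON_HDR_LEN + len(body), call_id) + body


def demo() -> list:
    """Bind ctx 0 -> DRSUAPI, then requests with differing stubs; return verdicts."""
    det = DrsuapiReplicaAddDetector()
    stream = [
        build_bind({0: DRSUAPI_UUID}),
        build_request(0, 5, b"\x00" * 40),   # DsReplicaAdd, one stub
        build_request(0, 5, b"\xff" * 77),   # same opnum, different (encrypted) stub
        build_request(0, 3, b"\x00" * 40),   # another DRSUAPI opnum: no alert
        build_request(1, 5, b"\x00" * 40),   # opnum 5 on an unbound context: no alert
    ]
    return [det.feed(p) for p in stream]


if __name__ == "__main__":
    print(demo())  # [False, True, True, False, False]
```

Two caveats for turning this into an IPS rule: the detector has to be keyed per TCP stream and must also honour the bind_ack (a rejected context never becomes DRSUAPI), and DRSUAPI normally lives on a dynamic port learned from the endpoint mapper, so the rule cannot be pinned to a fixed destination port. Snort and Suricata already do this bind tracking in their DCE/RPC preprocessor; the rule body `dce_iface:e3514235-4b06-11d1-ab04-00c04fc2dcd2; dce_opnum:5;` expresses the same match without any stub bytes.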

Thanks, I'm going to try to detect DCE/RPC by identifying those values.

Eliott ( 2018-07-02 14:14:31 +0000 )
