
How to flag a DRSUAPI_REPLICA_ADD signature?

Hi,

I'm currently working on a way to identify and block the DC Shadow attack with an IDS/IPS.

After some tests I'm able to execute the DC Shadow attack and capture the traffic from the client to the Domain Controller. Now I'm trying to identify and extract a generic signature to identify the operation "DRSUAPI-REPLICA-ADD". https://ibb.co/hf7dAT

At the moment I'm just able to extract the full signature with data, so it's just blocking the DC Shadow attack with specific parameters.

Do you have any ideas to identify the "DRSUAPI-REPLICA-ADD" itself without the associated data?

Thanks for your help.

Eliott
asked 2018-06-28 15:46:07 +0000, updated 2018-06-28 15:46:46 +0000

1 Answer

Jaap
answered 2018-06-28 17:47:21 +0000

Comments

Thanks, but it just allows filtering the "DRSUAPI-REPLICA-ADD" in Wireshark. The purpose is to extract a generic hexadecimal signature to be able to use it with an IPS custom rule.

As I can see, we can identify it with the "Opnum :5" value in the DCE/RPC request. I'm trying to identify a unique generic signature to detect a DCE/RPC request with this specific Opnum value. https://ibb.co/inHYCJ

Any ideas?

Eliott (2018-06-29 10:11:33 +0000)

Have you looked at the highlighted binary data?

Jaap (2018-06-29 11:23:56 +0000)

Yes I did. But I can only get the DRSUAPI-REPLICA-ADD with encrypted stub data. The problem is that if I change the data within my DC Shadow attack, the encrypted stub data changes, so it's a new signature and it's not detected by the IDS. That's why I'm trying to find a generic signature just to identify the "DRSUAPI-REPLICA-ADD" in a packet.

Do you know how Wireshark is able to detect that the protocol used is DRSUAPI?

Eliott (2018-06-29 12:10:59 +0000)

Do you know how Wireshark is able to detect that the protocol used is DRSUAPI?

Without a proper capture file I'm sure I won't.

Jaap (2018-06-29 12:51:52 +0000)

Here is an archive with two different packet capture files. https://nofile.io/f/1P4DNYj2qOS/captu...

Eliott (2018-06-29 14:01:15 +0000)
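To make the header-level signature discussed above concrete, here is an added Python example (not from the thread, not Wireshark's dissector) that learns which presentation context was bound to the DRSUAPI interface from the DCE/RPC bind PDU and then flags request PDUs carrying opnum 5 on that context, whatever the stub bytes are. It assumes PDUs are already reassembled per connection; the sample PDUs are constructed here, and the DRSUAPI and NDR32 interface UUIDs are the standard published values rather than anything taken from the captures.

```python
import struct
import uuid
# DRSUAPI interface UUID and the opnum the thread identifies for DRSUAPI_REPLICA_ADD;
# both sit in the clear DCE/RPC header even when packet privacy encrypts the stub data.
DRSUAPI_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"
NDR32_UUID = "8a885d04-1ceb-11c9-9fe8-08002b104860"
OPNUM_REPLICA_ADD, PTYPE_REQUEST, PTYPE_BIND = 5, 0, 11

def _endian(pdu):
    return "<" if pdu[4] & 0x10 else ">"      # packed_drep bit 0x10: little-endian integers

def bind_contexts(pdu):
    """Map presentation context id -> abstract interface UUID from a bind PDU."""
    e, ctx, off = _endian(pdu), {}, 28
    for _ in range(pdu[24]):                   # n_context_elem
        cont_id, n_ts = struct.unpack_from(e + "HB", pdu, off)
        raw = pdu[off + 4:off + 20]
        ctx[cont_id] = str(uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw))
        off += 24 + 20 * n_ts                  # element (24) + its transfer syntaxes (20 each)
    return ctx

def inspect_pdu(pdu, contexts):
    """True if pdu is a request for opnum 5 on a context bound to DRSUAPI; learns binds."""
    if len(pdu) < 24 or pdu[0] != 5:           # need a full request header and rpc_vers 5
        return False
    if pdu[2] == PTYPE_BIND:
        contexts.update(bind_contexts(pdu))
        return False
    cont_id, opnum = struct.unpack_from(_endian(pdu) + "HH", pdu, 20)
    return (pdu[2] == PTYPE_REQUEST and contexts.get(cont_id) == DRSUAPI_UUID
            and opnum == OPNUM_REPLICA_ADD)

# --- constructed sample traffic, not taken from the thread's capture files ---
def _hdr(ptype, body_len, call_id):            # vers 5.0, first|last frag, LE drep, no auth
    return struct.pack("<BBBBIHHI", 5, 0, ptype, 0x03, 0x10, 16 + body_len, 0, call_id)
def make_bind(cont_id, iface):                 # one context: iface v4.0 over NDR32
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1) + struct.pack("<HBx", cont_id, 1)
    body += uuid.UUID(iface).bytes_le + struct.pack("<HH", 4, 0)
    body += uuid.UUID(NDR32_UUID).bytes_le + struct.pack("<I", 2)
    return _hdr(PTYPE_BIND, len(body), 1) + body

def make_request(cont_id, opnum, stub):        # stub stands in for the (encrypted) stub data
    body = struct.pack("<IHH", len(stub), cont_id, opnum) + stub
    return _hdr(PTYPE_REQUEST, len(body), 2) + body

SAMPLE = [make_bind(0, DRSUAPI_UUID),
          make_request(0, 3, b"\x00" * 32),                  # opnum 3 on DRSUAPI: not flagged
          make_request(0, OPNUM_REPLICA_ADD, b"\xaa" * 40),
          make_request(0, OPNUM_REPLICA_ADD, b"\xbb" * 64)]  # different stub, still flagged
```

A real deployment would also take the accepted contexts from the bind_ack and handle the optional object UUID that a request with pfc_flags 0x80 inserts before the stub; an IPS rule that only matches bytes at a fixed offset cannot track the bind, so it needs the interface UUID in the bind and the opnum in the request as two correlated matches.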