Who Stole the Szechuan Sauce? - Part 2

In part one, we looked at the technical setup needed to approach this kind of analysis. This time, we are going to walk through the investigation itself, with a question that is a bit more serious than it sounds: did an attacker manage to steal the secret of the famous Szechuan sauce? ...

February 27, 2026 · NobisD

Who Stole the Szechuan Sauce? - Part 1

This is serious: someone may have stolen the secret of Szechuan sauce - a millennia-old mystery, very well kept. What does it taste like? I have no idea, but we’ve been tasked with finding out whether that secret was compromised or not. Let’s put ourselves in the shoes of a detective for this investigation. One constraint for us: we’ll use only the network capture to conduct our investigation. In this article we’ll see how crucial network observation is for understanding an attack, and we’ll learn how to extract and load data with Zeek and Python. ...

February 20, 2026 · NobisD

RPC backdoor: implementing and detecting a backdoor

DCE/RPC (Distributed Computing Environment / Remote Procedure Call) is a protocol that is often used in the enterprise. And with good reason: it’s at the heart of Active Directory and Microsoft environments. The extensions added by Microsoft form MSRPC. How DCE/RPC works: note that there are other well-known remote procedure call systems, such as gRPC (Google’s implementation), which is based on a modern stack (HTTP/2 + Protobuf). ...

January 22, 2026 · NobisD