From 13960a98ad3c7f441d87d593eff0234fe786808a Mon Sep 17 00:00:00 2001
From: FOX-DS
Date: Tue, 14 Sep 2021 02:59:04 -0400
Subject: [PATCH 1/2] Fix protocol forwarding in dce_rpc-auth

---
 .../protocol/dce-rpc/dce_rpc-auth.pac | 25 +++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac
index d413abd39e..e2c094186a 100644
--- a/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac
+++ b/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac
@@ -6,11 +6,13 @@ refine connection DCE_RPC_Conn += {
 	%member{
 	zeek::analyzer::Analyzer *gssapi;
 	zeek::analyzer::Analyzer *ntlm;
+	zeek::analyzer::Analyzer *krb;
 	%}
 
 	%init{
 	ntlm = 0;
 	gssapi = 0;
+	krb = 0;
 	%}
 
 	%cleanup{
@@ -24,24 +26,43 @@ refine connection DCE_RPC_Conn += {
 		ntlm->Done();
 		delete ntlm;
 		}
+	if ( krb )
+		{
+		krb->Done();
+		delete krb;
+		}
+
 	%}
 
 	function forward_auth(auth: DCE_RPC_Auth, is_orig: bool): bool
 		%{
-		switch ( ${auth.type} )
+		switch ( ${auth.type} ) // https://social.msdn.microsoft.com/Forums/en-US/44212c32-a4f6-4960-8799-0e00821650f4/msrpc-and-dcerpc-security?forum=os_windowsprotocols
 			{
 			case 0x09:
 				if ( ! gssapi )
-					gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", zeek_analyzer()->Conn());
+					gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("GSSAPI", zeek_analyzer()->Conn());
 				if ( gssapi )
 					gssapi->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
 				break;
+			case 0x10:
+				if ( ! krb )
+					krb = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", zeek_analyzer()->Conn());
+				if ( krb )
+					krb->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
+				break;
+
 			case 0x0a:
 				if ( ! ntlm )
 					ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", zeek_analyzer()->Conn());
 				if ( ntlm )
 					ntlm->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
 				break;
+			case 0x44:
+				zeek_analyzer()->Weird("netlogon_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type}));
+				break;
+			case 0x0E:
+				zeek_analyzer()->Weird("tls_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type}));
+				break;
 			default:
 				zeek_analyzer()->Weird("unknown_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type}));
 				break;
From fef4531f78a65fd3f08ac38bac7278d5abef1ad1 Mon Sep 17 00:00:00 2001
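Review bot: The new `case 0x44` and `case 0x0E` branches raise a Weird for auth types that MS-RPCE lists as ordinary security providers (RPC_C_AUTHN_NETLOGON = 0x44, RPC_C_AUTHN_GSS_SCHANNEL = 0x0E), so on a domain network every Netlogon secure-channel auth trailer would, subject to weird sampling, add a `netlogon_dce_rpc_auth_type` entry to weird.log and dilute the `unknown_dce_rpc_auth_type` signal that is actually worth an analyst's attention. If the intent is merely "recognised, nothing to forward to", a silent `break;` with a comment such as `// RPC_C_AUTHN_NETLOGON: secure-channel auth blob, no analyzer to hand it to` is enough, and the same holds for the 0x0E branch. The forum URL appended to the `switch` line would be more durable as a comment naming the provider constants, e.g. `// MS-RPCE security providers: 0x09 GSS_NEGOTIATE, 0x0a WINNT (NTLM), 0x0e GSS_SCHANNEL, 0x10 GSS_KERBEROS, 0x44 NETLOGON`. The body of forward_auth continues past the hunk, so its return path is not visible here.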
From: FOX-DS
Date: Tue, 14 Sep 2021 02:59:04 -0400
Subject: [PATCH 2/2] Fix protocol forwarding in dce_rpc-auth

---
 .../dce_rpc.log | 11 +++++++++++
 .../weird.log | 11 +++++++++++
 .../ntlm.log | 11 +++++++++++
 .../btest/Traces/dce-rpc/dce_rpc_netlogon.pcap | Bin 0 -> 3340 bytes
 testing/btest/Traces/dce-rpc/dce_rpc_ntlm.pcap | Bin 0 -> 2644 bytes
 .../base/protocols/dce-rpc/dce_rpc_netlogon.zeek | 7 +++++++
 .../base/protocols/dce-rpc/dce_rpc_ntlm.zeek | 5 +++++
 7 files changed, 45 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/dce_rpc.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/weird.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_ntlm/ntlm.log
 create mode 100644 testing/btest/Traces/dce-rpc/dce_rpc_netlogon.pcap
 create mode 100644 testing/btest/Traces/dce-rpc/dce_rpc_ntlm.pcap
 create mode 100644 testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_netlogon.zeek
 create mode 100644 testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_ntlm.zeek

diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/dce_rpc.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/dce_rpc.log
new file mode 100644
index 0000000000..d4feda9392
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/dce_rpc.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dce_rpc
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p rtt named_pipe endpoint operation
+#types time string addr port addr port interval string string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.10.10.121 58774 10.10.10.100 49676 0.000758 49676 netlogon NetrLogonSamLogonWithFlags
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/weird.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/weird.log
new file mode 100644
index 0000000000..97fcc0b7e9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_netlogon/weird.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
+#types time string addr port addr port string string bool string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.10.10.121 58774 10.10.10.100 49676 netlogon_dce_rpc_auth_type 68 F zeek DCE_RPC
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_ntlm/ntlm.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_ntlm/ntlm.log
new file mode 100644
index 0000000000..cb6a77ebf5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce_rpc_ntlm/ntlm.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ntlm
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username hostname domainname server_nb_computer_name server_dns_computer_name server_tree_name success
+#types time string addr port addr port string string string string string string bool
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.10.10.121 58772 10.10.10.120 54784 - - - CBTH-WS-2 CBTH-WS-2.blackclover.local blackclover.local -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/dce-rpc/dce_rpc_netlogon.pcap b/testing/btest/Traces/dce-rpc/dce_rpc_netlogon.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3de5d2c9836e3a0cf6c426b5ae75a9e493a899b9 GIT binary patch literal 3340 zcmb7Hc{r478-Fpx7-bnUwnivMqcIDEk!6gfp(IR7VvJ=NCX;8`BM4W|XI9fe~9q5hT zy_-hV!fOBmfEu7f#4_1|Xa?J##SJ-x*2baLwe@g%8e7oJAU21E)+Q5l2%tY0fCtQi z{0_Ri9Ym`$*gTIz-flc!4KzWEs6|Ap2d|7+9M;R7K=9Nd;B?%XOwh%O)Pp?~^ZC^g zvc?bEb2jq`X1jYh@31vL5TQ*a5OmE*+E`sYnTRElO-!+R1amVi&O}?+R9lybCsR$M z05E1Lz|`7=N~c=ybfno~chKw^JMHLz2 zkXL|4XgpD-0|<>xiT8y88o-C3AdP_|LT4u6aCjKlSmT+E2yxO2%CK5J%vKi0p8x{@ zK|pkkIB0DQpn#bIK$lFH3}jsZ>cB`t9f^`e$&PCu0X`L)SLZV19Jc>>(v(7*#KlQr zKvUe(6*|ZFFS-Q5fPg!7x>mJs&I zbahrR z4pO9{yiUdZ@0}PzgSo{*cOp+3$_o&H?t~?byb}EwSP(t{3z%?G@7Wybb}3n5V;_x3 z@5?r6_7SZ&wVOWFM(#@US&Lz@THeWLTqu%Zzx_aIbh!AIs2;y%?RTH)C24`pg4{{D zUa@BdVrN~iCJg9oRxI2SKOZN}GnJ^z%Lw288@DOa|JZ!WuEfZ-gXWvps1-+@`u_Ov zno50M9@7u*L+E&y?)#-zAmVGJh+2Ecbdu`nzHm;gstrE>Ug{#2-AKvX^>kY3@_~e= zZ+tJVb}-A9tgUWujH|vaomLz>MIMG^-EPOQsHXJDA~Y>JACvgVa3t@+81kpTL-Q^i9a0a{4Jn; z>kU6d>%D4&r%1ET4tz_ST`H}P@|^tn&O?`%_9MZ!oICS-?eY$Z>~$ARev*70R!K$P zxj3z|J!Hdx?- zN1htrj;(jwbhjLJ^Q9e2Imzph<#5vIw5AK}%H-?8+ujWQ@KI(w=c~MYILfFxh3@C8 z#u8weX%;b920q^zw>p}{N=4_^cC_V4F%;Up4Do*HwD7oa)$50FVHUY0ztGJYGwMdZ z=8aNDjk`E0o?21wj~BYQT-_jA>7CuYNB&~3&Kk>hA zd|z+VZEi&+0>wGAYhwj3yu}djI?sMeGooVlbl+=MQn(`4)Kfm>$0Ljs&38YIT#Qce z`WU#jxX3^Hf}DEn<#;ztVr6+APK3k>{;Fs|6CHM&3h>~nY`b02g&X^D+uLu?mC@Ma z3zV0q9FAI?tJ6yD$F4uqxL;N&_kyl>M##YiE9JZ4IWfBuG3C9dzmXO@ty$Zqd}NAd zw}zD=@^P|M$!*cwJyRbpeAy8kir2Wqr1ncwHH4`!rdTFMXriQg`Rv-mweMOJYU<@C zLq_m+LSiOI^^`7OtHhcKAs|u#zhiRXR~!I12b?}Gj09z);LZ)1uj3v!4WY_y`2zEb zsKR`HO;W{CDK~O8@|vb8Ywnk?!T2=&R8|hK{yF+hyYR|YT-;#?y7JnpLKIg&gz~_jdC8ySaIsTYOI|ESpC5?pruVqz( zzsn7j#Q(rN?X$5tf2ERU_(u?}K4@M!QX%?i#0DLB*|Pp15_{s^CRlUG9g?uD>)yFk zOQ239L4T{%{I}2vfxxd8x~}1mgjB1AHw9jDl`P?XX8hy1Rhg6@ zqngv6?``DkasnAqG1t>>#Wpr?qErtgD;}#v3^ex)7%h6@`8$kGnbJ$vBPY%#D!8B+ z&7bOCZaK~r&ENl}`h4Y$6H~9|O{eM1O8^+c*?D$me+Bt6C46mvdbP 
z3;N0mcff7-Rn3%ecXcnxIv5j=*dJB=Zu`_`LC|RNme+2I^GO5RC4;V0lF3`DIfFr4 zi{&1>^*G2>ecIfb5OtNN;Nz2R;ra|S6D+vDrP8+a-RP??QPmwAigfoD&U46HF#7Ko zk&?)TxaWkonz2W8&oyk)jZ9^ZB%oTmk22h%Aih&Kg#3FmGGQUCwuEP z;I5@sYa@n65mDA6V;4^6^WWcE71V82s~6{nPYBMTwXynwF?qmDPs(p~FLGPwi;X2; zEhQH3uujc%H7s$KJ}DkHe)fu0e99T-#|s5|?y9W!`LEt}X4di=gqxO3sF(WcUmsV` zm%1T(9Zki2wDh10%-h;uFlnzWXN?J z?mNkPXzk!^di#hlJ*N6`gh^`V#4`@Ukye)bW_sh;e0oo*t&M@m>oP^=@#|Mq(#Q^)&?{97NV-z9*F@nnn!<6zH#n+z%H^^gIZaQg~V9o zxvr{MJlh3XRauHz#znU;RJZq&HM(1EB}GnVi*vZ0?~}4x#8eZMa*PjTi<8#5C3xNm z{IXmvaiv}8>7{J}uF7-g4)sOUrCmJhU{fkOSwHB7{ot{2(km%d(Y9YP=E vaf8_`4;GpkhGzZzk>Ce}SKd|!R6=?MR_Ac=91NWAgr0t&2!iv!3*_TJ=rQq~ literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/dce-rpc/dce_rpc_ntlm.pcap b/testing/btest/Traces/dce-rpc/dce_rpc_ntlm.pcap new file mode 100644 index 0000000000000000000000000000000000000000..fc5574256b799f93e829d1d295b21e3d058b8841 GIT binary patch literal 2644 zcmdUxeP~lx6u{4Wc}d%}U1Jk#t!{g@b0*e=myb3H7BNZF4_edEv`vLNnqkJLl!4W+j6DxpTSq z-1~CRx#zs!xk;48#mXrFSW{PB!JvL32@6(e9!Q3x+IAi9ip9g)jx{Pc)x61I5gMD`;k8>M$&I|v=e8J3I*`FqsI}<(B1zsK83@I;CU~R3YmIinu3N$P zZHYufywPT^HRE|4n4o@3|K?y|Gq3eW;^D-`Kzx&qHybPl3$Gm#wO-I~2%61r)|!Rd zU|$~|A<7hv6!TF@lQ$Oq_0)%lBEfKv$J?-e*yu8wt@SlVz13v1=q)yfQ*Spn)awO@ z(dsl>Ehd}GxdSj}H8@)xt`=8oTbH|C?{Rnd+uB>808db$|DqSj3Ac+ek==d@5T*OF z94bmQGjHLVIuz+%-}4QQrz#iZgBzHhsxzx$Cz>dg%D1s^n})mNYB+GobF(w-E$7(f zJ^(os=Bd!w!tBRP0dADtC_{zOlQ7_tPMZ?f&_Ie?w|npX#oy06b}t{QRZYEQ$2?=N zSw1*;@v^mf*TS>6|2X17tKI3d(O3Hl_Y7Wms06j;5zd+{G~|E6cv3csf@eZ{`|%-3lezq&Lbq5Nal5EF+)9 zL3O-BD5urV$$3J_qGCs=KQa(WB;$c(EPkSRQDGL!Gy`JMBgU3y(S|JQa7{f;0mmOJ zTZjc{hp!Tgu9uNRhxK#k36HA%d4vt>mK zDV!`No3+Y%h|>(S$@zkMLZ)P7lSSDia0lf^IX=QpLOF73&CGS2Q^y?tQ_FCr>TIrB zKKK~(d_=XZyFfXaPHwtcwpEJw3*Wem>aF)s239aA&7qnn+g*NEIvTsKWWsv(521;?K6FQ&? z^xy{{jwaw>3G_h}0uY2v*rO1GAqYbp4B|Y9pG2|jYIE2cp2Jf9T>kSQAI|CW>im^6 z>Gw$7h@VROYNC2gzN(q|9p4i5x%JBaTy-v2y^ihm-1M)-dWGugr}cWC-N0t}(YsBb z`TXC#PkFLIA;qqjc(P6|#jeWmq{z#$eS~^DvzSC)0} zIrYhYVQJp`D~lT@0#^ri-CXx%hY~r>l>)p)x!LsK{d^XkjF<5@KK#sg@cM-ZWB2df z`0eB`CrUXLz5egMT=v0V2KJ$}kM05eFh`{|-3R68gSQx146fJ~{FfI`@SEeYp-3nk l;`_Goq4Xaz7Sp7?>#Md-%cMEkaX4?Iw}2wYdA86Q{{qVT@i+hg literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_netlogon.zeek b/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_netlogon.zeek new file mode 100644 index 0000000000..03560c31e1 --- /dev/null +++ b/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_netlogon.zeek 
@@ -0,0 +1,7 @@
+# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/dce_rpc_netlogon.pcap %INPUT
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: btest-diff dce_rpc.log
+
+@load base/protocols/dce-rpc
+@load base/protocols/ntlm
+@load base/frameworks/notice/weird
diff --git a/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_ntlm.zeek b/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_ntlm.zeek
new file mode 100644
index 0000000000..6188eb10bb
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dce-rpc/dce_rpc_ntlm.zeek
@@ -0,0 +1,5 @@
+# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/dce_rpc_ntlm.pcap %INPUT
+# @TEST-EXEC: btest-diff ntlm.log
+
+@load base/protocols/dce-rpc
+@load base/protocols/ntlm