Merge branch 'attack_execution_api' into attack_file_copy
# Conflicts: # monkey/monkey_island/cc/services/attack/attack_report.py # monkey/monkey_island/cc/services/attack/technique_reports/__init__.py # monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js
This commit is contained in:
commit
3d0c564994
|
@ -14,6 +14,8 @@ from infection_monkey.config import WormConfiguration
|
|||
from infection_monkey.exploit.tools.helpers import build_monkey_commandline_explicitly
|
||||
from infection_monkey.model import MONKEY_CMDLINE_WINDOWS, MONKEY_CMDLINE_LINUX, GENERAL_CMDLINE_LINUX
|
||||
from infection_monkey.system_info import SystemInfoCollector, OperatingSystem
|
||||
from infection_monkey.telemetry.attack.t1106_telem import T1106Telem
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
|
||||
if "win32" == sys.platform:
|
||||
from win32process import DETACHED_PROCESS
|
||||
|
@ -156,5 +158,7 @@ class MonkeyDrops(object):
|
|||
else:
|
||||
LOG.debug("Dropper source file '%s' is marked for deletion on next boot",
|
||||
self._config['source_path'])
|
||||
T1106Telem(ScanStatus.USED, "WinAPI was used to mark monkey files"
|
||||
" for deletion on next boot.").send()
|
||||
except AttributeError:
|
||||
LOG.error("Invalid configuration options. Failing")
|
||||
|
|
|
@ -10,6 +10,8 @@ from infection_monkey.model import MONKEY_CMDLINE_DETACHED_WINDOWS, DROPPER_CMDL
|
|||
from infection_monkey.network import SMBFinger
|
||||
from infection_monkey.network.tools import check_tcp_port
|
||||
from common.utils.exploit_enum import ExploitType
|
||||
from infection_monkey.telemetry.attack.t1035_telem import T1035Telem
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
|
||||
LOG = getLogger(__name__)
|
||||
|
||||
|
@ -129,10 +131,12 @@ class SmbExploiter(HostExploiter):
|
|||
resp = scmr.hRCreateServiceW(scmr_rpc, sc_handle, self._config.smb_service_name, self._config.smb_service_name,
|
||||
lpBinaryPathName=cmdline)
|
||||
service = resp['lpServiceHandle']
|
||||
|
||||
try:
|
||||
scmr.hRStartServiceW(scmr_rpc, service)
|
||||
T1035Telem(ScanStatus.USED, "SMB exploiter ran the monkey by creating a service via MS-SCMR.").send()
|
||||
except:
|
||||
T1035Telem(ScanStatus.SCANNED,
|
||||
"SMB exploiter failed to run the monkey by creating a service via MS-SCMR.").send()
|
||||
pass
|
||||
scmr.hRDeleteService(scmr_rpc, service)
|
||||
scmr.hRCloseServiceHandle(scmr_rpc, service)
|
||||
|
|
|
@ -38,7 +38,7 @@ class WebLogicExploiter(HostExploiter):
|
|||
_TARGET_OS_TYPE = ['linux', 'windows']
|
||||
_EXPLOITED_SERVICE = 'Weblogic'
|
||||
|
||||
def exploit_host(self):
|
||||
def _exploit_host(self):
|
||||
exploiters = [WebLogic20192725, WebLogic201710271]
|
||||
for exploiter in exploiters:
|
||||
if exploiter(self.host).exploit_host():
|
||||
|
|
|
@ -16,6 +16,7 @@ from infection_monkey.network.network_scanner import NetworkScanner
|
|||
from infection_monkey.system_info import SystemInfoCollector
|
||||
from infection_monkey.system_singleton import SystemSingleton
|
||||
from infection_monkey.telemetry.attack.victim_host_telem import VictimHostTelem
|
||||
from infection_monkey.telemetry.attack.t1107_telem import T1107Telem
|
||||
from infection_monkey.telemetry.scan_telem import ScanTelem
|
||||
from infection_monkey.telemetry.state_telem import StateTelem
|
||||
from infection_monkey.telemetry.system_info_telem import SystemInfoTelem
|
||||
|
@ -178,8 +179,11 @@ class InfectionMonkey(object):
|
|||
if monkey_tunnel:
|
||||
monkey_tunnel.set_tunnel_for_host(machine)
|
||||
if self._default_server:
|
||||
machine.set_default_server(get_interface_to_target(machine.ip_addr) +
|
||||
(':'+self._default_server_port if self._default_server_port else ''))
|
||||
if self._network.on_island(self._default_server):
|
||||
machine.set_default_server(get_interface_to_target(machine.ip_addr) +
|
||||
(':'+self._default_server_port if self._default_server_port else ''))
|
||||
else:
|
||||
machine.set_default_server(self._default_server)
|
||||
LOG.debug("Default server: %s set to machine: %r" % (self._default_server, machine))
|
||||
|
||||
# Order exploits according to their type
|
||||
|
@ -233,7 +237,6 @@ class InfectionMonkey(object):
|
|||
self.send_log()
|
||||
self._singleton.unlock()
|
||||
|
||||
utils.remove_monkey_dir()
|
||||
InfectionMonkey.self_delete()
|
||||
LOG.info("Monkey is shutting down")
|
||||
|
||||
|
@ -246,6 +249,9 @@ class InfectionMonkey(object):
|
|||
|
||||
@staticmethod
|
||||
def self_delete():
|
||||
status = ScanStatus.USED if utils.remove_monkey_dir() else ScanStatus.SCANNED
|
||||
T1107Telem(status, utils.get_monkey_dir_path()).send()
|
||||
|
||||
if WormConfiguration.self_delete_in_cleanup \
|
||||
and -1 == sys.executable.find('python'):
|
||||
try:
|
||||
|
@ -259,8 +265,10 @@ class InfectionMonkey(object):
|
|||
close_fds=True, startupinfo=startupinfo)
|
||||
else:
|
||||
os.remove(sys.executable)
|
||||
T1107Telem(ScanStatus.USED, sys.executable).send()
|
||||
except Exception as exc:
|
||||
LOG.error("Exception in self delete: %s", exc)
|
||||
T1107Telem(ScanStatus.SCANNED, sys.executable).send()
|
||||
|
||||
def send_log(self):
|
||||
monkey_log_path = utils.get_monkey_log_path()
|
||||
|
|
|
@ -118,3 +118,6 @@ class NetworkScanner(object):
|
|||
if NetworkRange.get_range_obj(subnet_str).is_in_range(ip_address):
|
||||
return True
|
||||
return False
|
||||
|
||||
def on_island(self, server):
|
||||
return bool([x for x in self._ip_addresses if x in server])
|
||||
|
|
|
@ -5,7 +5,9 @@ import socket
|
|||
import zipfile
|
||||
|
||||
import infection_monkey.config
|
||||
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from infection_monkey.telemetry.attack.t1129_telem import T1129Telem
|
||||
from infection_monkey.telemetry.attack.t1106_telem import T1106Telem
|
||||
from infection_monkey.pyinstaller_utils import get_binary_file_path, get_binaries_dir_path
|
||||
|
||||
__author__ = 'itay.mizeretz'
|
||||
|
@ -45,12 +47,16 @@ class MimikatzCollector(object):
|
|||
collect_proto = ctypes.WINFUNCTYPE(ctypes.c_int)
|
||||
get_proto = ctypes.WINFUNCTYPE(MimikatzCollector.LogonData)
|
||||
get_text_output_proto = ctypes.WINFUNCTYPE(ctypes.c_wchar_p)
|
||||
T1106Telem(ScanStatus.USED, "WinAPI was called to load mimikatz.").send()
|
||||
self._collect = collect_proto(("collect", self._dll))
|
||||
self._get = get_proto(("get", self._dll))
|
||||
self._get_text_output_proto = get_text_output_proto(("getTextOutput", self._dll))
|
||||
self._isInit = True
|
||||
T1129Telem(ScanStatus.USED, "Windows module loader was used to load Mimikatz DLL.").send()
|
||||
except Exception:
|
||||
LOG.exception("Error initializing mimikatz collector")
|
||||
T1129Telem(ScanStatus.SCANNED, "Monkey tried to load Mimikatz DLL, but failed.").send()
|
||||
T1106Telem(ScanStatus.SCANNED, "Monkey tried to call WinAPI to load mimikatz.").send()
|
||||
|
||||
def get_logon_info(self):
|
||||
"""
|
||||
|
@ -67,7 +73,7 @@ class MimikatzCollector(object):
|
|||
|
||||
logon_data_dictionary = {}
|
||||
hostname = socket.gethostname()
|
||||
|
||||
|
||||
self.mimikatz_text = self._get_text_output_proto()
|
||||
|
||||
for i in range(entry_count):
|
||||
|
@ -102,7 +108,7 @@ class MimikatzCollector(object):
|
|||
except Exception:
|
||||
LOG.exception("Error getting logon info")
|
||||
return {}
|
||||
|
||||
|
||||
def get_mimikatz_text(self):
|
||||
return self.mimikatz_text
|
||||
|
||||
|
|
|
@ -4,6 +4,8 @@ import sys
|
|||
from abc import ABCMeta, abstractmethod
|
||||
|
||||
from infection_monkey.config import WormConfiguration
|
||||
from infection_monkey.telemetry.attack.t1106_telem import T1106Telem
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
|
||||
__author__ = 'itamar'
|
||||
|
||||
|
@ -46,6 +48,8 @@ class WindowsSystemSingleton(_SystemSingleton):
|
|||
if not handle:
|
||||
LOG.error("Cannot acquire system singleton %r, unknown error %d",
|
||||
self._mutex_name, last_error)
|
||||
T1106Telem(ScanStatus.SCANNED, "WinAPI call to acquire system singleton "
|
||||
"for monkey process wasn't successful.").send()
|
||||
|
||||
return False
|
||||
|
||||
|
@ -56,7 +60,7 @@ class WindowsSystemSingleton(_SystemSingleton):
|
|||
return False
|
||||
|
||||
self._mutex_handle = handle
|
||||
|
||||
T1106Telem(ScanStatus.USED, "WinAPI was called to acquire system singleton for monkey's process.").send()
|
||||
LOG.debug("Global singleton mutex %r acquired",
|
||||
self._mutex_name)
|
||||
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
from infection_monkey.telemetry.attack.usage_telem import UsageTelem
|
||||
|
||||
|
||||
class T1035Telem(UsageTelem):
|
||||
def __init__(self, status, usage):
|
||||
"""
|
||||
T1035 telemetry.
|
||||
:param status: ScanStatus of technique
|
||||
:param usage: Usage string
|
||||
"""
|
||||
super(T1035Telem, self).__init__('T1035', status, usage)
|
|
@ -0,0 +1,11 @@
|
|||
from infection_monkey.telemetry.attack.usage_telem import UsageTelem
|
||||
|
||||
|
||||
class T1106Telem(UsageTelem):
|
||||
def __init__(self, status, usage):
|
||||
"""
|
||||
T1129 telemetry.
|
||||
:param status: ScanStatus of technique
|
||||
:param usage: Usage string
|
||||
"""
|
||||
super(T1106Telem, self).__init__("T1106", status, usage)
|
|
@ -0,0 +1,19 @@
|
|||
from infection_monkey.telemetry.attack.attack_telem import AttackTelem
|
||||
|
||||
|
||||
class T1107Telem(AttackTelem):
|
||||
def __init__(self, status, path):
|
||||
"""
|
||||
T1107 telemetry.
|
||||
:param status: ScanStatus of technique
|
||||
:param path: Path of deleted dir/file
|
||||
"""
|
||||
super(T1107Telem, self).__init__('T1107', status)
|
||||
self.path = path
|
||||
|
||||
def get_data(self):
|
||||
data = super(T1107Telem, self).get_data()
|
||||
data.update({
|
||||
'path': self.path
|
||||
})
|
||||
return data
|
|
@ -0,0 +1,11 @@
|
|||
from infection_monkey.telemetry.attack.usage_telem import UsageTelem
|
||||
|
||||
|
||||
class T1129Telem(UsageTelem):
|
||||
def __init__(self, status, usage):
|
||||
"""
|
||||
T1129 telemetry.
|
||||
:param status: ScanStatus of technique
|
||||
:param usage: Usage string
|
||||
"""
|
||||
super(T1129Telem, self).__init__("T1129", status, usage)
|
|
@ -0,0 +1,20 @@
|
|||
from infection_monkey.telemetry.attack.attack_telem import AttackTelem
|
||||
|
||||
|
||||
class UsageTelem(AttackTelem):
|
||||
|
||||
def __init__(self, technique, status, usage):
|
||||
"""
|
||||
T1035 telemetry.
|
||||
:param status: ScanStatus of technique
|
||||
:param usage: Usage string
|
||||
"""
|
||||
super(UsageTelem, self).__init__(technique, status)
|
||||
self.usage = usage
|
||||
|
||||
def get_data(self):
|
||||
data = super(UsageTelem, self).get_data()
|
||||
data.update({
|
||||
'usage': self.usage
|
||||
})
|
||||
return data
|
|
@ -49,8 +49,13 @@ def create_monkey_dir():
|
|||
def remove_monkey_dir():
|
||||
"""
|
||||
Removes monkey's root directory
|
||||
:return True if removed without errors and False otherwise
|
||||
"""
|
||||
shutil.rmtree(get_monkey_dir_path(), ignore_errors=True)
|
||||
try:
|
||||
shutil.rmtree(get_monkey_dir_path())
|
||||
return True
|
||||
except Exception:
|
||||
return False
|
||||
|
||||
|
||||
def get_monkey_dir_path():
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
import logging
|
||||
from monkey_island.cc.models import Monkey
|
||||
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
|
||||
from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065
|
||||
from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107
|
||||
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
||||
from monkey_island.cc.database import mongo
|
||||
|
||||
|
@ -20,7 +20,11 @@ TECHNIQUES = {'T1210': T1210.T1210,
|
|||
'T1082': T1082.T1082,
|
||||
'T1145': T1145.T1145,
|
||||
'T1065': T1065.T1065,
|
||||
'T1105': T1105.T1105}
|
||||
'T1105': T1105.T1105,
|
||||
'T1035': T1035.T1035,
|
||||
'T1129': T1129.T1129,
|
||||
'T1106': T1106.T1106,
|
||||
'T1107': T1107.T1107}
|
||||
|
||||
REPORT_NAME = 'new_report'
|
||||
|
||||
|
|
|
@ -99,6 +99,15 @@ SCHEMA = {
|
|||
"necessary": True,
|
||||
"description": "Adversaries may abuse BITS to download, execute, "
|
||||
"and even clean up after running malicious code."
|
||||
},
|
||||
"T1107": {
|
||||
"title": "T1107 File Deletion",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": True,
|
||||
"description": "Adversaries may remove files over the course of an intrusion "
|
||||
"to keep their footprint low or remove them at the end as part "
|
||||
"of the post-intrusion cleanup process."
|
||||
}
|
||||
}
|
||||
},
|
||||
|
@ -106,6 +115,33 @@ SCHEMA = {
|
|||
"title": "Execution",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"T1035": {
|
||||
"title": "T1035 Service execution",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": False,
|
||||
"description": "Adversaries may execute a binary, command, or script via a method "
|
||||
"that interacts with Windows services, such as the Service Control Manager.",
|
||||
"depends_on": ["T1210"]
|
||||
},
|
||||
"T1129": {
|
||||
"title": "T1129 Execution through module load",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": False,
|
||||
"description": "The Windows module loader can be instructed to load DLLs from arbitrary "
|
||||
"local paths and arbitrary Universal Naming Convention (UNC) network paths.",
|
||||
"depends_on": ["T1078", "T1003"]
|
||||
},
|
||||
"T1106": {
|
||||
"title": "T1106 Execution through API",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": False,
|
||||
"description": "Adversary tools may directly use the Windows application "
|
||||
"programming interface (API) to execute binaries.",
|
||||
"depends_on": ["T1210"]
|
||||
},
|
||||
"T1059": {
|
||||
"title": "T1059 Command line interface",
|
||||
"type": "bool",
|
||||
|
|
|
@ -20,8 +20,8 @@ class T1003(AttackTechnique):
|
|||
def get_report_data():
|
||||
data = {'title': T1003.technique_title()}
|
||||
if mongo.db.telemetry.count_documents(T1003.query):
|
||||
status = ScanStatus.USED
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data.update(T1003.get_message_and_status(status))
|
||||
return data
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
||||
class T1035(AttackTechnique):
|
||||
tech_id = "T1035"
|
||||
unscanned_msg = "Monkey didn't try to interact with Windows services."
|
||||
scanned_msg = "Monkey tried to interact with Windows services, but failed."
|
||||
used_msg = "Monkey successfully interacted with Windows services."
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = T1035.get_tech_base_data()
|
||||
data.update({'services': list(mongo.db.telemetry.aggregate(T1035.get_usage_query()))})
|
||||
return data
|
|
@ -27,8 +27,8 @@ class T1059(AttackTechnique):
|
|||
cmd_data = list(mongo.db.telemetry.aggregate(T1059.query))
|
||||
data = {'title': T1059.technique_title(), 'cmds': cmd_data}
|
||||
if cmd_data:
|
||||
status = ScanStatus.USED
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data.update(T1059.get_message_and_status(status))
|
||||
return data
|
||||
|
|
|
@ -17,4 +17,4 @@ class T1065(AttackTechnique):
|
|||
def get_report_data():
|
||||
port = ConfigService.get_config_value(['cnc', 'servers', 'current_server']).split(':')[1]
|
||||
T1065.used_msg = T1065.message % port
|
||||
return T1065.get_base_data_by_status(ScanStatus.USED)
|
||||
return T1065.get_base_data_by_status(ScanStatus.USED.value)
|
||||
|
|
|
@ -35,10 +35,10 @@ class T1075(AttackTechnique):
|
|||
successful_logins = list(mongo.db.telemetry.aggregate(T1075.query))
|
||||
data.update({'successful_logins': successful_logins})
|
||||
if successful_logins:
|
||||
status = ScanStatus.USED
|
||||
status = ScanStatus.USED.value
|
||||
elif mongo.db.telemetry.count_documents(T1075.login_attempt_query):
|
||||
status = ScanStatus.SCANNED
|
||||
status = ScanStatus.SCANNED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data.update(T1075.get_message_and_status(status))
|
||||
return data
|
||||
|
|
|
@ -40,8 +40,8 @@ class T1082(AttackTechnique):
|
|||
system_info = list(mongo.db.telemetry.aggregate(T1082.query))
|
||||
data.update({'system_info': system_info})
|
||||
if system_info:
|
||||
status = ScanStatus.USED
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data.update(T1082.get_message_and_status(status))
|
||||
return data
|
||||
|
|
|
@ -29,8 +29,8 @@ class T1086(AttackTechnique):
|
|||
cmd_data = list(mongo.db.telemetry.aggregate(T1086.query))
|
||||
data = {'title': T1086.technique_title(), 'cmds': cmd_data}
|
||||
if cmd_data:
|
||||
status = ScanStatus.USED
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data.update(T1086.get_message_and_status(status))
|
||||
return data
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
||||
class T1106(AttackTechnique):
|
||||
tech_id = "T1106"
|
||||
unscanned_msg = "Monkey didn't try to directly use WinAPI."
|
||||
scanned_msg = "Monkey tried to use WinAPI, but failed."
|
||||
used_msg = "Monkey successfully used WinAPI."
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = T1106.get_tech_base_data()
|
||||
data.update({'api_uses': list(mongo.db.telemetry.aggregate(T1106.get_usage_query()))})
|
||||
return data
|
|
@ -0,0 +1,32 @@
|
|||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
||||
class T1107(AttackTechnique):
|
||||
tech_id = "T1107"
|
||||
unscanned_msg = ""
|
||||
scanned_msg = "Monkey tried to delete files on systems in the network, but failed."
|
||||
used_msg = "Monkey successfully deleted files on systems in the network."
|
||||
|
||||
query = [{'$match': {'telem_category': 'attack',
|
||||
'data.technique': 'T1107'}},
|
||||
{'$lookup': {'from': 'monkey',
|
||||
'localField': 'monkey_guid',
|
||||
'foreignField': 'guid',
|
||||
'as': 'monkey'}},
|
||||
{'$project': {'monkey': {'$arrayElemAt': ['$monkey', 0]},
|
||||
'status': '$data.status',
|
||||
'path': '$data.path'}},
|
||||
{'$addFields': {'_id': 0,
|
||||
'machine': {'hostname': '$monkey.hostname', 'ips': '$monkey.ip_addresses'},
|
||||
'monkey': 0}},
|
||||
{'$group': {'_id': {'machine': '$machine', 'status': '$status', 'path': '$path'}}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = T1107.get_tech_base_data()
|
||||
deleted_files = list(mongo.db.telemetry.aggregate(T1107.query))
|
||||
data.update({'deleted_files': deleted_files})
|
||||
return data
|
|
@ -35,11 +35,11 @@ class T1110(AttackTechnique):
|
|||
result['successful_creds'].append(T1110.parse_creds(attempt))
|
||||
|
||||
if succeeded:
|
||||
status = ScanStatus.USED
|
||||
status = ScanStatus.USED.value
|
||||
elif attempts:
|
||||
status = ScanStatus.SCANNED
|
||||
status = ScanStatus.SCANNED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data = T1110.get_base_data_by_status(status)
|
||||
# Remove data with no successful brute force attempts
|
||||
attempts = [attempt for attempt in attempts if attempt['attempts']]
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
||||
class T1129(AttackTechnique):
|
||||
tech_id = "T1129"
|
||||
unscanned_msg = "Monkey didn't try to load any DLL's."
|
||||
scanned_msg = "Monkey tried to load DLL's, but failed."
|
||||
used_msg = "Monkey successfully loaded DLL's using Windows module loader."
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = T1129.get_tech_base_data()
|
||||
data.update({'dlls': list(mongo.db.telemetry.aggregate(T1129.get_usage_query()))})
|
||||
return data
|
|
@ -23,9 +23,9 @@ class T1145(AttackTechnique):
|
|||
ssh_info = list(mongo.db.telemetry.aggregate(T1145.query))
|
||||
|
||||
if ssh_info:
|
||||
status = ScanStatus.USED
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data = T1145.get_base_data_by_status(status)
|
||||
data.update({'ssh_info': ssh_info})
|
||||
return data
|
||||
|
|
|
@ -18,11 +18,11 @@ class T1210(AttackTechnique):
|
|||
scanned_services = T1210.get_scanned_services()
|
||||
exploited_services = T1210.get_exploited_services()
|
||||
if exploited_services:
|
||||
status = ScanStatus.USED
|
||||
status = ScanStatus.USED.value
|
||||
elif scanned_services:
|
||||
status = ScanStatus.SCANNED
|
||||
status = ScanStatus.SCANNED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
data.update(T1210.get_message_and_status(status))
|
||||
data.update({'scanned_services': scanned_services, 'exploited_services': exploited_services})
|
||||
return data
|
||||
|
|
|
@ -50,38 +50,38 @@ class AttackTechnique(object):
|
|||
def technique_status(cls):
|
||||
"""
|
||||
Gets the status of a certain attack technique.
|
||||
:return: ScanStatus Enum object
|
||||
:return: ScanStatus numeric value
|
||||
"""
|
||||
if mongo.db.telemetry.find_one({'telem_category': 'attack',
|
||||
'data.status': ScanStatus.USED.value,
|
||||
'data.technique': cls.tech_id}):
|
||||
return ScanStatus.USED
|
||||
return ScanStatus.USED.value
|
||||
elif mongo.db.telemetry.find_one({'telem_category': 'attack',
|
||||
'data.status': ScanStatus.SCANNED.value,
|
||||
'data.technique': cls.tech_id}):
|
||||
return ScanStatus.SCANNED
|
||||
return ScanStatus.SCANNED.value
|
||||
else:
|
||||
return ScanStatus.UNSCANNED
|
||||
return ScanStatus.UNSCANNED.value
|
||||
|
||||
@classmethod
|
||||
def get_message_and_status(cls, status):
|
||||
"""
|
||||
Returns a dict with attack technique's message and status.
|
||||
:param status: Enum type value from common/attack_utils.py
|
||||
:param status: Enum from common/attack_utils.py integer value
|
||||
:return: Dict with message and status
|
||||
"""
|
||||
return {'message': cls.get_message_by_status(status), 'status': status.name}
|
||||
return {'message': cls.get_message_by_status(status), 'status': status}
|
||||
|
||||
@classmethod
|
||||
def get_message_by_status(cls, status):
|
||||
"""
|
||||
Picks a message to return based on status.
|
||||
:param status: Enum type value from common/attack_utils.py
|
||||
:param status: Enum from common/attack_utils.py integer value
|
||||
:return: message string
|
||||
"""
|
||||
if status == ScanStatus.UNSCANNED:
|
||||
if status == ScanStatus.UNSCANNED.value:
|
||||
return cls.unscanned_msg
|
||||
elif status == ScanStatus.SCANNED:
|
||||
elif status == ScanStatus.SCANNED.value:
|
||||
return cls.scanned_msg
|
||||
else:
|
||||
return cls.used_msg
|
||||
|
@ -97,12 +97,12 @@ class AttackTechnique(object):
|
|||
def get_tech_base_data(cls):
|
||||
"""
|
||||
Gathers basic attack technique data into a dict.
|
||||
:return: dict E.g. {'message': 'Brute force used', 'status': 'Used', 'title': 'T1110 Brute force'}
|
||||
:return: dict E.g. {'message': 'Brute force used', 'status': 2, 'title': 'T1110 Brute force'}
|
||||
"""
|
||||
data = {}
|
||||
status = cls.technique_status()
|
||||
title = cls.technique_title()
|
||||
data.update({'status': status.name,
|
||||
data.update({'status': status,
|
||||
'title': title,
|
||||
'message': cls.get_message_by_status(status)})
|
||||
return data
|
||||
|
@ -112,3 +112,23 @@ class AttackTechnique(object):
|
|||
data = cls.get_message_and_status(status)
|
||||
data.update({'title': cls.technique_title()})
|
||||
return data
|
||||
|
||||
@classmethod
|
||||
def get_usage_query(cls):
|
||||
"""
|
||||
:return: Query that parses attack telems for simple report component
|
||||
(gets machines and attack technique usage).
|
||||
"""
|
||||
return [{'$match': {'telem_category': 'attack',
|
||||
'data.technique': cls.tech_id}},
|
||||
{'$lookup': {'from': 'monkey',
|
||||
'localField': 'monkey_guid',
|
||||
'foreignField': 'guid',
|
||||
'as': 'monkey'}},
|
||||
{'$project': {'monkey': {'$arrayElemAt': ['$monkey', 0]},
|
||||
'status': '$data.status',
|
||||
'usage': '$data.usage'}},
|
||||
{'$addFields': {'_id': 0,
|
||||
'machine': {'hostname': '$monkey.hostname', 'ips': '$monkey.ip_addresses'},
|
||||
'monkey': 0}},
|
||||
{'$group': {'_id': {'machine': '$machine', 'status': '$status', 'usage': '$usage'}}}]
|
||||
|
|
|
@ -14,7 +14,7 @@ SCHEMA = {
|
|||
"SmbExploiter"
|
||||
],
|
||||
"title": "SMB Exploiter",
|
||||
"attack_techniques": ["T1110", "T1075"]
|
||||
"attack_techniques": ["T1110", "T1075", "T1035"]
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
|
@ -22,7 +22,7 @@ SCHEMA = {
|
|||
"WmiExploiter"
|
||||
],
|
||||
"title": "WMI Exploiter",
|
||||
"attack_techniques": ["T1110"]
|
||||
"attack_techniques": ["T1110", "T1106"]
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
|
@ -54,7 +54,7 @@ SCHEMA = {
|
|||
"SSHExploiter"
|
||||
],
|
||||
"title": "SSH Exploiter",
|
||||
"attack_techniques": ["T1110", "T1145"]
|
||||
"attack_techniques": ["T1110", "T1145", "T1106"]
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
|
|
|
@ -19,3 +19,25 @@ export function renderMachineFromSystemData(data) {
|
|||
});
|
||||
return machineStr + ")"
|
||||
}
|
||||
|
||||
/* Formats telemetry data that contains _id.machine and _id.usage fields into columns
|
||||
for react table. */
|
||||
export function getUsageColumns() {
|
||||
return ([{
|
||||
columns: [
|
||||
{Header: 'Machine',
|
||||
id: 'machine',
|
||||
accessor: x => renderMachineFromSystemData(x._id.machine),
|
||||
style: { 'whiteSpace': 'unset' },
|
||||
width: 300},
|
||||
{Header: 'Usage',
|
||||
id: 'usage',
|
||||
accessor: x => x._id.usage,
|
||||
style: { 'whiteSpace': 'unset' }}]
|
||||
}])}
|
||||
|
||||
export const scanStatus = {
|
||||
UNSCANNED: 0,
|
||||
SCANNED: 1,
|
||||
USED: 2
|
||||
};
|
||||
|
|
|
@ -2,6 +2,7 @@ import React from 'react';
|
|||
import '../../../styles/Collapse.scss'
|
||||
import '../../report-components/StolenPasswords'
|
||||
import StolenPasswordsComponent from "../../report-components/StolenPasswords";
|
||||
import {scanStatus} from "./Helpers"
|
||||
|
||||
|
||||
class T1003 extends React.Component {
|
||||
|
@ -15,7 +16,7 @@ class T1003 extends React.Component {
|
|||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === 'USED' ?
|
||||
{this.props.data.status === scanStatus.USED ?
|
||||
<StolenPasswordsComponent data={this.props.reportData.glance.stolen_creds.concat(this.props.reportData.glance.ssh_keys)}/>
|
||||
: ""}
|
||||
</div>
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { getUsageColumns } from "./Helpers"
|
||||
|
||||
|
||||
class T1035 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.services.length !== 0 ?
|
||||
<ReactTable
|
||||
columns={getUsageColumns()}
|
||||
data={this.props.data.services}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.services.length}
|
||||
/> : ""}
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1035;
|
|
@ -1,7 +1,7 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachine } from "./Helpers"
|
||||
import { renderMachine, scanStatus } from "./Helpers"
|
||||
|
||||
|
||||
class T1059 extends React.Component {
|
||||
|
@ -25,7 +25,7 @@ class T1059 extends React.Component {
|
|||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === 'USED' ?
|
||||
{this.props.data.status === scanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1059.getCommandColumns()}
|
||||
data={this.props.data.cmds}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachine } from "./Helpers"
|
||||
import { renderMachine, scanStatus } from "./Helpers"
|
||||
|
||||
|
||||
class T1075 extends React.Component {
|
||||
|
@ -34,7 +34,7 @@ class T1075 extends React.Component {
|
|||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === 'USED' ?
|
||||
{this.props.data.status !== scanStatus.UNSCANNED ?
|
||||
<ReactTable
|
||||
columns={T1075.getHashColumns()}
|
||||
data={this.props.data.successful_logins}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachineFromSystemData } from "./Helpers"
|
||||
import { renderMachineFromSystemData, scanStatus } from "./Helpers"
|
||||
|
||||
|
||||
class T1082 extends React.Component {
|
||||
|
@ -33,7 +33,7 @@ class T1082 extends React.Component {
|
|||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === 'USED' ?
|
||||
{this.props.data.status === scanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1082.getSystemInfoColumns()}
|
||||
data={this.props.data.system_info}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachine } from "./Helpers"
|
||||
import { renderMachine, scanStatus } from "./Helpers"
|
||||
|
||||
|
||||
class T1086 extends React.Component {
|
||||
|
@ -25,7 +25,7 @@ class T1086 extends React.Component {
|
|||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === 'USED' ?
|
||||
{this.props.data.status === scanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1086.getPowershellColumns()}
|
||||
data={this.props.data.cmds}
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { getUsageColumns } from "./Helpers"
|
||||
|
||||
|
||||
class T1106 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.api_uses.length !== 0 ?
|
||||
<ReactTable
|
||||
columns={getUsageColumns()}
|
||||
data={this.props.data.api_uses}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.api_uses.length}
|
||||
/> : ""}
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1106;
|
|
@ -0,0 +1,47 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachineFromSystemData, scanStatus } from "./Helpers"
|
||||
|
||||
|
||||
class T1107 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
static renderDelete(status){
|
||||
if(status === scanStatus.USED){
|
||||
return <span>Yes</span>
|
||||
} else {
|
||||
return <span>No</span>
|
||||
}
|
||||
}
|
||||
|
||||
static getDeletedFileColumns() {
|
||||
return ([{
|
||||
columns: [
|
||||
{Header: 'Machine', id: 'machine', accessor: x => renderMachineFromSystemData(x._id.machine), style: { 'whiteSpace': 'unset' }},
|
||||
{Header: 'Path', id: 'path', accessor: x => x._id.path, style: { 'whiteSpace': 'unset' }},
|
||||
{Header: 'Deleted?', id: 'deleted', accessor: x => this.renderDelete(x._id.status),
|
||||
style: { 'whiteSpace': 'unset' }, width: 160}]
|
||||
}])};
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.deleted_files.length !== 0 ?
|
||||
<ReactTable
|
||||
columns={T1107.getDeletedFileColumns()}
|
||||
data={this.props.data.deleted_files}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.deleted_files.length}
|
||||
/> : ""}
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1107;
|
|
@ -1,7 +1,7 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachine } from "./Helpers"
|
||||
import { renderMachine, scanStatus } from "./Helpers"
|
||||
|
||||
|
||||
class T1110 extends React.Component {
|
||||
|
@ -32,7 +32,7 @@ class T1110 extends React.Component {
|
|||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{(this.props.data.status === 'SCANNED' || this.props.data.status === 'USED') ?
|
||||
{this.props.data.status !== scanStatus.UNSCANNED ?
|
||||
<ReactTable
|
||||
columns={T1110.getServiceColumns()}
|
||||
data={this.props.data.services}
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import {getUsageColumns} from "./Helpers";
|
||||
|
||||
class T1129 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.dlls.length !== 0 ?
|
||||
<ReactTable
|
||||
columns={getUsageColumns()}
|
||||
data={this.props.data.dlls}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.dlls.length}
|
||||
/> : ""}
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1129;
|
|
@ -1,7 +1,7 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachineFromSystemData } from "./Helpers"
|
||||
import { renderMachineFromSystemData, scanStatus } from "./Helpers"
|
||||
|
||||
|
||||
class T1145 extends React.Component {
|
||||
|
@ -38,7 +38,7 @@ class T1145 extends React.Component {
|
|||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === 'USED' ?
|
||||
{this.props.data.status === scanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1145.getKeysInfoColumns()}
|
||||
data={this.props.data.ssh_info}
|
||||
|
|
|
@ -4,6 +4,7 @@ import {ReactiveGraph} from 'components/reactive-graph/ReactiveGraph';
|
|||
import {edgeGroupToColor, options} from 'components/map/MapOptions';
|
||||
import '../../styles/Collapse.scss';
|
||||
import AuthComponent from '../AuthComponent';
|
||||
import {scanStatus} from "../attack/techniques/Helpers";
|
||||
import Collapse from '@kunukn/react-collapse';
|
||||
import T1210 from '../attack/techniques/T1210';
|
||||
import T1197 from '../attack/techniques/T1197';
|
||||
|
@ -15,7 +16,11 @@ import T1086 from "../attack/techniques/T1086";
|
|||
import T1082 from "../attack/techniques/T1082";
|
||||
import T1145 from "../attack/techniques/T1145";
|
||||
import T1105 from "../attack/techniques/T1105";
|
||||
import T1107 from "../attack/techniques/T1107";
|
||||
import T1065 from "../attack/techniques/T1065";
|
||||
import T1035 from "../attack/techniques/T1035";
|
||||
import T1129 from "../attack/techniques/T1129";
|
||||
import T1106 from "../attack/techniques/T1106";
|
||||
|
||||
const tech_components = {
|
||||
'T1210': T1210,
|
||||
|
@ -28,7 +33,11 @@ const tech_components = {
|
|||
'T1082': T1082,
|
||||
'T1145': T1145,
|
||||
'T1065': T1065,
|
||||
'T1105': T1105
|
||||
'T1105': T1105,
|
||||
'T1035': T1035,
|
||||
'T1129': T1129,
|
||||
'T1106': T1106,
|
||||
'T1107': T1107
|
||||
};
|
||||
|
||||
const classNames = require('classnames');
|
||||
|
@ -79,9 +88,9 @@ class AttackReportPageComponent extends AuthComponent {
|
|||
|
||||
getComponentClass(tech_id){
|
||||
switch (this.state.report[tech_id].status) {
|
||||
case 'SCANNED':
|
||||
case scanStatus.SCANNED:
|
||||
return 'collapse-info';
|
||||
case 'USED':
|
||||
case scanStatus.USED:
|
||||
return 'collapse-danger';
|
||||
default:
|
||||
return 'collapse-default';
|
||||
|
|
Loading…
Reference in New Issue