Island: Refactor T1145 report according to the attack telemetry
This commit is contained in:
parent
6b64b655ce
commit
3d64d0d2e4
|
@ -1,7 +1,11 @@
|
||||||
|
import logging
|
||||||
|
|
||||||
from common.utils.attack_utils import ScanStatus
|
from common.utils.attack_utils import ScanStatus
|
||||||
from monkey_island.cc.database import mongo
|
from monkey_island.cc.database import mongo
|
||||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||||
|
|
||||||
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
class T1145(AttackTechnique):
|
class T1145(AttackTechnique):
|
||||||
tech_id = "T1145"
|
tech_id = "T1145"
|
||||||
|
@ -12,19 +16,39 @@ class T1145(AttackTechnique):
|
||||||
|
|
||||||
# Gets data about ssh keys found
|
# Gets data about ssh keys found
|
||||||
query = [
|
query = [
|
||||||
|
{"$match": {"telem_category": "attack", "data.technique": tech_id}},
|
||||||
{
|
{
|
||||||
"$match": {
|
"$lookup": {
|
||||||
"telem_category": "system_info",
|
"from": "monkey",
|
||||||
"data.ssh_info": {"$elemMatch": {"private_key": {"$exists": True}}},
|
"localField": "monkey_guid",
|
||||||
|
"foreignField": "guid",
|
||||||
|
"as": "monkey",
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"$project": {
|
"$project": {
|
||||||
"_id": 0,
|
"monkey": {"$arrayElemAt": ["$monkey", 0]},
|
||||||
"machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
|
"status": "$data.status",
|
||||||
"ssh_info": "$data.ssh_info",
|
"name": "$data.name",
|
||||||
|
"home_dir": "$data.home_dir",
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"$addFields": {
|
||||||
|
"_id": 0,
|
||||||
|
"machine": {"hostname": "$monkey.hostname", "ips": "$monkey.ip_addresses"},
|
||||||
|
"monkey": 0,
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"$group": {
|
||||||
|
"_id": {
|
||||||
|
"machine": "$machine",
|
||||||
|
"ssh_info": {"name": "$name", "home_dir": "$home_dir"},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{"$replaceRoot": {"newRoot": "$_id"}},
|
||||||
]
|
]
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
|
|
|
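Review bot: In the new `$addFields` stage, `"_id": 0` and `"monkey": 0` set those fields to the literal value 0 rather than removing them — only `$project` treats 0 as an exclusion. The following `$group` keeps just `machine` and `ssh_info`, so the output is still correct, but the stage reads as if it strips the joined document; reducing it to `"$addFields": {"machine": {"hostname": "$monkey.hostname", "ips": "$monkey.ip_addresses"}}` (or using a `$project`) says what actually happens. The old `$match` on `data.ssh_info` with an existing `private_key` is gone, so the report now appears to rely on the agent only emitting T1145 telemetry when a key was found, and `status` is projected from `$data.status` but discarded by `$group`; a short comment on `query` stating which ScanStatus values the pipeline is meant to include would make that intent explicit. The method following `@staticmethod` lies outside the hunk.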
@ -10,13 +10,13 @@ class T1145 extends React.Component {
|
||||||
super(props);
|
super(props);
|
||||||
}
|
}
|
||||||
|
|
||||||
static renderSSHKeys(keys) {
|
static renderSSHKey(key) {
|
||||||
let output = [];
|
return (
|
||||||
keys.forEach(function (keyInfo) {
|
<div>
|
||||||
output.push(<div key={keyInfo['name'] + keyInfo['home_dir']}>
|
<div key={key['name'] + key['home_dir']}>
|
||||||
SSH key pair used by <b>{keyInfo['name']}</b> user found in {keyInfo['home_dir']}</div>)
|
SSH key pair used by <b>{key['name']}</b> user found in {key['home_dir']}
|
||||||
});
|
</div>
|
||||||
return (<div>{output}</div>);
|
</div>);
|
||||||
}
|
}
|
||||||
|
|
||||||
static getKeysInfoColumns() {
|
static getKeysInfoColumns() {
|
||||||
|
@ -31,7 +31,7 @@ class T1145 extends React.Component {
|
||||||
{
|
{
|
||||||
Header: 'Keys found',
|
Header: 'Keys found',
|
||||||
id: 'keys',
|
id: 'keys',
|
||||||
accessor: x => T1145.renderSSHKeys(x.ssh_info),
|
accessor: x => T1145.renderSSHKey(x.ssh_info),
|
||||||
style: {'whiteSpace': 'unset'}
|
style: {'whiteSpace': 'unset'}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
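Review bot: `renderSSHKey` wraps its content in two nested `<div>`s, and the inner one carries a `key` prop even though it is no longer rendered inside an array, so the prop has no effect; a single element, `return (<div>SSH key pair used by <b>{key.name}</b> user found in {key.home_dir}</div>);`, renders the same text. Naming the parameter `key` also reads like React's reserved `key` prop; `keyInfo`, as in the removed code, avoids that confusion. The `accessor` change in the second hunk assumes `x.ssh_info` is now a single `{name, home_dir}` object rather than a list, which matches the new backend `$group` shape but deserves a one-line comment on `getKeysInfoColumns`. React escapes the interpolated `name` and `home_dir` values, so rendering these agent-reported strings as JSX text is safe as written.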