Island: Remove attack config and enable all techniques by default
This commit is contained in:
parent
f07b7fafa2
commit
4e98baf6e3
|
@ -1,67 +0,0 @@
|
||||||
import logging
|
|
||||||
|
|
||||||
from monkey_island.cc.database import mongo
|
|
||||||
from monkey_island.cc.services.attack.attack_schema import SCHEMA
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
|
|
||||||
class AttackConfig(object):
|
|
||||||
def __init__(self):
|
|
||||||
pass
|
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def get_config():
|
|
||||||
config = mongo.db.attack.find_one({"name": "newconfig"})["properties"]
|
|
||||||
return config
|
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def get_technique(technique_id):
|
|
||||||
"""
|
|
||||||
Gets technique by id
|
|
||||||
:param technique_id: E.g. T1210
|
|
||||||
:return: Technique object or None if technique is not found
|
|
||||||
"""
|
|
||||||
attack_config = AttackConfig.get_config()
|
|
||||||
for config_key, attack_type in list(attack_config.items()):
|
|
||||||
for type_key, technique in list(attack_type["properties"].items()):
|
|
||||||
if type_key == technique_id:
|
|
||||||
return technique
|
|
||||||
return None
|
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def reset_config():
|
|
||||||
AttackConfig.update_config(SCHEMA)
|
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def update_config(config_json):
|
|
||||||
mongo.db.attack.update({"name": "newconfig"}, {"$set": config_json}, upsert=True)
|
|
||||||
return True
|
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def get_technique_values():
|
|
||||||
"""
|
|
||||||
Parses ATT&CK config into a dict of techniques and corresponding values.
|
|
||||||
:return: Dictionary of techniques. Format: {"T1110": True, "T1075": False, ...}
|
|
||||||
"""
|
|
||||||
attack_config = AttackConfig.get_config()
|
|
||||||
techniques = {}
|
|
||||||
for type_name, attack_type in list(attack_config.items()):
|
|
||||||
for key, technique in list(attack_type["properties"].items()):
|
|
||||||
techniques[key] = technique["value"]
|
|
||||||
return techniques
|
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def get_techniques_for_report():
|
|
||||||
"""
|
|
||||||
:return: Format: {"T1110": {"selected": True, "type": "Credential Access", "T1075": ...}
|
|
||||||
"""
|
|
||||||
attack_config = AttackConfig.get_config()
|
|
||||||
techniques = {}
|
|
||||||
for type_name, attack_type in list(attack_config.items()):
|
|
||||||
for key, technique in list(attack_type["properties"].items()):
|
|
||||||
techniques[key] = {
|
|
||||||
"selected": technique["value"],
|
|
||||||
"type": SCHEMA["properties"][type_name]["title"],
|
|
||||||
}
|
|
||||||
return techniques
|
|
|
@ -2,7 +2,7 @@ import logging
|
||||||
|
|
||||||
from monkey_island.cc.database import mongo
|
from monkey_island.cc.database import mongo
|
||||||
from monkey_island.cc.models import Monkey
|
from monkey_island.cc.models import Monkey
|
||||||
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
from monkey_island.cc.services.attack.attack_schema import SCHEMA
|
||||||
from monkey_island.cc.services.attack.technique_reports import (
|
from monkey_island.cc.services.attack.technique_reports import (
|
||||||
T1003,
|
T1003,
|
||||||
T1005,
|
T1005,
|
||||||
|
@ -102,7 +102,7 @@ class AttackReportService:
|
||||||
"meta": {"latest_monkey_modifytime": Monkey.get_latest_modifytime()},
|
"meta": {"latest_monkey_modifytime": Monkey.get_latest_modifytime()},
|
||||||
"name": REPORT_NAME,
|
"name": REPORT_NAME,
|
||||||
}
|
}
|
||||||
for tech_id, tech_info in list(AttackConfig.get_techniques_for_report().items()):
|
for tech_id, tech_info in list(AttackReportService.get_techniques_for_report().items()):
|
||||||
try:
|
try:
|
||||||
technique_report_data = TECHNIQUES[tech_id].get_report_data()
|
technique_report_data = TECHNIQUES[tech_id].get_report_data()
|
||||||
technique_report_data.update(tech_info)
|
technique_report_data.update(tech_info)
|
||||||
|
@ -146,3 +146,17 @@ class AttackReportService:
|
||||||
raise RuntimeError(
|
raise RuntimeError(
|
||||||
"Attack Report cache not cleared. DeleteResult: " + delete_result.raw_result
|
"Attack Report cache not cleared. DeleteResult: " + delete_result.raw_result
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def get_techniques_for_report():
|
||||||
|
"""
|
||||||
|
:return: Format: {"T1110": {"type": "Credential Access", "T1075": ...}
|
||||||
|
"""
|
||||||
|
attack_config = SCHEMA["properties"]
|
||||||
|
techniques = {}
|
||||||
|
for type_name, attack_type in list(attack_config.items()):
|
||||||
|
for key, technique in list(attack_type["properties"].items()):
|
||||||
|
techniques[key] = {
|
||||||
|
"type": SCHEMA["properties"][type_name]["title"],
|
||||||
|
}
|
||||||
|
return techniques
|
||||||
|
|
|
@ -10,8 +10,6 @@ SCHEMA = {
|
||||||
"T1059": {
|
"T1059": {
|
||||||
"title": "Command line interface",
|
"title": "Command line interface",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1059",
|
"link": "https://attack.mitre.org/techniques/T1059",
|
||||||
"description": "Adversaries may use command-line interfaces to interact with "
|
"description": "Adversaries may use command-line interfaces to interact with "
|
||||||
"systems "
|
"systems "
|
||||||
|
@ -20,8 +18,6 @@ SCHEMA = {
|
||||||
"T1106": {
|
"T1106": {
|
||||||
"title": "Execution through API",
|
"title": "Execution through API",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1106",
|
"link": "https://attack.mitre.org/techniques/T1106",
|
||||||
"description": "Adversary tools may directly use the Windows application "
|
"description": "Adversary tools may directly use the Windows application "
|
||||||
"programming interface (API) to execute binaries.",
|
"programming interface (API) to execute binaries.",
|
||||||
|
@ -30,8 +26,6 @@ SCHEMA = {
|
||||||
"T1086": {
|
"T1086": {
|
||||||
"title": "PowerShell",
|
"title": "PowerShell",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1086",
|
"link": "https://attack.mitre.org/techniques/T1086",
|
||||||
"description": "Adversaries can use PowerShell to perform a number of actions,"
|
"description": "Adversaries can use PowerShell to perform a number of actions,"
|
||||||
" including discovery of information and execution of code.",
|
" including discovery of information and execution of code.",
|
||||||
|
@ -39,8 +33,6 @@ SCHEMA = {
|
||||||
"T1064": {
|
"T1064": {
|
||||||
"title": "Scripting",
|
"title": "Scripting",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1064",
|
"link": "https://attack.mitre.org/techniques/T1064",
|
||||||
"description": "Adversaries may use scripts to aid in operations and "
|
"description": "Adversaries may use scripts to aid in operations and "
|
||||||
"perform multiple actions that would otherwise be manual.",
|
"perform multiple actions that would otherwise be manual.",
|
||||||
|
@ -48,8 +40,6 @@ SCHEMA = {
|
||||||
"T1035": {
|
"T1035": {
|
||||||
"title": "Service execution",
|
"title": "Service execution",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1035",
|
"link": "https://attack.mitre.org/techniques/T1035",
|
||||||
"description": "Adversaries may execute a binary, command, or script via a "
|
"description": "Adversaries may execute a binary, command, or script via a "
|
||||||
"method "
|
"method "
|
||||||
|
@ -60,8 +50,6 @@ SCHEMA = {
|
||||||
"T1154": {
|
"T1154": {
|
||||||
"title": "Trap",
|
"title": "Trap",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1154",
|
"link": "https://attack.mitre.org/techniques/T1154",
|
||||||
"description": "Adversaries can use the trap command to register code to be "
|
"description": "Adversaries can use the trap command to register code to be "
|
||||||
"executed "
|
"executed "
|
||||||
|
@ -77,8 +65,6 @@ SCHEMA = {
|
||||||
"T1156": {
|
"T1156": {
|
||||||
"title": ".bash_profile and .bashrc",
|
"title": ".bash_profile and .bashrc",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1156",
|
"link": "https://attack.mitre.org/techniques/T1156",
|
||||||
"description": "Adversaries may abuse shell scripts by "
|
"description": "Adversaries may abuse shell scripts by "
|
||||||
"inserting arbitrary shell commands to gain persistence, which "
|
"inserting arbitrary shell commands to gain persistence, which "
|
||||||
|
@ -89,8 +75,6 @@ SCHEMA = {
|
||||||
"T1136": {
|
"T1136": {
|
||||||
"title": "Create account",
|
"title": "Create account",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1136",
|
"link": "https://attack.mitre.org/techniques/T1136",
|
||||||
"description": "Adversaries with a sufficient level of access "
|
"description": "Adversaries with a sufficient level of access "
|
||||||
"may create a local system, domain, or cloud tenant account.",
|
"may create a local system, domain, or cloud tenant account.",
|
||||||
|
@ -98,8 +82,6 @@ SCHEMA = {
|
||||||
"T1158": {
|
"T1158": {
|
||||||
"title": "Hidden files and directories",
|
"title": "Hidden files and directories",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1158",
|
"link": "https://attack.mitre.org/techniques/T1158",
|
||||||
"description": "Adversaries can hide files and folders on the system "
|
"description": "Adversaries can hide files and folders on the system "
|
||||||
"and evade a typical user or system analysis that does not "
|
"and evade a typical user or system analysis that does not "
|
||||||
|
@ -108,8 +90,6 @@ SCHEMA = {
|
||||||
"T1168": {
|
"T1168": {
|
||||||
"title": "Local job scheduling",
|
"title": "Local job scheduling",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1168/",
|
"link": "https://attack.mitre.org/techniques/T1168/",
|
||||||
"description": "Linux supports multiple methods for creating pre-scheduled and "
|
"description": "Linux supports multiple methods for creating pre-scheduled and "
|
||||||
"periodic background jobs. Job scheduling can be used by "
|
"periodic background jobs. Job scheduling can be used by "
|
||||||
|
@ -121,8 +101,6 @@ SCHEMA = {
|
||||||
"T1504": {
|
"T1504": {
|
||||||
"title": "PowerShell profile",
|
"title": "PowerShell profile",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1504",
|
"link": "https://attack.mitre.org/techniques/T1504",
|
||||||
"description": "Adversaries may gain persistence and elevate privileges "
|
"description": "Adversaries may gain persistence and elevate privileges "
|
||||||
"in certain situations by abusing PowerShell profiles which "
|
"in certain situations by abusing PowerShell profiles which "
|
||||||
|
@ -132,8 +110,6 @@ SCHEMA = {
|
||||||
"T1053": {
|
"T1053": {
|
||||||
"title": "Scheduled task",
|
"title": "Scheduled task",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1053",
|
"link": "https://attack.mitre.org/techniques/T1053",
|
||||||
"description": "Windows utilities can be used to schedule programs or scripts "
|
"description": "Windows utilities can be used to schedule programs or scripts "
|
||||||
"to "
|
"to "
|
||||||
|
@ -146,8 +122,6 @@ SCHEMA = {
|
||||||
"T1166": {
|
"T1166": {
|
||||||
"title": "Setuid and Setgid",
|
"title": "Setuid and Setgid",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1166",
|
"link": "https://attack.mitre.org/techniques/T1166",
|
||||||
"description": "Adversaries can set the setuid or setgid bits to get code "
|
"description": "Adversaries can set the setuid or setgid bits to get code "
|
||||||
"running in "
|
"running in "
|
||||||
|
@ -163,8 +137,6 @@ SCHEMA = {
|
||||||
"T1197": {
|
"T1197": {
|
||||||
"title": "BITS jobs",
|
"title": "BITS jobs",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1197",
|
"link": "https://attack.mitre.org/techniques/T1197",
|
||||||
"description": "Adversaries may abuse BITS to download, execute, "
|
"description": "Adversaries may abuse BITS to download, execute, "
|
||||||
"and even clean up after running malicious code.",
|
"and even clean up after running malicious code.",
|
||||||
|
@ -172,8 +144,6 @@ SCHEMA = {
|
||||||
"T1146": {
|
"T1146": {
|
||||||
"title": "Clear command history",
|
"title": "Clear command history",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": False,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1146",
|
"link": "https://attack.mitre.org/techniques/T1146",
|
||||||
"description": "Adversaries may clear/disable command history of a compromised "
|
"description": "Adversaries may clear/disable command history of a compromised "
|
||||||
"account to conceal the actions undertaken during an intrusion.",
|
"account to conceal the actions undertaken during an intrusion.",
|
||||||
|
@ -181,8 +151,6 @@ SCHEMA = {
|
||||||
"T1107": {
|
"T1107": {
|
||||||
"title": "File Deletion",
|
"title": "File Deletion",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1107",
|
"link": "https://attack.mitre.org/techniques/T1107",
|
||||||
"description": "Adversaries may remove files over the course of an intrusion "
|
"description": "Adversaries may remove files over the course of an intrusion "
|
||||||
"to keep their footprint low or remove them at the end as part "
|
"to keep their footprint low or remove them at the end as part "
|
||||||
|
@ -191,8 +159,6 @@ SCHEMA = {
|
||||||
"T1222": {
|
"T1222": {
|
||||||
"title": "File permissions modification",
|
"title": "File permissions modification",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1222",
|
"link": "https://attack.mitre.org/techniques/T1222",
|
||||||
"description": "Adversaries may modify file permissions/attributes to evade "
|
"description": "Adversaries may modify file permissions/attributes to evade "
|
||||||
"intended DACLs.",
|
"intended DACLs.",
|
||||||
|
@ -200,8 +166,6 @@ SCHEMA = {
|
||||||
"T1099": {
|
"T1099": {
|
||||||
"title": "Timestomping",
|
"title": "Timestomping",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1099",
|
"link": "https://attack.mitre.org/techniques/T1099",
|
||||||
"description": "Adversaries may modify file time attributes to hide "
|
"description": "Adversaries may modify file time attributes to hide "
|
||||||
"new/changes to existing "
|
"new/changes to existing "
|
||||||
|
@ -211,8 +175,6 @@ SCHEMA = {
|
||||||
"T1216": {
|
"T1216": {
|
||||||
"title": "Signed script proxy execution",
|
"title": "Signed script proxy execution",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": False,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1216",
|
"link": "https://attack.mitre.org/techniques/T1216",
|
||||||
"description": "Adversaries may use scripts signed with trusted certificates "
|
"description": "Adversaries may use scripts signed with trusted certificates "
|
||||||
"to proxy execution of malicious files on Windows systems. This behavior could "
|
"to proxy execution of malicious files on Windows systems. This behavior could "
|
||||||
|
@ -229,8 +191,6 @@ SCHEMA = {
|
||||||
"T1110": {
|
"T1110": {
|
||||||
"title": "Brute force",
|
"title": "Brute force",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1110",
|
"link": "https://attack.mitre.org/techniques/T1110",
|
||||||
"description": "Adversaries may use brute force techniques to attempt access "
|
"description": "Adversaries may use brute force techniques to attempt access "
|
||||||
"to accounts "
|
"to accounts "
|
||||||
|
@ -241,8 +201,6 @@ SCHEMA = {
|
||||||
"T1003": {
|
"T1003": {
|
||||||
"title": "Credential dumping",
|
"title": "Credential dumping",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1003",
|
"link": "https://attack.mitre.org/techniques/T1003",
|
||||||
"description": "Mapped with T1078 Valid Accounts because "
|
"description": "Mapped with T1078 Valid Accounts because "
|
||||||
"both techniques require"
|
"both techniques require"
|
||||||
|
@ -257,8 +215,6 @@ SCHEMA = {
|
||||||
"T1145": {
|
"T1145": {
|
||||||
"title": "Private keys",
|
"title": "Private keys",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1145",
|
"link": "https://attack.mitre.org/techniques/T1145",
|
||||||
"description": "Adversaries may gather private keys from compromised systems "
|
"description": "Adversaries may gather private keys from compromised systems "
|
||||||
"for use in "
|
"for use in "
|
||||||
|
@ -277,8 +233,6 @@ SCHEMA = {
|
||||||
"T1087": {
|
"T1087": {
|
||||||
"title": "Account Discovery",
|
"title": "Account Discovery",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1087",
|
"link": "https://attack.mitre.org/techniques/T1087",
|
||||||
"description": "Adversaries may attempt to get a listing of accounts on a "
|
"description": "Adversaries may attempt to get a listing of accounts on a "
|
||||||
"system or "
|
"system or "
|
||||||
|
@ -289,8 +243,6 @@ SCHEMA = {
|
||||||
"T1018": {
|
"T1018": {
|
||||||
"title": "Remote System Discovery",
|
"title": "Remote System Discovery",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1018",
|
"link": "https://attack.mitre.org/techniques/T1018",
|
||||||
"description": "Adversaries will likely attempt to get a listing of other "
|
"description": "Adversaries will likely attempt to get a listing of other "
|
||||||
"systems by IP address, "
|
"systems by IP address, "
|
||||||
|
@ -300,8 +252,6 @@ SCHEMA = {
|
||||||
"T1082": {
|
"T1082": {
|
||||||
"title": "System information discovery",
|
"title": "System information discovery",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1082",
|
"link": "https://attack.mitre.org/techniques/T1082",
|
||||||
"depends_on": ["T1016", "T1005"],
|
"depends_on": ["T1016", "T1005"],
|
||||||
"description": "An adversary may attempt to get detailed information about the "
|
"description": "An adversary may attempt to get detailed information about the "
|
||||||
|
@ -312,8 +262,6 @@ SCHEMA = {
|
||||||
"T1016": {
|
"T1016": {
|
||||||
"title": "System network configuration discovery",
|
"title": "System network configuration discovery",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1016",
|
"link": "https://attack.mitre.org/techniques/T1016",
|
||||||
"depends_on": ["T1005", "T1082"],
|
"depends_on": ["T1005", "T1082"],
|
||||||
"description": "Adversaries will likely look for details about the network "
|
"description": "Adversaries will likely look for details about the network "
|
||||||
|
@ -332,8 +280,6 @@ SCHEMA = {
|
||||||
"T1210": {
|
"T1210": {
|
||||||
"title": "Exploitation of Remote services",
|
"title": "Exploitation of Remote services",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1210",
|
"link": "https://attack.mitre.org/techniques/T1210",
|
||||||
"description": "Exploitation of a software vulnerability occurs when an "
|
"description": "Exploitation of a software vulnerability occurs when an "
|
||||||
"adversary "
|
"adversary "
|
||||||
|
@ -345,8 +291,6 @@ SCHEMA = {
|
||||||
"T1075": {
|
"T1075": {
|
||||||
"title": "Pass the hash",
|
"title": "Pass the hash",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1075",
|
"link": "https://attack.mitre.org/techniques/T1075",
|
||||||
"description": "Pass the hash (PtH) is a method of authenticating as a user "
|
"description": "Pass the hash (PtH) is a method of authenticating as a user "
|
||||||
"without "
|
"without "
|
||||||
|
@ -355,8 +299,6 @@ SCHEMA = {
|
||||||
"T1105": {
|
"T1105": {
|
||||||
"title": "Remote file copy",
|
"title": "Remote file copy",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1105",
|
"link": "https://attack.mitre.org/techniques/T1105",
|
||||||
"description": "Files may be copied from one system to another to stage "
|
"description": "Files may be copied from one system to another to stage "
|
||||||
"adversary tools or other files over the course of an operation.",
|
"adversary tools or other files over the course of an operation.",
|
||||||
|
@ -364,8 +306,6 @@ SCHEMA = {
|
||||||
"T1021": {
|
"T1021": {
|
||||||
"title": "Remote services",
|
"title": "Remote services",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1021",
|
"link": "https://attack.mitre.org/techniques/T1021",
|
||||||
"depends_on": ["T1110"],
|
"depends_on": ["T1110"],
|
||||||
"description": "An adversary may use Valid Accounts to log into a service"
|
"description": "An adversary may use Valid Accounts to log into a service"
|
||||||
|
@ -381,8 +321,6 @@ SCHEMA = {
|
||||||
"T1005": {
|
"T1005": {
|
||||||
"title": "Data from local system",
|
"title": "Data from local system",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": False,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1005",
|
"link": "https://attack.mitre.org/techniques/T1005",
|
||||||
"depends_on": ["T1016", "T1082"],
|
"depends_on": ["T1016", "T1082"],
|
||||||
"description": "Sensitive data can be collected from local system sources, "
|
"description": "Sensitive data can be collected from local system sources, "
|
||||||
|
@ -400,8 +338,6 @@ SCHEMA = {
|
||||||
"T1090": {
|
"T1090": {
|
||||||
"title": "Connection proxy",
|
"title": "Connection proxy",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1090",
|
"link": "https://attack.mitre.org/techniques/T1090",
|
||||||
"description": "A connection proxy is used to direct network traffic between "
|
"description": "A connection proxy is used to direct network traffic between "
|
||||||
"systems "
|
"systems "
|
||||||
|
@ -410,8 +346,6 @@ SCHEMA = {
|
||||||
"T1065": {
|
"T1065": {
|
||||||
"title": "Uncommonly used port",
|
"title": "Uncommonly used port",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1065",
|
"link": "https://attack.mitre.org/techniques/T1065",
|
||||||
"description": "Adversaries may conduct C2 communications over a non-standard "
|
"description": "Adversaries may conduct C2 communications over a non-standard "
|
||||||
"port to bypass proxies and firewalls that have been improperly "
|
"port to bypass proxies and firewalls that have been improperly "
|
||||||
|
@ -420,8 +354,6 @@ SCHEMA = {
|
||||||
"T1188": {
|
"T1188": {
|
||||||
"title": "Multi-hop proxy",
|
"title": "Multi-hop proxy",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1188",
|
"link": "https://attack.mitre.org/techniques/T1188",
|
||||||
"description": "To disguise the source of malicious traffic, "
|
"description": "To disguise the source of malicious traffic, "
|
||||||
"adversaries may chain together multiple proxies.",
|
"adversaries may chain together multiple proxies.",
|
||||||
|
@ -436,8 +368,6 @@ SCHEMA = {
|
||||||
"T1041": {
|
"T1041": {
|
||||||
"title": "Exfiltration Over Command and Control Channel",
|
"title": "Exfiltration Over Command and Control Channel",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
|
||||||
"necessary": True,
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1041",
|
"link": "https://attack.mitre.org/techniques/T1041",
|
||||||
"description": "Data exfiltration is performed over the Command and Control "
|
"description": "Data exfiltration is performed over the Command and Control "
|
||||||
"channel.",
|
"channel.",
|
||||||
|
|
|
@ -35,7 +35,6 @@ class T1003(AttackTechnique):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
@T1003.is_status_disabled
|
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
if mongo.db.telemetry.count_documents(T1003.query):
|
if mongo.db.telemetry.count_documents(T1003.query):
|
||||||
status = ScanStatus.USED.value
|
status = ScanStatus.USED.value
|
||||||
|
|
|
@ -36,7 +36,6 @@ class T1016(AttackTechnique):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
@T1016.is_status_disabled
|
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
network_info = list(mongo.db.telemetry.aggregate(T1016.query))
|
network_info = list(mongo.db.telemetry.aggregate(T1016.query))
|
||||||
status = ScanStatus.USED.value if network_info else ScanStatus.UNSCANNED.value
|
status = ScanStatus.USED.value if network_info else ScanStatus.UNSCANNED.value
|
||||||
|
|
|
@ -40,7 +40,6 @@ class T1018(AttackTechnique):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
@T1018.is_status_disabled
|
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
scan_info = list(mongo.db.telemetry.aggregate(T1018.query))
|
scan_info = list(mongo.db.telemetry.aggregate(T1018.query))
|
||||||
if scan_info:
|
if scan_info:
|
||||||
|
|
|
@ -35,7 +35,6 @@ class T1021(AttackTechnique):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
@T1021.is_status_disabled
|
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
attempts = []
|
attempts = []
|
||||||
if mongo.db.telemetry.count_documents(T1021.scanned_query):
|
if mongo.db.telemetry.count_documents(T1021.scanned_query):
|
||||||
|
|
|
@ -12,7 +12,6 @@ class T1041(AttackTechnique):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
@T1041.is_status_disabled
|
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
monkeys = list(Monkey.objects())
|
monkeys = list(Monkey.objects())
|
||||||
info = [
|
info = [
|
||||||
|
|
|
@ -26,7 +26,6 @@ class T1059(AttackTechnique):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
@T1059.is_status_disabled
|
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
cmd_data = list(mongo.db.telemetry.aggregate(T1059.query))
|
cmd_data = list(mongo.db.telemetry.aggregate(T1059.query))
|
||||||
if cmd_data:
|
if cmd_data:
|
||||||
|
|
|
@ -51,7 +51,6 @@ class T1075(AttackTechnique):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
@T1075.is_status_disabled
|
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
successful_logins = list(mongo.db.telemetry.aggregate(T1075.query))
|
successful_logins = list(mongo.db.telemetry.aggregate(T1075.query))
|
||||||
if successful_logins:
|
if successful_logins:
|
||||||
|
|
|
@ -64,7 +64,6 @@ class T1082(AttackTechnique):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
@T1082.is_status_disabled
|
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
system_info = list(mongo.db.telemetry.aggregate(T1082.query))
|
system_info = list(mongo.db.telemetry.aggregate(T1082.query))
|
||||||
if system_info:
|
if system_info:
|
||||||
|
|
|
@ -60,7 +60,6 @@ class T1086(AttackTechnique):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
@T1086.is_status_disabled
|
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
exploit_cmd_data = list(mongo.db.telemetry.aggregate(T1086.query_for_exploits))
|
exploit_cmd_data = list(mongo.db.telemetry.aggregate(T1086.query_for_exploits))
|
||||||
pba_cmd_data = list(mongo.db.telemetry.aggregate(T1086.query_for_pbas))
|
pba_cmd_data = list(mongo.db.telemetry.aggregate(T1086.query_for_pbas))
|
||||||
|
|
|
@ -12,7 +12,6 @@ class T1090(AttackTechnique):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
@T1090.is_status_disabled
|
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
monkeys = Monkey.get_tunneled_monkeys()
|
monkeys = Monkey.get_tunneled_monkeys()
|
||||||
monkeys = [monkey.get_network_info() for monkey in monkeys]
|
monkeys = [monkey.get_network_info() for monkey in monkeys]
|
||||||
|
|
|
@ -33,7 +33,6 @@ class T1110(AttackTechnique):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
@T1110.is_status_disabled
|
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
attempts = list(mongo.db.telemetry.aggregate(T1110.query))
|
attempts = list(mongo.db.telemetry.aggregate(T1110.query))
|
||||||
succeeded = False
|
succeeded = False
|
||||||
|
|
|
@ -29,7 +29,6 @@ class T1145(AttackTechnique):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
@T1145.is_status_disabled
|
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
ssh_info = list(mongo.db.telemetry.aggregate(T1145.query))
|
ssh_info = list(mongo.db.telemetry.aggregate(T1145.query))
|
||||||
if ssh_info:
|
if ssh_info:
|
||||||
|
|
|
@ -12,7 +12,6 @@ class T1188(AttackTechnique):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
@T1188.is_status_disabled
|
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
monkeys = Monkey.get_tunneled_monkeys()
|
monkeys = Monkey.get_tunneled_monkeys()
|
||||||
hops = []
|
hops = []
|
||||||
|
|
|
@ -16,7 +16,6 @@ class T1210(AttackTechnique):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
@T1210.is_status_disabled
|
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
scanned_services = T1210.get_scanned_services()
|
scanned_services = T1210.get_scanned_services()
|
||||||
exploited_services = T1210.get_exploited_services()
|
exploited_services = T1210.get_exploited_services()
|
||||||
|
@ -30,9 +29,7 @@ class T1210(AttackTechnique):
|
||||||
|
|
||||||
status_and_data = get_technique_status_and_data()
|
status_and_data = get_technique_status_and_data()
|
||||||
status = status_and_data[0]
|
status = status_and_data[0]
|
||||||
if status == ScanStatus.DISABLED.value:
|
|
||||||
scanned_services, exploited_services = [], []
|
|
||||||
else:
|
|
||||||
scanned_services, exploited_services = status_and_data[1], status_and_data[2]
|
scanned_services, exploited_services = status_and_data[1], status_and_data[2]
|
||||||
data = {"title": T1210.technique_title()}
|
data = {"title": T1210.technique_title()}
|
||||||
|
|
||||||
|
|
|
@ -6,19 +6,14 @@ from common.utils.attack_utils import ScanStatus
|
||||||
from common.utils.code_utils import abstractstatic
|
from common.utils.code_utils import abstractstatic
|
||||||
from monkey_island.cc.database import mongo
|
from monkey_island.cc.database import mongo
|
||||||
from monkey_island.cc.models.attack.attack_mitigations import AttackMitigations
|
from monkey_island.cc.models.attack.attack_mitigations import AttackMitigations
|
||||||
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
|
||||||
from monkey_island.cc.services.config_schema.config_schema import SCHEMA
|
from monkey_island.cc.services.config_schema.config_schema import SCHEMA
|
||||||
|
from monkey_island.cc.services.attack.attack_schema import SCHEMA as ATTACK_SCHEMA
|
||||||
from monkey_island.cc.services.config_schema.config_schema_per_attack_technique import (
|
from monkey_island.cc.services.config_schema.config_schema_per_attack_technique import (
|
||||||
ConfigSchemaPerAttackTechnique,
|
ConfigSchemaPerAttackTechnique,
|
||||||
)
|
)
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
disabled_msg = (
|
|
||||||
"This technique has been disabled. "
|
|
||||||
+ "You can enable it from the [configuration page](../../configure)."
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class AttackTechnique(object, metaclass=abc.ABCMeta):
|
class AttackTechnique(object, metaclass=abc.ABCMeta):
|
||||||
""" Abstract class for ATT&CK report components """
|
""" Abstract class for ATT&CK report components """
|
||||||
|
@ -81,9 +76,7 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
|
||||||
Gets the status of a certain attack technique.
|
Gets the status of a certain attack technique.
|
||||||
:return: ScanStatus numeric value
|
:return: ScanStatus numeric value
|
||||||
"""
|
"""
|
||||||
if not cls._is_enabled_in_config():
|
if mongo.db.telemetry.find_one(
|
||||||
return ScanStatus.DISABLED.value
|
|
||||||
elif mongo.db.telemetry.find_one(
|
|
||||||
{
|
{
|
||||||
"telem_category": "attack",
|
"telem_category": "attack",
|
||||||
"data.status": ScanStatus.USED.value,
|
"data.status": ScanStatus.USED.value,
|
||||||
|
@ -118,8 +111,6 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
|
||||||
:param status: Enum from common/attack_utils.py integer value
|
:param status: Enum from common/attack_utils.py integer value
|
||||||
:return: message string
|
:return: message string
|
||||||
"""
|
"""
|
||||||
if status == ScanStatus.DISABLED.value:
|
|
||||||
return disabled_msg
|
|
||||||
if status == ScanStatus.UNSCANNED.value:
|
if status == ScanStatus.UNSCANNED.value:
|
||||||
if not cls.config_schema_per_attack_technique:
|
if not cls.config_schema_per_attack_technique:
|
||||||
cls.config_schema_per_attack_technique = (
|
cls.config_schema_per_attack_technique = (
|
||||||
|
@ -172,7 +163,7 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
|
||||||
"""
|
"""
|
||||||
:return: techniques title. E.g. "T1110 Brute force"
|
:return: techniques title. E.g. "T1110 Brute force"
|
||||||
"""
|
"""
|
||||||
return AttackConfig.get_technique(cls.tech_id)["title"]
|
return get_technique(cls.tech_id)["title"]
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def get_tech_base_data(cls):
|
def get_tech_base_data(cls):
|
||||||
|
@ -205,17 +196,16 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
|
||||||
else:
|
else:
|
||||||
return {}
|
return {}
|
||||||
|
|
||||||
@classmethod
|
|
||||||
def is_status_disabled(cls, get_technique_status_and_data) -> bool:
|
|
||||||
def check_if_disabled_in_config():
|
|
||||||
return (
|
|
||||||
(ScanStatus.DISABLED.value, [])
|
|
||||||
if not cls._is_enabled_in_config()
|
|
||||||
else get_technique_status_and_data()
|
|
||||||
)
|
|
||||||
|
|
||||||
return check_if_disabled_in_config
|
def get_technique(technique_id):
|
||||||
|
"""
|
||||||
@classmethod
|
Gets technique by id
|
||||||
def _is_enabled_in_config(cls) -> bool:
|
:param technique_id: E.g. T1210
|
||||||
return AttackConfig.get_technique_values()[cls.tech_id]
|
:return: Technique object or None if technique is not found
|
||||||
|
"""
|
||||||
|
attack_config = ATTACK_SCHEMA["properties"]
|
||||||
|
for config_key, attack_type in list(attack_config.items()):
|
||||||
|
for type_key, technique in list(attack_type["properties"].items()):
|
||||||
|
if type_key == technique_id:
|
||||||
|
return technique
|
||||||
|
return None
|
||||||
|
|
|
@ -54,7 +54,6 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
|
||||||
:return: Technique's report data aggregated from the database
|
:return: Technique's report data aggregated from the database
|
||||||
"""
|
"""
|
||||||
|
|
||||||
@cls.is_status_disabled
|
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
info = list(
|
info = list(
|
||||||
mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names, cls.relevant_systems))
|
mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names, cls.relevant_systems))
|
||||||
|
|
|
@ -4,7 +4,6 @@ from flask import jsonify
|
||||||
|
|
||||||
from monkey_island.cc.database import mongo
|
from monkey_island.cc.database import mongo
|
||||||
from monkey_island.cc.models.attack.attack_mitigations import AttackMitigations
|
from monkey_island.cc.models.attack.attack_mitigations import AttackMitigations
|
||||||
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
|
||||||
from monkey_island.cc.services.config import ConfigService
|
from monkey_island.cc.services.config import ConfigService
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
@ -24,7 +23,6 @@ class Database(object):
|
||||||
if not x.startswith("system.") and not x == AttackMitigations.COLLECTION_NAME
|
if not x.startswith("system.") and not x == AttackMitigations.COLLECTION_NAME
|
||||||
]
|
]
|
||||||
ConfigService.init_config()
|
ConfigService.init_config()
|
||||||
AttackConfig.reset_config()
|
|
||||||
logger.info("DB was reset")
|
logger.info("DB was reset")
|
||||||
return jsonify(status="OK")
|
return jsonify(status="OK")
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue