Island: Modify T1082's reporting to get data from process collection PBA too
This commit is contained in:
parent
417f40d62d
commit
547d4fce54
|
@ -1,3 +1,4 @@
|
||||||
|
from common.common_consts.post_breach_consts import POST_BREACH_PROCESS_LIST_COLLECTION
|
||||||
from common.utils.attack_utils import ScanStatus
|
from common.utils.attack_utils import ScanStatus
|
||||||
from monkey_island.cc.database import mongo
|
from monkey_island.cc.database import mongo
|
||||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||||
|
@ -9,14 +10,16 @@ class T1082(AttackTechnique):
|
||||||
unscanned_msg = "Monkey didn't gather any system info on the network."
|
unscanned_msg = "Monkey didn't gather any system info on the network."
|
||||||
scanned_msg = ""
|
scanned_msg = ""
|
||||||
used_msg = "Monkey gathered system info from machines in the network."
|
used_msg = "Monkey gathered system info from machines in the network."
|
||||||
|
# TODO: Remove the second item from this list after the TODO in `_run_pba()` in
|
||||||
|
# `automated_master.py` is resolved.
|
||||||
|
pba_names = [POST_BREACH_PROCESS_LIST_COLLECTION, "ProcessListCollection"]
|
||||||
|
|
||||||
query = [
|
query_for_system_info_collectors = [
|
||||||
{"$match": {"telem_category": "system_info", "data.network_info": {"$exists": True}}},
|
{"$match": {"telem_category": "system_info", "data.network_info": {"$exists": True}}},
|
||||||
{
|
{
|
||||||
"$project": {
|
"$project": {
|
||||||
"machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
|
"machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
|
||||||
"aws": "$data.aws",
|
"aws": "$data.aws",
|
||||||
"process_list": "$data.process_list",
|
|
||||||
"ssh_info": "$data.ssh_info",
|
"ssh_info": "$data.ssh_info",
|
||||||
"azure_info": "$data.Azure",
|
"azure_info": "$data.Azure",
|
||||||
}
|
}
|
||||||
|
@ -30,15 +33,6 @@ class T1082(AttackTechnique):
|
||||||
"used": {"$and": [{"$gt": ["$aws", {}]}]},
|
"used": {"$and": [{"$gt": ["$aws", {}]}]},
|
||||||
"name": {"$literal": "Amazon Web Services info"},
|
"name": {"$literal": "Amazon Web Services info"},
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"used": {
|
|
||||||
"$and": [
|
|
||||||
{"$ifNull": ["$process_list", False]},
|
|
||||||
{"$gt": ["$process_list", {}]},
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"name": {"$literal": "Running process list"},
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"used": {
|
"used": {
|
||||||
"$and": [{"$ifNull": ["$ssh_info", False]}, {"$ne": ["$ssh_info", []]}]
|
"$and": [{"$ifNull": ["$ssh_info", False]}, {"$ne": ["$ssh_info", []]}]
|
||||||
|
@ -62,19 +56,51 @@ class T1082(AttackTechnique):
|
||||||
{"$replaceRoot": {"newRoot": "$_id"}},
|
{"$replaceRoot": {"newRoot": "$_id"}},
|
||||||
]
|
]
|
||||||
|
|
||||||
|
query_for_pbas = [
|
||||||
|
{
|
||||||
|
"$match": {
|
||||||
|
"$and": [
|
||||||
|
{"telem_category": "post_breach"},
|
||||||
|
{"$or": [{"data.name": pba_name} for pba_name in pba_names]},
|
||||||
|
{"$or": [{"data.os": os} for os in relevant_systems]},
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"$project": {
|
||||||
|
"_id": 0,
|
||||||
|
"machine": {
|
||||||
|
"hostname": {"$arrayElemAt": ["$data.hostname", 0]},
|
||||||
|
"ips": [{"$arrayElemAt": ["$data.ip", 0]}],
|
||||||
|
},
|
||||||
|
"collections": [
|
||||||
|
{
|
||||||
|
"used": {"$arrayElemAt": [{"$arrayElemAt": ["$data.result", 0]}, 1]},
|
||||||
|
"name": {"$literal": "List of running processes"},
|
||||||
|
}
|
||||||
|
],
|
||||||
|
}
|
||||||
|
},
|
||||||
|
]
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
system_info = list(mongo.db.telemetry.aggregate(T1082.query))
|
system_info_data = list(
|
||||||
if system_info:
|
mongo.db.telemetry.aggregate(T1082.query_for_system_info_collectors)
|
||||||
|
)
|
||||||
|
pba_data = list(mongo.db.telemetry.aggregate(T1082.query_for_pbas))
|
||||||
|
technique_data = system_info_data + pba_data
|
||||||
|
|
||||||
|
if technique_data:
|
||||||
status = ScanStatus.USED.value
|
status = ScanStatus.USED.value
|
||||||
else:
|
else:
|
||||||
status = ScanStatus.UNSCANNED.value
|
status = ScanStatus.UNSCANNED.value
|
||||||
return (status, system_info)
|
return (status, technique_data)
|
||||||
|
|
||||||
status, system_info = get_technique_status_and_data()
|
status, technique_data = get_technique_status_and_data()
|
||||||
data = {"title": T1082.technique_title()}
|
data = {"title": T1082.technique_title()}
|
||||||
data.update({"system_info": system_info})
|
data.update({"technique_data": technique_data})
|
||||||
|
|
||||||
data.update(T1082.get_mitigation_by_status(status))
|
data.update(T1082.get_mitigation_by_status(status))
|
||||||
data.update(T1082.get_message_and_status(status))
|
data.update(T1082.get_message_and_status(status))
|
||||||
|
|
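Review bot: In `get_technique_status_and_data` the status is derived from `if technique_data:`, so a post-breach telemetry record whose success flag is False (the PBA ran but failed to collect the process list) still marks T1082 as USED, because `query_for_pbas` matches on `data.name` and `data.os` but never on the success element of `data.result`. Either add a `$match` on that success element in the pipeline, or derive the status from the projected flags, e.g. `used = any(c.get("used") for d in technique_data for c in d.get("collections", []))` followed by `status = ScanStatus.USED.value if used else ScanStatus.UNSCANNED.value` — I have not verified the grouped shape of the system-info documents after `$replaceRoot`, so confirm that `collections` is present on both paths before relying on the second option. The `$arrayElemAt` chain `[["$data.result", 0], 1]` presumes `data` is stored as a list of per-command results whose second element is the success flag; a short comment stating that assumption, e.g. `# data.result is [[output, success], ...]; element [0][1] is the success flag`, would keep the next maintainer from reading it as a bug. Note also that the report key changes from `system_info` to `technique_data`, which any consumer of this report outside this diff must follow, and that `get_report_data` continues past the hunk (its `return` is not shown).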