Merge pull request #693 from shreyamalviya/mongo-search-T1136
Use mongo search for T1136's report data
This commit is contained in:
commit
8c255ece06
|
@ -1,5 +1,5 @@
|
||||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||||
from monkey_island.cc.services.reporting.report import ReportService
|
from monkey_island.cc.database import mongo
|
||||||
from common.utils.attack_utils import ScanStatus
|
from common.utils.attack_utils import ScanStatus
|
||||||
from common.data.post_breach_consts import POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER
|
from common.data.post_breach_consts import POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER
|
||||||
|
|
||||||
|
@ -12,27 +12,27 @@ class T1136(AttackTechnique):
|
||||||
scanned_msg = "Monkey tried creating a new user on the network's systems, but failed."
|
scanned_msg = "Monkey tried creating a new user on the network's systems, but failed."
|
||||||
used_msg = "Monkey created a new user on the network's systems."
|
used_msg = "Monkey created a new user on the network's systems."
|
||||||
|
|
||||||
|
query = [{'$match': {'telem_category': 'post_breach',
|
||||||
|
'$or': [{'data.name': POST_BREACH_BACKDOOR_USER},
|
||||||
|
{'data.name': POST_BREACH_COMMUNICATE_AS_NEW_USER}]}},
|
||||||
|
{'$project': {'_id': 0,
|
||||||
|
'machine': {'hostname': '$data.hostname',
|
||||||
|
'ips': ['$data.ip']},
|
||||||
|
'result': '$data.result'}}]
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
data = {'title': T1136.technique_title()}
|
data = {'title': T1136.technique_title()}
|
||||||
|
|
||||||
scanned_nodes = ReportService.get_scanned()
|
create_user_info = list(mongo.db.telemetry.aggregate(T1136.query))
|
||||||
|
|
||||||
status = ScanStatus.UNSCANNED.value
|
status = ScanStatus.UNSCANNED.value
|
||||||
for node in scanned_nodes:
|
if create_user_info:
|
||||||
if node['pba_results'] != 'None':
|
successful_PBAs = mongo.db.telemetry.count({'$or': [{'data.name': POST_BREACH_BACKDOOR_USER},
|
||||||
for pba in node['pba_results']:
|
{'data.name': POST_BREACH_COMMUNICATE_AS_NEW_USER}],
|
||||||
if pba['name'] in [POST_BREACH_BACKDOOR_USER,
|
'data.result.1': True})
|
||||||
POST_BREACH_COMMUNICATE_AS_NEW_USER]:
|
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
|
||||||
status = ScanStatus.USED.value if pba['result'][1]\
|
|
||||||
else ScanStatus.SCANNED.value
|
|
||||||
data.update({
|
|
||||||
'info': [{
|
|
||||||
'machine': {
|
|
||||||
'hostname': pba['hostname'],
|
|
||||||
'ips': node['ip_addresses'],
|
|
||||||
},
|
|
||||||
'result': ': '.join([pba['name'], pba['result'][0]])
|
|
||||||
}]
|
|
||||||
})
|
|
||||||
data.update(T1136.get_base_data_by_status(status))
|
data.update(T1136.get_base_data_by_status(status))
|
||||||
|
data.update({'info': create_user_info})
|
||||||
return data
|
return data
|
||||||
|
|
Loading…
Reference in New Issue