p15670423
/
monkey
1
0
Fork 5
Code Issues Pull Requests 3 Projects Releases Wiki Activity

Merge pull request #693 from shreyamalviya/mongo-search-T1136 

Use mongo search for T1136's report data
This commit is contained in:
Shreya Malviya 2020-07-13 19:06:35 +05:30 committed by GitHub
parent 37a93e78f9 e12374b7d3
commit 8c255ece06
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
View File

@ -1,5 +1,5 @@
from monkey_island.cc.services.attack.technique_reports import AttackTechnique from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from monkey_island.cc.services.reporting.report import ReportService from monkey_island.cc.database import mongo
from common.utils.attack_utils import ScanStatus from common.utils.attack_utils import ScanStatus
from common.data.post_breach_consts import POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER from common.data.post_breach_consts import POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER
@ -12,27 +12,27 @@ class T1136(AttackTechnique):
scanned_msg = "Monkey tried creating a new user on the network's systems, but failed." scanned_msg = "Monkey tried creating a new user on the network's systems, but failed."
used_msg = "Monkey created a new user on the network's systems." used_msg = "Monkey created a new user on the network's systems."
query = [{'$match': {'telem_category': 'post_breach',
'$or': [{'data.name': POST_BREACH_BACKDOOR_USER},
{'data.name': POST_BREACH_COMMUNICATE_AS_NEW_USER}]}},
{'$project': {'_id': 0,
'machine': {'hostname': '$data.hostname',
'ips': ['$data.ip']},
'result': '$data.result'}}]
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
data = {'title': T1136.technique_title()} data = {'title': T1136.technique_title()}
scanned_nodes = ReportService.get_scanned() create_user_info = list(mongo.db.telemetry.aggregate(T1136.query))
status = ScanStatus.UNSCANNED.value status = ScanStatus.UNSCANNED.value
for node in scanned_nodes: if create_user_info:
if node['pba_results'] != 'None': successful_PBAs = mongo.db.telemetry.count({'$or': [{'data.name': POST_BREACH_BACKDOOR_USER},
for pba in node['pba_results']: {'data.name': POST_BREACH_COMMUNICATE_AS_NEW_USER}],
if pba['name'] in [POST_BREACH_BACKDOOR_USER, 'data.result.1': True})
POST_BREACH_COMMUNICATE_AS_NEW_USER]: status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
status = ScanStatus.USED.value if pba['result'][1]\
else ScanStatus.SCANNED.value data.update(T1136.get_base_data_by_status(status))
data.update({ data.update({'info': create_user_info})
'info': [{
'machine': {
'hostname': pba['hostname'],
'ips': node['ip_addresses'],
},
'result': ': '.join([pba['name'], pba['result'][0]])
}]
})
data.update(T1136.get_base_data_by_status(status))
return data return data