diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py
index f5844e2c0..f792a2082 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py
@@ -19,10 +19,15 @@ class T1003(AttackTechnique):
 @staticmethod
 def get_report_data():
 data = {'title': T1003.technique_title()}
- if mongo.db.telemetry.count_documents(T1003.query):
- status = ScanStatus.USED.value
+
+ if not T1003.is_enabled_in_config():
+ status = ScanStatus.DISABLED.value
 else:
- status = ScanStatus.UNSCANNED.value
+ if mongo.db.telemetry.count_documents(T1003.query):
+ status = ScanStatus.USED.value
+ else:
+ status = ScanStatus.UNSCANNED.value
+
 data.update(T1003.get_message_and_status(status))
 data.update(T1003.get_mitigation_by_status(status))
 data['stolen_creds'] = ReportService.get_stolen_creds()
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py
index cfda065f1..332393b15 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py
@@ -27,8 +27,14 @@ class T1016(AttackTechnique):
 @staticmethod
 def get_report_data():
- network_info = list(mongo.db.telemetry.aggregate(T1016.query))
- status = ScanStatus.USED.value if network_info else ScanStatus.UNSCANNED.value
+ network_info = []
+
+ if not T1016.is_enabled_in_config():
+ status = ScanStatus.DISABLED.value
+ else:
+ network_info = list(mongo.db.telemetry.aggregate(T1016.query))
+ status = ScanStatus.USED.value if network_info else ScanStatus.UNSCANNED.value
+
 data = T1016.get_base_data_by_status(status)
 data.update({'network_info': network_info})
 return data
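Review bot: The DISABLED branch still reaches `data['stolen_creds'] = ReportService.get_stolen_creds()` at the end of the hunk, so a report for a technique the operator switched off still carries the full harvested credential list, presumably rendered right next to the "disabled" message. The sibling T1016 report in the same diff instead emits an empty payload when disabled; T1003 should do the same: initialise `stolen_creds = []` before the `if`, assign `stolen_creds = ReportService.get_stolen_creds()` inside the `else:` branch, and finish with `data['stolen_creds'] = stolen_creds`. Skipping the lookup also saves the database round-trip for a technique that is off.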
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1018.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1018.py
index 65972265d..93c546573 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1018.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1018.py
@@ -28,11 +28,17 @@ class T1018(AttackTechnique):
 @staticmethod
 def get_report_data():
- scan_info = list(mongo.db.telemetry.aggregate(T1018.query))
- if scan_info:
- status = ScanStatus.USED.value
+ scan_info = []
+
+ if not T1018.is_enabled_in_config():
+ status = ScanStatus.DISABLED.value
 else:
- status = ScanStatus.UNSCANNED.value
+ scan_info = list(mongo.db.telemetry.aggregate(T1018.query))
+ if scan_info:
+ status = ScanStatus.USED.value
+ else:
+ status = ScanStatus.UNSCANNED.value
+
 data = T1018.get_base_data_by_status(status)
 data.update({'scan_info': scan_info})
 return data
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1021.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1021.py
index f197724dd..ac6a7ac0b 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1021.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1021.py
@@ -34,18 +34,23 @@ class T1021(AttackTechnique):
 @staticmethod
 def get_report_data():
 attempts = []
- if mongo.db.telemetry.count_documents(T1021.scanned_query):
- attempts = list(mongo.db.telemetry.aggregate(T1021.query))
- if attempts:
- status = ScanStatus.USED.value
- for result in attempts:
- result['successful_creds'] = []
- for attempt in result['attempts']:
- result['successful_creds'].append(parse_creds(attempt))
- else:
- status = ScanStatus.SCANNED.value
+
+ if not T1021.is_enabled_in_config():
+ status = ScanStatus.DISABLED.value
 else:
- status = ScanStatus.UNSCANNED.value
+ if mongo.db.telemetry.count_documents(T1021.scanned_query):
+ attempts = list(mongo.db.telemetry.aggregate(T1021.query))
+ if attempts:
+ status = ScanStatus.USED.value
+ for result in attempts:
+ result['successful_creds'] = []
+ for attempt in result['attempts']:
+ result['successful_creds'].append(parse_creds(attempt))
+ else:
+ status = ScanStatus.SCANNED.value
+ else:
+ status = ScanStatus.UNSCANNED.value
+
 data = T1021.get_base_data_by_status(status)
 data.update({'services': attempts})
 return data
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1041.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1041.py
index 737004111..46738a799 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1041.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1041.py
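Review bot: The new `else:` immediately wraps another `if mongo.db.telemetry.count_documents(T1021.scanned_query):` / `else:` pair, which pushes the credential-parsing loop to five indentation levels. The same three-way status choice reads as a flat chain: replace `else:` plus the nested `if` with `elif mongo.db.telemetry.count_documents(T1021.scanned_query):`, and let the inner `else:` (the UNSCANNED case) become the chain's final `else:`. Behaviour is unchanged and the shape then matches the `if/elif/else` form T1075 and T1210 already use in this diff.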
@@ -13,14 +13,20 @@ class T1041(AttackTechnique):
 @staticmethod
 def get_report_data():
- monkeys = list(Monkey.objects())
- info = [{'src': monkey['command_control_channel']['src'],
- 'dst': monkey['command_control_channel']['dst']}
- for monkey in monkeys if monkey['command_control_channel']]
- if info:
- status = ScanStatus.USED.value
+ info = []
+
+ if not T1041.is_enabled_in_config():
+ status = ScanStatus.DISABLED.value
 else:
- status = ScanStatus.UNSCANNED.value
+ monkeys = list(Monkey.objects())
+ info = [{'src': monkey['command_control_channel']['src'],
+ 'dst': monkey['command_control_channel']['dst']}
+ for monkey in monkeys if monkey['command_control_channel']]
+ if info:
+ status = ScanStatus.USED.value
+ else:
+ status = ScanStatus.UNSCANNED.value
+
 data = T1041.get_base_data_by_status(status)
 data.update({'command_control_channel': info})
 return data
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1059.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1059.py
index 987c24d09..38d7bb1c3 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1059.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1059.py
@@ -23,12 +23,16 @@ class T1059(AttackTechnique):
 @staticmethod
 def get_report_data():
- cmd_data = list(mongo.db.telemetry.aggregate(T1059.query))
- data = {'title': T1059.technique_title(), 'cmds': cmd_data}
- if cmd_data:
- status = ScanStatus.USED.value
+ if not T1059.is_enabled_in_config():
+ status = ScanStatus.DISABLED.value
 else:
- status = ScanStatus.UNSCANNED.value
+ cmd_data = list(mongo.db.telemetry.aggregate(T1059.query))
+ data = {'title': T1059.technique_title(), 'cmds': cmd_data}
+ if cmd_data:
+ status = ScanStatus.USED.value
+ else:
+ status = ScanStatus.UNSCANNED.value
+
 data.update(T1059.get_message_and_status(status))
 data.update(T1059.get_mitigation_by_status(status))
 return data
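Review bot: In the T1059 hunk `data` is never assigned when `T1059.is_enabled_in_config()` is false — the only assignment, `data = {'title': T1059.technique_title(), 'cmds': cmd_data}`, now lives inside the `else:` branch — so the following `data.update(T1059.get_message_and_status(status))` raises `UnboundLocalError` and, presumably, the whole report request fails for anyone who disabled this technique. Initialise `cmd_data = []` before the `if`, drop the `data = ...` line from the `else:` branch, and build `data = {'title': T1059.technique_title(), 'cmds': cmd_data}` after the `if`/`else`, the way T1016 and T1041 handle their payload lists. A unit test calling `get_report_data()` with the technique disabled would have caught this; T1086 later in the diff has the same shape.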
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1075.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1075.py
index 56e5f1e82..82d297234 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1075.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1075.py
@@ -31,14 +31,19 @@ class T1075(AttackTechnique):
 @staticmethod
 def get_report_data():
 data = {'title': T1075.technique_title()}
- successful_logins = list(mongo.db.telemetry.aggregate(T1075.query))
- data.update({'successful_logins': successful_logins})
- if successful_logins:
- status = ScanStatus.USED.value
- elif mongo.db.telemetry.count_documents(T1075.login_attempt_query):
- status = ScanStatus.SCANNED.value
+
+ if not T1075.is_enabled_in_config():
+ status = ScanStatus.DISABLED.value
 else:
- status = ScanStatus.UNSCANNED.value
+ successful_logins = list(mongo.db.telemetry.aggregate(T1075.query))
+ data.update({'successful_logins': successful_logins})
+ if successful_logins:
+ status = ScanStatus.USED.value
+ elif mongo.db.telemetry.count_documents(T1075.login_attempt_query):
+ status = ScanStatus.SCANNED.value
+ else:
+ status = ScanStatus.UNSCANNED.value
+
 data.update(T1075.get_message_and_status(status))
 data.update(T1075.get_mitigation_by_status(status))
 return data
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
index 7e8801000..3b75dc10e 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
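Review bot: With `data.update({'successful_logins': successful_logins})` moved inside the `else:` branch, the dict returned for a disabled T1075 has no `successful_logins` key at all, whereas T1016 and T1018 in this diff always emit their list key (empty when disabled); a consumer that indexes `successful_logins` unconditionally would hit a `KeyError` on the disabled path. Seed the key up front, `data = {'title': T1075.technique_title(), 'successful_logins': []}`, and leave the update in the `else:` branch so the report schema does not depend on the technique being enabled.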
@@ -39,12 +39,17 @@ class T1082(AttackTechnique):
 @staticmethod
 def get_report_data():
 data = {'title': T1082.technique_title()}
- system_info = list(mongo.db.telemetry.aggregate(T1082.query))
- data.update({'system_info': system_info})
- if system_info:
- status = ScanStatus.USED.value
+
+ if not T1082.is_enabled_in_config():
+ status = ScanStatus.DISABLED.value
 else:
- status = ScanStatus.UNSCANNED.value
+ system_info = list(mongo.db.telemetry.aggregate(T1082.query))
+ data.update({'system_info': system_info})
+ if system_info:
+ status = ScanStatus.USED.value
+ else:
+ status = ScanStatus.UNSCANNED.value
+
 data.update(T1082.get_mitigation_by_status(status))
 data.update(T1082.get_message_and_status(status))
 return data
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py
index c40f2e0ca..8ad104cf9 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py
@@ -25,12 +25,15 @@ class T1086(AttackTechnique):
 @staticmethod
 def get_report_data():
- cmd_data = list(mongo.db.telemetry.aggregate(T1086.query))
- data = {'title': T1086.technique_title(), 'cmds': cmd_data}
- if cmd_data:
- status = ScanStatus.USED.value
+ if not T1086.is_enabled_in_config():
+ status = ScanStatus.DISABLED.value
 else:
- status = ScanStatus.UNSCANNED.value
+ cmd_data = list(mongo.db.telemetry.aggregate(T1086.query))
+ data = {'title': T1086.technique_title(), 'cmds': cmd_data}
+ if cmd_data:
+ status = ScanStatus.USED.value
+ else:
+ status = ScanStatus.UNSCANNED.value
 data.update(T1086.get_mitigation_by_status(status))
 data.update(T1086.get_message_and_status(status))
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1090.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1090.py
index f0980637f..f2490e72e 100644
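Review bot: The DISABLED result for T1082 carries no `system_info` key, because `data.update({'system_info': system_info})` now runs only inside the `else:` branch, while the list-backed reports in this diff (T1016, T1018, T1145) always emit their key with an empty list. Seed it in the initial literal, `data = {'title': T1082.technique_title(), 'system_info': []}`, so callers see a stable schema whether or not the technique is enabled. The `get_mitigation_by_status` and `get_message_and_status` calls below are unaffected.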
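Review bot: In the T1086 hunk `data` is unbound on the disabled path: its only assignment, `data = {'title': T1086.technique_title(), 'cmds': cmd_data}`, is now inside the `else:` branch, so `data.update(T1086.get_mitigation_by_status(status))` two lines later raises `UnboundLocalError` whenever the technique is switched off. Initialise `cmd_data = []` before the `if`, remove the `data = ...` line from the `else:` branch, and assign `data = {'title': T1086.technique_title(), 'cmds': cmd_data}` after the `if`/`else`. The function's `return` is outside the hunk.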
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1090.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1090.py
@@ -13,9 +13,15 @@ class T1090(AttackTechnique):
 @staticmethod
 def get_report_data():
- monkeys = Monkey.get_tunneled_monkeys()
- monkeys = [monkey.get_network_info() for monkey in monkeys]
- status = ScanStatus.USED.value if monkeys else ScanStatus.UNSCANNED.value
+ monkeys = []
+
+ if not T1090.is_enabled_in_config():
+ status = ScanStatus.DISABLED.value
+ else:
+ monkeys = Monkey.get_tunneled_monkeys()
+ monkeys = [monkey.get_network_info() for monkey in monkeys]
+ status = ScanStatus.USED.value if monkeys else ScanStatus.UNSCANNED.value
+
 data = T1090.get_base_data_by_status(status)
 data.update({'proxies': monkeys})
 return data
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py
index 63ba68d6f..39eab28e6 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1110.py
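Review bot: Inside the `else:` branch `monkeys` is bound to the Monkey objects from `Monkey.get_tunneled_monkeys()` and then immediately rebound to a list of network-info dicts, and the `monkeys = []` default before the `if` is really the list emitted under `'proxies'`. Naming the emitted list after that key throughout — `proxies = []`, `proxies = [monkey.get_network_info() for monkey in Monkey.get_tunneled_monkeys()]`, `data.update({'proxies': proxies})` — removes the double meaning without changing behaviour.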
@@ -26,21 +26,27 @@ class T1110(AttackTechnique):
 @staticmethod
 def get_report_data():
- attempts = list(mongo.db.telemetry.aggregate(T1110.query))
- succeeded = False
+ attempts = []
- for result in attempts:
- result['successful_creds'] = []
- for attempt in result['attempts']:
- succeeded = True
- result['successful_creds'].append(parse_creds(attempt))
-
- if succeeded:
- status = ScanStatus.USED.value
- elif attempts:
- status = ScanStatus.SCANNED.value
+ if not T1110.is_enabled_in_config():
+ status = ScanStatus.DISABLED.value
 else:
- status = ScanStatus.UNSCANNED.value
+ attempts = list(mongo.db.telemetry.aggregate(T1110.query))
+ succeeded = False
+
+ for result in attempts:
+ result['successful_creds'] = []
+ for attempt in result['attempts']:
+ succeeded = True
+ result['successful_creds'].append(parse_creds(attempt))
+
+ if succeeded:
+ status = ScanStatus.USED.value
+ elif attempts:
+ status = ScanStatus.SCANNED.value
+ else:
+ status = ScanStatus.UNSCANNED.value
+
 data = T1110.get_base_data_by_status(status)
 # Remove data with no successful brute force attempts
 attempts = [attempt for attempt in attempts if attempt['attempts']]
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1145.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1145.py
index 736192b1f..1089e1027 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1145.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1145.py
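Review bot: The `succeeded` flag on the new side is set inside the inner `for attempt in result['attempts']:` loop, so it only records "some result had a non-empty attempts list" — the same predicate the filter at the end of the hunk applies. It can be computed directly, `succeeded = any(result['attempts'] for result in attempts)`, leaving the loop to do just the `parse_creds` work and the status to follow from a plain `if succeeded` / `elif attempts` / `else` without a mutable flag. The rest of `get_report_data` (the final `data.update` and `return`) is outside the hunk.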
@@ -20,12 +20,17 @@ class T1145(AttackTechnique):
 @staticmethod
 def get_report_data():
- ssh_info = list(mongo.db.telemetry.aggregate(T1145.query))
+ ssh_info = []
- if ssh_info:
- status = ScanStatus.USED.value
+ if not T1145.is_enabled_in_config():
+ status = ScanStatus.DISABLED.value
 else:
- status = ScanStatus.UNSCANNED.value
+ ssh_info = list(mongo.db.telemetry.aggregate(T1145.query))
+ if ssh_info:
+ status = ScanStatus.USED.value
+ else:
+ status = ScanStatus.UNSCANNED.value
+
 data = T1145.get_base_data_by_status(status)
 data.update({'ssh_info': ssh_info})
 return data
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1188.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1188.py
index 09e0edcdf..269fa4148 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1188.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1188.py
@@ -13,19 +13,25 @@ class T1188(AttackTechnique):
 @staticmethod
 def get_report_data():
- monkeys = Monkey.get_tunneled_monkeys()
 hops = []
- for monkey in monkeys:
- proxy_count = 0
- proxy = initial = monkey
- while proxy.tunnel:
- proxy_count += 1
- proxy = proxy.tunnel
- if proxy_count > 1:
- hops.append({'from': initial.get_network_info(),
- 'to': proxy.get_network_info(),
- 'count': proxy_count})
- status = ScanStatus.USED.value if hops else ScanStatus.UNSCANNED.value
+
+ if not T1188.is_enabled_in_config():
+ status = ScanStatus.DISABLED.value
+ else:
+ monkeys = Monkey.get_tunneled_monkeys()
+ hops = []
+ for monkey in monkeys:
+ proxy_count = 0
+ proxy = initial = monkey
+ while proxy.tunnel:
+ proxy_count += 1
+ proxy = proxy.tunnel
+ if proxy_count > 1:
+ hops.append({'from': initial.get_network_info(),
+ 'to': proxy.get_network_info(),
+ 'count': proxy_count})
+ status = ScanStatus.USED.value if hops else ScanStatus.UNSCANNED.value
+
 data = T1188.get_base_data_by_status(status)
 data.update({'hops': hops})
 return data
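Review bot: In the T1188 hunk `hops = []` is assigned twice on the new side — once before the `if`, where it is needed as the DISABLED default, and again as the first line of the `else:` branch, where it merely re-creates the same empty list; drop the inner one. The hop walk itself (`while proxy.tunnel: proxy = proxy.tunnel`) is unchanged by this commit, though note it has no guard against a `tunnel` chain that loops back on itself — that predates the change, but is worth a `# assumes tunnel chains are acyclic` comment.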
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1210.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1210.py
index 8fe86ed61..2df22c8ef 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1210.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1210.py
@@ -13,15 +13,22 @@ class T1210(AttackTechnique):
 @staticmethod
 def get_report_data():
+ scanned_services = []
+ exploited_services = []
 data = {'title': T1210.technique_title()}
- scanned_services = T1210.get_scanned_services()
- exploited_services = T1210.get_exploited_services()
- if exploited_services:
- status = ScanStatus.USED.value
- elif scanned_services:
- status = ScanStatus.SCANNED.value
+
+ if not T1210.is_enabled_in_config():
+ status = ScanStatus.DISABLED.value
 else:
- status = ScanStatus.UNSCANNED.value
+ scanned_services = T1210.get_scanned_services()
+ exploited_services = T1210.get_exploited_services()
+ if exploited_services:
+ status = ScanStatus.USED.value
+ elif scanned_services:
+ status = ScanStatus.SCANNED.value
+ else:
+ status = ScanStatus.UNSCANNED.value
+
 data.update(T1210.get_message_and_status(status))
 data.update(T1210.get_mitigation_by_status(status))
 data.update({'scanned_services': scanned_services, 'exploited_services': exploited_services})
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py b/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py
index 3cc79ae17..c380269f5 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py
@@ -63,7 +63,7 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
 Gets the status of a certain attack technique.
 :return: ScanStatus numeric value
 """
- if cls._is_disabled_in_config():
+ if not cls.is_enabled_in_config():
 return ScanStatus.DISABLED.value
 elif mongo.db.telemetry.find_one({'telem_category': 'attack',
 'data.status': ScanStatus.USED.value,
@@ -83,7 +83,6 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
 :param status: Enum from common/attack_utils.py integer value
 :return: Dict with message and status
 """
- status = cls._check_status(status)
 return {'message': cls.get_message_by_status(status), 'status': status}
 @classmethod
@@ -93,7 +92,6 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
 :param status: Enum from common/attack_utils.py integer value
 :return: message string
 """
- status = cls._check_status(status)
 if status == ScanStatus.DISABLED.value:
 return disabled_msg
 if status == ScanStatus.UNSCANNED.value:
@@ -127,7 +125,6 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
 @classmethod
 def get_base_data_by_status(cls, status):
- status = cls._check_status(status)
 data = cls.get_message_and_status(status)
 data.update({'title': cls.technique_title()})
 data.update(cls.get_mitigation_by_status(status))
@@ -135,7 +132,6 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
 @classmethod
 def get_mitigation_by_status(cls, status: ScanStatus) -> dict:
- status = cls._check_status(status)
 if status == ScanStatus.USED.value:
 mitigation_document = AttackMitigations.get_mitigation_by_technique_id(str(cls.tech_id))
 return {'mitigations': mitigation_document.to_mongo().to_dict()['mitigations']}
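Review bot: Removing `status = cls._check_status(status)` from `get_message_and_status`, `get_message_by_status`, `get_base_data_by_status` and `get_mitigation_by_status` makes the base class trust whatever status a subclass hands it, so any `AttackTechnique` subclass not updated in this commit (if one exists outside the diff) will now show a disabled technique as UNSCANNED instead of DISABLED, and the same enabled/disabled decision is now copy-pasted into fourteen `get_report_data` bodies. A two-line fallback at the top of `get_message_and_status`, `if status == ScanStatus.UNSCANNED.value and not cls.is_enabled_in_config():` / `status = ScanStatus.DISABLED.value`, costs one config read and keeps the report data consistent with `get_status` at the top of this hunk, which still checks the config itself. Longer term the early `is_enabled_in_config()` check belongs in one base-class entry point so subclasses implement only the enabled path.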
@@ -143,11 +139,5 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
 return {}
 @classmethod
- def _check_status(cls, status):
- if status == ScanStatus.UNSCANNED.value and not cls._is_enabled_in_config():
- return ScanStatus.DISABLED.value
- return status
-
- @classmethod
- def _is_disabled_in_config(cls):
- return not AttackConfig.get_technique_values()[cls.tech_id]
+ def is_enabled_in_config(cls) -> bool:
+ return AttackConfig.get_technique_values()[cls.tech_id]
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py b/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py
index 393bbc9db..06c10a627 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py
@@ -39,16 +39,19 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
 :return: Technique's report data aggregated from the database
 """
 data = {'title': cls.technique_title(), 'info': []}
+ info = []
- info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names)))
-
- status = ScanStatus.UNSCANNED.value
- if info:
- successful_PBAs = mongo.db.telemetry.count({
- '$or': [{'data.name': pba_name} for pba_name in cls.pba_names],
- 'data.result.1': True
- })
- status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
+ if not cls.is_enabled_in_config():
+ status = ScanStatus.DISABLED.value
+ else:
+ info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names)))
+ status = ScanStatus.UNSCANNED.value
+ if info:
+ successful_PBAs = mongo.db.telemetry.count({
+ '$or': [{'data.name': pba_name} for pba_name in cls.pba_names],
+ 'data.result.1': True
+ })
+ status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
 data.update(cls.get_base_data_by_status(status))
 data.update({'info': info})
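Review bot: `is_enabled_in_config` is annotated `-> bool` but returns the raw value stored under `cls.tech_id` in `AttackConfig.get_technique_values()`, and it raises `KeyError` for a technique id with no config entry — now reachable from every report's `get_report_data`, not just from the old private helper. Coerce the result, `return bool(AttackConfig.get_technique_values()[cls.tech_id])`, and decide explicitly what a missing key means: `.get(cls.tech_id, False)` fails closed (the technique reports as disabled), or keep the `KeyError` and state it in a docstring such as `"""True if the technique is switched on in the ATT&CK config; raises KeyError if tech_id has no entry."""`. Being public now, the method deserves that docstring either way.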
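Review bot: In the pba_technique hunk the new `info = []` default makes the `'info': []` entry in the `data = {...}` literal just above it redundant, since `data.update({'info': info})` at the end of the hunk always overwrites it; start from `data = {'title': cls.technique_title()}` so the key is set in exactly one place. Separately, the `mongo.db.telemetry.count({...})` call that moved into the `else:` branch still uses `Collection.count`, which PyMongo deprecated and removed in 4.0, while T1003 and T1021 in this same diff already use `count_documents`; `mongo.db.telemetry.count_documents({...})` keeps the reports consistent before a driver upgrade breaks this one. The enclosing `get_report_data` continues past the end of the hunk.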