Proxy attack techniques implemented

This commit is contained in:
VakarisZ 2019-07-12 11:12:34 +03:00
parent 35a288bb6a
commit a9b62fdd75
4 changed files with 92 additions and 2 deletions


@ -1,7 +1,7 @@
import logging
from monkey_island.cc.models import Monkey
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107
from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
from monkey_island.cc.services.attack.attack_config import AttackConfig
from monkey_island.cc.database import mongo
@ -24,7 +24,8 @@ TECHNIQUES = {'T1210': T1210.T1210,
'T1035': T1035.T1035,
'T1129': T1129.T1129,
'T1106': T1106.T1106,
'T1107': T1107.T1107}
'T1107': T1107.T1107,
'T1188': T1188.T1188}
REPORT_NAME = 'new_report'
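Review bot: The T1090 report class that this commit adds is never registered here — the import line only grows by `T1188` and the `TECHNIQUES` dict only gains `'T1188': T1188.T1188`, so, assuming `TECHNIQUES` is what drives report generation as the other entries suggest, the T1090 option exposed in the attack schema will never produce a report section. Add `T1090` to the `technique_reports` import and insert `'T1090': T1090.T1090,` next to the `T1188` entry. The `TECHNIQUES` dict begins before this hunk, so check no other technique was left out the same way.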


@ -186,6 +186,22 @@ SCHEMA = {
"necessary": True,
"description": "Adversaries may conduct C2 communications over a non-standard "
"port to bypass proxies and firewalls that have been improperly configured."
},
"T1090": {
"title": "T1090 Connection proxy",
"type": "bool",
"value": True,
"necessary": True,
"description": "A connection proxy is used to direct network traffic between systems "
"or act as an intermediary for network communications."
},
"T1188": {
"title": "T1188 Multi-hop proxy",
"type": "bool",
"value": True,
"necessary": True,
"description": "To disguise the source of malicious traffic, "
"adversaries may chain together multiple proxies."
}
}
},


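--- /dev/null
+++ b/monkey_island/cc/services/attack/technique_reports/T1090.py
@@ -0,0 +1,34 @@
+from monkey_island.cc.services.attack.technique_reports import AttackTechnique
+from common.utils.attack_utils import ScanStatus
+from monkey_island.cc.database import mongo
+__author__ = "VakarisZ"
+class T1090(AttackTechnique):
+    tech_id = "T1090"
+    unscanned_msg = "Monkey didn't use connection proxy."
+    scanned_msg = ""
+    used_msg = "Monkey used connection proxy."
+    query = [{'$match': {'telem_category': 'exploit',
+                         'data.info.executed_cmds': {'$exists': True, '$ne': []}}},
+             {'$unwind': '$data.info.executed_cmds'},
+             {'$sort': {'data.info.executed_cmds.powershell': 1}},
+             {'$project': {'_id': 0,
+                           'machine': '$data.machine',
+                           'info': '$data.info'}},
+             {'$group': {'_id': '$machine', 'data': {'$push': '$$ROOT'}}},
+             {'$project': {'_id': 0, 'data': {'$arrayElemAt': ['$data', 0]}}}]
+    @staticmethod
+    def get_report_data():
+        cmd_data = list(mongo.db.telemetry.aggregate(T1090.query))
+        data = {'title': T1090.technique_title(), 'cmds': cmd_data}
+        if cmd_data:
+            status = ScanStatus.USED.value
+        else:
+            status = ScanStatus.UNSCANNED.value
+        data.update(T1090.get_message_and_status(status))
+        return data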
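Review bot: `get_report_data` decides "Monkey used connection proxy" from the wrong evidence: the `query` pipeline matches exploit telemetry that has a non-empty `executed_cmds` list and sorts by `powershell`, which is the command-execution report's query and says nothing about proxying, so any exploited host with one recorded command makes the report claim T1090 was used. The T1188 file in this same commit shows the real signal — a monkey whose `tunnel` field is set relayed through another monkey (`Monkey.objects(tunnel__exists=True)`) — so this class should read that instead and drop the copied `query`; that swaps the `mongo` import for `from monkey_island.cc.models.monkey import Monkey`. Whatever renders this report presumably reads the `cmds` key, so it will need to follow the new key; I could not see that consumer here.
```python
class T1090(AttackTechnique):
    # … unchanged: tech_id and the three message strings; the copied `query` is removed …

    @staticmethod
    def get_report_data():
        """Report T1090 as used when any monkey tunnelled its island traffic through another monkey."""
        # `tunnel` is set only on monkeys that relay through a proxy (the same source T1188 uses);
        # executed_cmds telemetry carries no information about proxying.
        tunneled = list(Monkey.objects(tunnel__exists=True))
        status = ScanStatus.USED.value if tunneled else ScanStatus.UNSCANNED.value
        data = {'title': T1090.technique_title(),
                'proxied_monkeys': [{'monkey': str(m.id), 'proxy': str(m.tunnel)} for m in tunneled]}
        data.update(T1090.get_message_and_status(status))
        return data
```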


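--- /dev/null
+++ b/monkey_island/cc/services/attack/technique_reports/T1188.py
@@ -0,0 +1,39 @@
+from monkey_island.cc.services.attack.technique_reports import AttackTechnique
+from monkey_island.cc.models.monkey import Monkey
+__author__ = "VakarisZ"
+class T1188(AttackTechnique):
+    tech_id = "T1188"
+    unscanned_msg = "Monkey didn't use multi-hop proxy."
+    scanned_msg = ""
+    used_msg = "Monkey used multi-hop proxy."
+    query = [{'$match': {'telem_category': 'exploit',
+                         'data.info.executed_cmds': {'$exists': True, '$ne': []}}},
+             {'$unwind': '$data.info.executed_cmds'},
+             {'$sort': {'data.info.executed_cmds.powershell': 1}},
+             {'$project': {'_id': 0,
+                           'machine': '$data.machine',
+                           'info': '$data.info'}},
+             {'$group': {'_id': '$machine', 'data': {'$push': '$$ROOT'}}},
+             {'$project': {'_id': 0, 'data': {'$arrayElemAt': ['$data', 0]}}}]
+    @staticmethod
+    def get_report_data():
+        monkeys = T1188.get_tunneled_monkeys()
+        for monkey in monkeys:
+            proxy_chain = 0
+            proxy = Monkey.objects(id=monkey.tunnel)
+            while proxy:
+                proxy_chain += 1
+                proxy = Monkey.objects(id=monkey.tunnel)
+        data = {'title': T1188.technique_title()}
+        return data
+    @staticmethod
+    def get_tunneled_monkeys():
+        return Monkey.objects(tunnel__exists=True)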
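Review bot: The `while proxy:` loop in `get_report_data` never terminates once a single tunneled monkey exists, because its body re-runs `Monkey.objects(id=monkey.tunnel)` with the same `monkey` instead of following the proxy's own `tunnel`, so `proxy` is the same non-empty query set on every iteration; a chain of tunnel records that loops back on itself would hang it even after that fix, so the walk needs a visited set. Even where the loop does exit, `proxy_chain` is thrown away and the returned dict carries only a title — unlike T1090, nothing calls `get_message_and_status`, so the report gets neither a status nor a message — and `query` is an unused copy of the command-execution pipeline that should go. The rewrite below follows `proxy.tunnel` hop by hop (`Monkey.objects(...)` returns a query set, hence `.first()`), guards against cycles, and marks the technique USED when some monkey sits behind two or more hops (I take a single hop to be T1090 rather than multi-hop; lower the threshold to `> 0` if one hop is meant to count); it needs `from common.utils.attack_utils import ScanStatus`, which this file does not import yet.
```python
class T1188(AttackTechnique):
    # … unchanged: tech_id and the three message strings; `query` removed (unused) …

    @staticmethod
    def get_report_data():
        """Report T1188 as used when some monkey reached the island through two or more proxy hops."""
        chains = {str(m.id): T1188._proxy_chain_length(m) for m in T1188.get_tunneled_monkeys()}
        multi_hop = any(hops > 1 for hops in chains.values())
        status = ScanStatus.USED.value if multi_hop else ScanStatus.UNSCANNED.value
        data = {'title': T1188.technique_title(), 'proxy_chains': chains}
        data.update(T1188.get_message_and_status(status))
        return data

    @staticmethod
    def _proxy_chain_length(monkey):
        """Count tunnel hops from `monkey` to the island by following each proxy's own `tunnel`."""
        seen = set()
        hops = 0
        proxy = Monkey.objects(id=monkey.tunnel).first()
        while proxy is not None and proxy.id not in seen:  # `seen` breaks a cycle in tunnel records
            seen.add(proxy.id)
            hops += 1
            proxy = Monkey.objects(id=proxy.tunnel).first() if proxy.tunnel else None
        return hops

    # … unchanged: get_tunneled_monkeys …
```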