Merge pull request #1522 from guardicore/update-t1086-reporting

Update T1086 (PowerShell) reporting to include PBA results

CHANGELOG.md

@@ -16,6 +16,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
   as backdoor user". #1410
 - Resetting login credentials also cleans the contents of the database. #1495
 - ATT&CK report messages (more accurate now). #1483
+- T1086 (PowerShell) now also reports if ps1 scripts were run by PBAs. #1513
 
 ### Removed
 - Internet access check on agent start. #1402

monkey/monkey_island/cc/services/attack/technique_reports/T1086.py

@@ -10,17 +10,18 @@ class T1086(AttackTechnique):
     scanned_msg = ""
     used_msg = "Monkey successfully ran PowerShell commands on exploited machines in the network."
 
-    query = [
+    query_for_exploits = [
         {
             "$match": {
                 "telem_category": "exploit",
                 "data.info.executed_cmds": {"$elemMatch": {"powershell": True}},
             }
         },
-        {"$project": {"machine": "$data.machine", "info": "$data.info"}},
+        {"$project": {"telem_category": 1, "machine": "$data.machine", "info": "$data.info"}},
         {
             "$project": {
                 "_id": 0,
+                "telem_category": 1,
                 "machine": 1,
                 "info.finished": 1,
                 "info.executed_cmds": {
@@ -35,11 +36,36 @@ class T1086(AttackTechnique):
         {"$group": {"_id": "$machine", "data": {"$push": "$$ROOT"}}},
     ]
 
+    query_for_pbas = [
+        {
+            "$match": {
+                "telem_category": "post_breach",
+                "$or": [
+                    {"data.command": {"$regex": r"\.ps1"}},
+                    {"data.command": {"$regex": "powershell"}},
+                    {"data.result": {"$regex": r"\.ps1"}},
+                ],
+            },
+        },
+        {
+            "$project": {
+                "_id": 0,
+                "telem_category": 1,
+                "machine.hostname": "$data.hostname",
+                "machine.ips": [{"$arrayElemAt": ["$data.ip", 0]}],
+                "info": "$data.result",
+            }
+        },
+    ]
+
     @staticmethod
     def get_report_data():
         @T1086.is_status_disabled
         def get_technique_status_and_data():
-            cmd_data = list(mongo.db.telemetry.aggregate(T1086.query))
+            exploit_cmd_data = list(mongo.db.telemetry.aggregate(T1086.query_for_exploits))
+            pba_cmd_data = list(mongo.db.telemetry.aggregate(T1086.query_for_pbas))
+            cmd_data = exploit_cmd_data + pba_cmd_data
+
             if cmd_data:
                 status = ScanStatus.USED.value
             else:

monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js

@@ -1,6 +1,6 @@
 import React from 'react';
 import ReactTable from 'react-table';
-import {renderMachine, ScanStatus} from './Helpers'
+import {renderMachine, renderMachineFromSystemData, ScanStatus} from './Helpers'
 import MitigationsComponent from './MitigationsComponent';
 
 
@@ -10,9 +10,9 @@ class T1086 extends React.Component {
     super(props);
   }
 
-  static getPowershellColumns() {
+  static getPowershellColumnsForExploits() {
     return ([{
-      Header: 'Example Powershell commands used',
+      Header: 'Exploiters',
       columns: [
         {
           Header: 'Machine',
@@ -32,18 +32,72 @@ class T1086 extends React.Component {
     }])
   }
 
+  static getPowershellColumnsForPBAs() {
+    return ([{
+      Header: 'Post-Breach Actions',
+      columns: [
+        {
+          Header: 'Machine',
+          id: 'machine',
+          accessor: x => renderMachineFromSystemData(x.machine),
+          style: {'whiteSpace': 'unset'}
+        },
+        {
+          Header: 'Information',
+          id: 'information',
+          accessor: x => x.info,
+          style: {'whiteSpace': 'unset'}
+        }
+      ]
+    }])
+  }
+
+  segregatePowershellDataPerCategory() {
+    let exploitCategoryName = 'exploit';
+    let pbaCategoryName = 'post_breach';
+
+    let dataFromExploits = [];
+    let dataFromPBAs = [];
+
+    for (let rowIdx in this.props.data.cmds) {
+      let row = this.props.data.cmds[rowIdx];
+      if (row.telem_category == exploitCategoryName) {
+        dataFromExploits.push(row);
+      }
+      else if (row.telem_category == pbaCategoryName) {
+        dataFromPBAs.push(row);
+      }
+    }
+
+    return [dataFromExploits, dataFromPBAs]
+  }
+
   render() {
+    let segregatedData = this.segregatePowershellDataPerCategory();
+    let dataFromExploits = segregatedData[0];
+    let dataFromPBAs = segregatedData[1];
+
     return (
       <div>
         <div>{this.props.data.message_html}</div>
         <br/>
         {this.props.data.status === ScanStatus.USED ?
+          <div>
           <ReactTable
-            columns={T1086.getPowershellColumns()}
+            columns={T1086.getPowershellColumnsForExploits()}
-            data={this.props.data.cmds}
+            data={dataFromExploits}
             showPagination={false}
-            defaultPageSize={this.props.data.cmds.length}
+            defaultPageSize={dataFromExploits.length}
-          /> : ''}
+          />
+          <br/>
+          <br/>
+          <ReactTable
+            columns={T1086.getPowershellColumnsForPBAs()}
+            data={dataFromPBAs}
+            showPagination={false}
+            defaultPageSize={dataFromPBAs.length}
+          />
+          </div> : ''}
         <MitigationsComponent mitigations={this.props.data.mitigations}/>
       </div>
     );