Implemented data collection from local system attack technique

This commit is contained in:
VakarisZ 2019-07-18 09:47:31 +03:00
parent 69de938a37
commit ab461ef8d3
9 changed files with 124 additions and 4 deletions

View File

@ -3,6 +3,9 @@ import pwd
import os import os
import glob import glob
from common.utils.attack_utils import ScanStatus
from infection_monkey.telemetry.attack.t1005_telem import T1005Telem
__author__ = 'VakarisZ' __author__ = 'VakarisZ'
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
@ -71,6 +74,7 @@ class SSHCollector(object):
if private_key.find('ENCRYPTED') == -1: if private_key.find('ENCRYPTED') == -1:
info['private_key'] = private_key info['private_key'] = private_key
LOG.info("Found private key in %s" % private) LOG.info("Found private key in %s" % private)
T1005Telem(ScanStatus.USED, 'SSH key', "Path: %s" % private).send()
else: else:
continue continue
except (IOError, OSError): except (IOError, OSError):

View File

@ -5,6 +5,9 @@ import json
import glob import glob
import subprocess import subprocess
from common.utils.attack_utils import ScanStatus
from infection_monkey.telemetry.attack.t1005_telem import T1005Telem
__author__ = 'danielg' __author__ = 'danielg'
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
@ -54,6 +57,7 @@ class AzureCollector(object):
decrypt_proc = subprocess.Popen(decrypt_command.split(), stdout=subprocess.PIPE, stdin=subprocess.PIPE) decrypt_proc = subprocess.Popen(decrypt_command.split(), stdout=subprocess.PIPE, stdin=subprocess.PIPE)
decrypt_raw = decrypt_proc.communicate(input=b64_result)[0] decrypt_raw = decrypt_proc.communicate(input=b64_result)[0]
decrypt_data = json.loads(decrypt_raw) decrypt_data = json.loads(decrypt_raw)
T1005Telem(ScanStatus.USED, 'Azure credentials', "Path: %s" % filepath).send()
return decrypt_data['username'], decrypt_data['password'] return decrypt_data['username'], decrypt_data['password']
except IOError: except IOError:
LOG.warning("Failed to parse VM Access plugin file. Could not open file") LOG.warning("Failed to parse VM Access plugin file. Could not open file")
@ -92,6 +96,7 @@ class AzureCollector(object):
# this is disgusting but the alternative is writing the file to disk... # this is disgusting but the alternative is writing the file to disk...
password_raw = ps_out.split('\n')[-2].split(">")[1].split("$utf8content")[1] password_raw = ps_out.split('\n')[-2].split(">")[1].split("$utf8content")[1]
password = json.loads(password_raw)["Password"] password = json.loads(password_raw)["Password"]
T1005Telem(ScanStatus.USED, 'Azure credentials', "Path: %s" % filepath).send()
return username, password return username, password
except IOError: except IOError:
LOG.warning("Failed to parse VM Access plugin file. Could not open file") LOG.warning("Failed to parse VM Access plugin file. Could not open file")

View File

@ -0,0 +1,22 @@
from infection_monkey.telemetry.attack.attack_telem import AttackTelem
class T1005Telem(AttackTelem):
def __init__(self, status, _type, info=""):
"""
T1005 telemetry.
:param status: ScanStatus of technique
:param _type: Type of data collected
:param info: Additional info about data
"""
super(T1005Telem, self).__init__('T1005', status)
self._type = _type
self.info = info
def get_data(self):
data = super(T1005Telem, self).get_data()
data.update({
'type': self._type,
'info': self.info
})
return data

View File

@ -3,7 +3,7 @@ import logging
from monkey_island.cc.models import Monkey from monkey_island.cc.models import Monkey
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082 from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188 from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222 from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005
from monkey_island.cc.services.attack.attack_config import AttackConfig from monkey_island.cc.services.attack.attack_config import AttackConfig
from monkey_island.cc.database import mongo from monkey_island.cc.database import mongo
@ -30,7 +30,8 @@ TECHNIQUES = {'T1210': T1210.T1210,
'T1188': T1188.T1188, 'T1188': T1188.T1188,
'T1090': T1090.T1090, 'T1090': T1090.T1090,
'T1041': T1041.T1041, 'T1041': T1041.T1041,
'T1222': T1222.T1222} 'T1222': T1222.T1222,
'T1005': T1005.T1005}
REPORT_NAME = 'new_report' REPORT_NAME = 'new_report'

View File

@ -182,6 +182,20 @@ SCHEMA = {
} }
} }
}, },
"collection": {
"title": "Collection",
"type": "object",
"properties": {
"T1005": {
"title": "T1005 Data from local system",
"type": "bool",
"value": True,
"necessary": False,
"description": "Sensitive data can be collected from local system sources, such as the file system "
"or databases of information residing on the system prior to Exfiltration."
}
}
},
"command_and_control": { "command_and_control": {
"title": "Command and Control", "title": "Command and Control",
"type": "object", "type": "object",

View File

@ -0,0 +1,34 @@
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from monkey_island.cc.database import mongo
__author__ = "VakarisZ"
class T1005(AttackTechnique):
tech_id = "T1005"
unscanned_msg = "Monkey didn't gather any sensitive data from local system."
scanned_msg = ""
used_msg = "Monkey successfully gathered sensitive data from local system."
query = [{'$match': {'telem_category': 'attack',
'data.technique': tech_id}},
{'$lookup': {'from': 'monkey',
'localField': 'monkey_guid',
'foreignField': 'guid',
'as': 'monkey'}},
{'$project': {'monkey': {'$arrayElemAt': ['$monkey', 0]},
'status': '$data.status',
'type': '$data.type',
'info': '$data.info'}},
{'$addFields': {'_id': 0,
'machine': {'hostname': '$monkey.hostname', 'ips': '$monkey.ip_addresses'},
'monkey': 0}},
{'$group': {'_id': {'machine': '$machine', 'type': '$type', 'info': '$info'}}},
{"$replaceRoot": {"newRoot": "$_id"}}]
@staticmethod
def get_report_data():
data = T1005.get_tech_base_data()
data.update({'collected_data': list(mongo.db.telemetry.aggregate(T1005.query))})
return data

View File

@ -422,7 +422,7 @@ SCHEMA = {
"title": "Collect system info", "title": "Collect system info",
"type": "boolean", "type": "boolean",
"default": True, "default": True,
"attack_techniques": ["T1082"], "attack_techniques": ["T1082", "T1005"],
"description": "Determines whether to collect system info" "description": "Determines whether to collect system info"
}, },
"should_use_mimikatz": { "should_use_mimikatz": {

View File

@ -0,0 +1,38 @@
import React from 'react';
import '../../../styles/Collapse.scss'
import ReactTable from "react-table";
import {renderMachineFromSystemData, scanStatus} from "./Helpers";
class T1005 extends React.Component {
constructor(props) {
super(props);
}
static getDataColumns() {
return ([{
Header: "Data gathered from local systems",
columns: [
{Header: 'Machine', id: 'machine', accessor: x => renderMachineFromSystemData(x.machine), style: { 'whiteSpace': 'unset' }},
{Header: 'Type', id: 'type', accessor: x => x.type, style: { 'whiteSpace': 'unset' }},
{Header: 'Info', id: 'info', accessor: x => x.info, style: { 'whiteSpace': 'unset' }},
]}])};
render() {
return (
<div>
<div>{this.props.data.message}</div>
<br/>
{this.props.data.status === scanStatus.USED ?
<ReactTable
columns={T1005.getDataColumns()}
data={this.props.data.collected_data}
showPagination={false}
defaultPageSize={this.props.data.collected_data.length}
/> : ""}
</div>
);
}
}
export default T1005;

View File

@ -25,6 +25,7 @@ import T1188 from "../attack/techniques/T1188";
import T1090 from "../attack/techniques/T1090"; import T1090 from "../attack/techniques/T1090";
import T1041 from "../attack/techniques/T1041"; import T1041 from "../attack/techniques/T1041";
import T1222 from "../attack/techniques/T1222"; import T1222 from "../attack/techniques/T1222";
import T1005 from "../attack/techniques/T1005";
const tech_components = { const tech_components = {
'T1210': T1210, 'T1210': T1210,
@ -45,7 +46,8 @@ const tech_components = {
'T1188': T1188, 'T1188': T1188,
'T1090': T1090, 'T1090': T1090,
'T1041': T1041, 'T1041': T1041,
'T1222': T1222 'T1222': T1222,
'T1005': T1005
}; };
const classNames = require('classnames'); const classNames = require('classnames');