Implemented data collection from local system attack technique
This commit is contained in:
parent
69de938a37
commit
ab461ef8d3
|
@ -3,6 +3,9 @@ import pwd
|
|||
import os
|
||||
import glob
|
||||
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from infection_monkey.telemetry.attack.t1005_telem import T1005Telem
|
||||
|
||||
__author__ = 'VakarisZ'
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
@ -71,6 +74,7 @@ class SSHCollector(object):
|
|||
if private_key.find('ENCRYPTED') == -1:
|
||||
info['private_key'] = private_key
|
||||
LOG.info("Found private key in %s" % private)
|
||||
T1005Telem(ScanStatus.USED, 'SSH key', "Path: %s" % private).send()
|
||||
else:
|
||||
continue
|
||||
except (IOError, OSError):
|
||||
|
|
|
@ -5,6 +5,9 @@ import json
|
|||
import glob
|
||||
import subprocess
|
||||
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from infection_monkey.telemetry.attack.t1005_telem import T1005Telem
|
||||
|
||||
__author__ = 'danielg'
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
@ -54,6 +57,7 @@ class AzureCollector(object):
|
|||
decrypt_proc = subprocess.Popen(decrypt_command.split(), stdout=subprocess.PIPE, stdin=subprocess.PIPE)
|
||||
decrypt_raw = decrypt_proc.communicate(input=b64_result)[0]
|
||||
decrypt_data = json.loads(decrypt_raw)
|
||||
T1005Telem(ScanStatus.USED, 'Azure credentials', "Path: %s" % filepath).send()
|
||||
return decrypt_data['username'], decrypt_data['password']
|
||||
except IOError:
|
||||
LOG.warning("Failed to parse VM Access plugin file. Could not open file")
|
||||
|
@ -92,6 +96,7 @@ class AzureCollector(object):
|
|||
# this is disgusting but the alternative is writing the file to disk...
|
||||
password_raw = ps_out.split('\n')[-2].split(">")[1].split("$utf8content")[1]
|
||||
password = json.loads(password_raw)["Password"]
|
||||
T1005Telem(ScanStatus.USED, 'Azure credentials', "Path: %s" % filepath).send()
|
||||
return username, password
|
||||
except IOError:
|
||||
LOG.warning("Failed to parse VM Access plugin file. Could not open file")
|
||||
|
|
|
@ -0,0 +1,22 @@
|
|||
from infection_monkey.telemetry.attack.attack_telem import AttackTelem
|
||||
|
||||
|
||||
class T1005Telem(AttackTelem):
|
||||
def __init__(self, status, _type, info=""):
|
||||
"""
|
||||
T1005 telemetry.
|
||||
:param status: ScanStatus of technique
|
||||
:param _type: Type of data collected
|
||||
:param info: Additional info about data
|
||||
"""
|
||||
super(T1005Telem, self).__init__('T1005', status)
|
||||
self._type = _type
|
||||
self.info = info
|
||||
|
||||
def get_data(self):
|
||||
data = super(T1005Telem, self).get_data()
|
||||
data.update({
|
||||
'type': self._type,
|
||||
'info': self.info
|
||||
})
|
||||
return data
|
|
@ -3,7 +3,7 @@ import logging
|
|||
from monkey_island.cc.models import Monkey
|
||||
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
|
||||
from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
|
||||
from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222
|
||||
from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005
|
||||
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
||||
from monkey_island.cc.database import mongo
|
||||
|
||||
|
@ -30,7 +30,8 @@ TECHNIQUES = {'T1210': T1210.T1210,
|
|||
'T1188': T1188.T1188,
|
||||
'T1090': T1090.T1090,
|
||||
'T1041': T1041.T1041,
|
||||
'T1222': T1222.T1222}
|
||||
'T1222': T1222.T1222,
|
||||
'T1005': T1005.T1005}
|
||||
|
||||
REPORT_NAME = 'new_report'
|
||||
|
||||
|
|
|
@ -182,6 +182,20 @@ SCHEMA = {
|
|||
}
|
||||
}
|
||||
},
|
||||
"collection": {
|
||||
"title": "Collection",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"T1005": {
|
||||
"title": "T1005 Data from local system",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": False,
|
||||
"description": "Sensitive data can be collected from local system sources, such as the file system "
|
||||
"or databases of information residing on the system prior to Exfiltration."
|
||||
}
|
||||
}
|
||||
},
|
||||
"command_and_control": {
|
||||
"title": "Command and Control",
|
||||
"type": "object",
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from monkey_island.cc.database import mongo
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
||||
class T1005(AttackTechnique):
|
||||
|
||||
tech_id = "T1005"
|
||||
unscanned_msg = "Monkey didn't gather any sensitive data from local system."
|
||||
scanned_msg = ""
|
||||
used_msg = "Monkey successfully gathered sensitive data from local system."
|
||||
|
||||
query = [{'$match': {'telem_category': 'attack',
|
||||
'data.technique': tech_id}},
|
||||
{'$lookup': {'from': 'monkey',
|
||||
'localField': 'monkey_guid',
|
||||
'foreignField': 'guid',
|
||||
'as': 'monkey'}},
|
||||
{'$project': {'monkey': {'$arrayElemAt': ['$monkey', 0]},
|
||||
'status': '$data.status',
|
||||
'type': '$data.type',
|
||||
'info': '$data.info'}},
|
||||
{'$addFields': {'_id': 0,
|
||||
'machine': {'hostname': '$monkey.hostname', 'ips': '$monkey.ip_addresses'},
|
||||
'monkey': 0}},
|
||||
{'$group': {'_id': {'machine': '$machine', 'type': '$type', 'info': '$info'}}},
|
||||
{"$replaceRoot": {"newRoot": "$_id"}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = T1005.get_tech_base_data()
|
||||
data.update({'collected_data': list(mongo.db.telemetry.aggregate(T1005.query))})
|
||||
return data
|
|
@ -422,7 +422,7 @@ SCHEMA = {
|
|||
"title": "Collect system info",
|
||||
"type": "boolean",
|
||||
"default": True,
|
||||
"attack_techniques": ["T1082"],
|
||||
"attack_techniques": ["T1082", "T1005"],
|
||||
"description": "Determines whether to collect system info"
|
||||
},
|
||||
"should_use_mimikatz": {
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import {renderMachineFromSystemData, scanStatus} from "./Helpers";
|
||||
|
||||
class T1005 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
static getDataColumns() {
|
||||
return ([{
|
||||
Header: "Data gathered from local systems",
|
||||
columns: [
|
||||
{Header: 'Machine', id: 'machine', accessor: x => renderMachineFromSystemData(x.machine), style: { 'whiteSpace': 'unset' }},
|
||||
{Header: 'Type', id: 'type', accessor: x => x.type, style: { 'whiteSpace': 'unset' }},
|
||||
{Header: 'Info', id: 'info', accessor: x => x.info, style: { 'whiteSpace': 'unset' }},
|
||||
]}])};
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === scanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1005.getDataColumns()}
|
||||
data={this.props.data.collected_data}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.collected_data.length}
|
||||
/> : ""}
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1005;
|
|
@ -25,6 +25,7 @@ import T1188 from "../attack/techniques/T1188";
|
|||
import T1090 from "../attack/techniques/T1090";
|
||||
import T1041 from "../attack/techniques/T1041";
|
||||
import T1222 from "../attack/techniques/T1222";
|
||||
import T1005 from "../attack/techniques/T1005";
|
||||
|
||||
const tech_components = {
|
||||
'T1210': T1210,
|
||||
|
@ -45,7 +46,8 @@ const tech_components = {
|
|||
'T1188': T1188,
|
||||
'T1090': T1090,
|
||||
'T1041': T1041,
|
||||
'T1222': T1222
|
||||
'T1222': T1222,
|
||||
'T1005': T1005
|
||||
};
|
||||
|
||||
const classNames = require('classnames');
|
||||
|
|
Loading…
Reference in New Issue