Exfiltration trough command and control channel attack technique implemented

This commit is contained in:
VakarisZ 2019-07-16 17:33:03 +03:00
parent 1d4df39aa9
commit acf309a163
10 changed files with 99 additions and 3 deletions


@ -16,4 +16,5 @@ from config import Config
from creds import Creds
from monkey_ttl import MonkeyTtl
from pba_results import PbaResults
from c2_info import C2Info
from monkey import Monkey


@ -0,0 +1,6 @@
from mongoengine import EmbeddedDocument, StringField
class C2Info(EmbeddedDocument):
src = StringField()
dst = StringField()
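Review bot: `C2Info` has no docstring and the names `src`/`dst` do not say which end of the channel each one holds, so a reader of the model cannot tell whether `dst` is the monkey or the island. In this commit the Telemetry resource fills them from `request.remote_addr` and `request.host`, so document that on the fields: `# src: peer address the telemetry request arrived from (request.remote_addr)` and `# dst: host the monkey addressed the request to (request.host, i.e. the Host header)`. Stating that `dst` is header-derived also tells later readers of the T1041 report how much to trust it.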


@ -33,6 +33,7 @@ class Monkey(Document):
pba_results = ListField()
ttl_ref = ReferenceField(MonkeyTtl)
tunnel = ReferenceField("self")
c2_info = EmbeddedDocumentField('C2Info')
# LOGIC
@staticmethod


@ -48,6 +48,7 @@ class Telemetry(flask_restful.Resource):
def post(self):
telemetry_json = json.loads(request.data)
telemetry_json['timestamp'] = datetime.now()
telemetry_json['c2_channel'] = {'src': request.remote_addr, 'dst': request.host}
monkey = NodeService.get_monkey_by_guid(telemetry_json['monkey_guid'])
@ -110,6 +111,7 @@ class Telemetry(flask_restful.Resource):
@staticmethod
def process_state_telemetry(telemetry_json):
monkey = NodeService.get_monkey_by_guid(telemetry_json['monkey_guid'])
NodeService.add_communication_info(monkey, telemetry_json['c2_channel'])
if telemetry_json['data']['done']:
NodeService.set_monkey_dead(monkey, True)
else:
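Review bot: On the line that builds `c2_channel`, `request.host` is the client-supplied Host header, so `dst` records whatever the sender put there rather than the address the island actually accepted the request on, and `remote_addr` is the immediate peer, which would be a proxy rather than the monkey if the island sits behind one. Because this pair is later presented in the T1041 report as the observed exfiltration channel, consider sourcing the destination server-side (for instance the WSGI `SERVER_NAME`/`SERVER_PORT` environ values or the island's configured address) or at least validating `request.host` against it, and leave a comment noting the proxy caveat. `process_state_telemetry` then reads `telemetry_json['c2_channel']`, a key that only exists because `post()` injected it; since the method is static and takes any telemetry dict, either use `telemetry_json.get('c2_channel')` or add a docstring stating that the key is set by `post()` and is never taken from the monkey's payload. Both `post` and `process_state_telemetry` continue outside the hunk.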


@ -2,7 +2,7 @@ import logging
from monkey_island.cc.models import Monkey
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
from monkey_island.cc.services.attack.technique_reports import T1090
from monkey_island.cc.services.attack.technique_reports import T1090, T1041
from monkey_island.cc.services.attack.attack_config import AttackConfig
from monkey_island.cc.database import mongo
@ -27,7 +27,8 @@ TECHNIQUES = {'T1210': T1210.T1210,
'T1106': T1106.T1106,
'T1107': T1107.T1107,
'T1188': T1188.T1188,
'T1090': T1090.T1090}
'T1090': T1090.T1090,
'T1041': T1041.T1041}
REPORT_NAME = 'new_report'


@ -205,5 +205,18 @@ SCHEMA = {
}
}
},
"exfiltration": {
"title": "Exfiltration",
"type": "object",
"properties": {
"T1041": {
"title": "T1041 Exfiltration Over Command and Control Channel",
"type": "bool",
"value": True,
"necessary": True,
"description": "Data exfiltration is performed over the Command and Control channel."
}
}
}
}
}
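Review bot: The new T1041 entry declares `"type": "bool"`, which is not a JSON-Schema type name (`"boolean"` is). If the rest of SCHEMA and the form that consumes it already use `"bool"` this is consistent and can stay; otherwise it should be `"type": "boolean"`. A short comment on the `"necessary": True` line explaining what the flag does for the UI (presumably that the technique cannot be disabled) would also help, since the meaning is not visible from the schema itself.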


@ -0,0 +1,27 @@
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from monkey_island.cc.models.monkey import Monkey
from common.utils.attack_utils import ScanStatus
__author__ = "VakarisZ"
class T1041(AttackTechnique):
tech_id = "T1041"
unscanned_msg = "Monkey didn't exfiltrate any info trough command and control channel."
scanned_msg = ""
used_msg = "Monkey exfiltrated info trough command and control channel."
@staticmethod
def get_report_data():
monkeys = list(Monkey.objects())
info = [{'src': monkey['c2_info']['src'],
'dst': monkey['c2_info']['dst']}
for monkey in monkeys if monkey['c2_info']]
if info:
status = ScanStatus.USED.value
else:
status = ScanStatus.UNSCANNED.value
data = T1041.get_base_data_by_status(status)
data.update({'c2_info': info})
return data
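Review bot: `unscanned_msg` and `used_msg` misspell "through" as "trough" in text that is shown to the user in the report; change them to `unscanned_msg = "Monkey didn't exfiltrate any info through command and control channel."` and `used_msg = "Monkey exfiltrated info through command and control channel."`. `get_report_data` also needs a docstring, e.g. `"""Collect the src/dst C2 endpoints recorded on every monkey document; status is USED if any monkey has one, otherwise UNSCANNED."""`. Since the state telemetry handler in this commit writes `c2_info` for every monkey that reports, the technique will read as USED as soon as one monkey checks in, which matches `necessary: True` in the schema but is worth saying in the class docstring so nobody expects a negative result.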


@ -247,6 +247,12 @@ class NodeService:
{'$set': props_to_set},
upsert=False)
@staticmethod
def add_communication_info(monkey, info):
mongo.db.monkey.update({"guid": monkey["guid"]},
{"$set": {'c2_info': info}},
upsert=False)
@staticmethod
def get_monkey_island_monkey():
ip_addresses = local_ip_addresses()
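Review bot: `add_communication_info` stores the `info` dict it is handed directly under `c2_info` without stating what shape it expects, and the only caller in this commit builds it from server-side request attributes rather than from the telemetry body; that contract should be written down so a future caller does not pass monkey-supplied data through. Add `"""Set monkey['c2_info'] to info, a {'src', 'dst'} dict built server-side (see Telemetry.post); never pass values taken from the telemetry payload."""`. The `mongo.db.monkey.update(..., upsert=False)` form matches the surrounding method, so no change there; `get_monkey_island_monkey` continues outside the hunk.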


@ -0,0 +1,37 @@
import React from 'react';
import '../../../styles/Collapse.scss'
import ReactTable from "react-table";
import {scanStatus} from "./Helpers";
class T1041 extends React.Component {
constructor(props) {
super(props);
}
static getC2Columns() {
return ([{
Header: "Data exfiltration channels",
columns: [
{Header: 'Source', id: 'src', accessor: x => x.src, style: { 'whiteSpace': 'unset' }},
{Header: 'Destination', id: 'dst', accessor: x => x.dst, style: { 'whiteSpace': 'unset' }}
]}])};
render() {
return (
<div>
<div>{this.props.data.message}</div>
<br/>
{this.props.data.status === scanStatus.USED ?
<ReactTable
columns={T1041.getC2Columns()}
data={this.props.data.c2_info}
showPagination={false}
defaultPageSize={this.props.data.c2_info.length}
/> : ""}
</div>
);
}
}
export default T1041;
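Review bot: The constructor only forwards `props` to `super`, which is what React does when no constructor is defined, so it can be removed. `defaultPageSize={this.props.data.c2_info.length}` relies on `c2_info` being non-empty whenever `status === USED`, which the Python side guarantees (`status` is USED exactly when `info` is non-empty, and `c2_info` is always included in the data); a one-line comment above the conditional, `// c2_info is always present and is non-empty exactly when status is USED`, would make that dependency visible to whoever edits either side.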


@ -23,6 +23,7 @@ import T1129 from "../attack/techniques/T1129";
import T1106 from "../attack/techniques/T1106";
import T1188 from "../attack/techniques/T1188";
import T1090 from "../attack/techniques/T1090";
import T1041 from "../attack/techniques/T1041";
const tech_components = {
'T1210': T1210,
@ -41,7 +42,8 @@ const tech_components = {
'T1106': T1106,
'T1107': T1107,
'T1188': T1188,
'T1090': T1090
'T1090': T1090,
'T1041': T1041
};
const classNames = require('classnames');