Merge pull request #1754 from guardicore/1695-attack-changes
1695 attack changes
commit
c33318646a
|
@ -47,6 +47,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
- Zero Trust integration with ScoutSuite. #1669
|
||||
- ShellShock exploiter. #1733
|
||||
- ElasticGroovy exploiter. #1732
|
||||
- T1082 attack technique report. #1754
|
||||
|
||||
### Fixed
|
||||
- A bug in network map page that caused delay of telemetry log loading. #1545
|
||||
|
|
|
@ -16,7 +16,6 @@ from monkey_island.cc.services.attack.technique_reports import (
|
|||
T1064,
|
||||
T1065,
|
||||
T1075,
|
||||
T1082,
|
||||
T1086,
|
||||
T1087,
|
||||
T1090,
|
||||
|
@ -54,7 +53,6 @@ TECHNIQUES = {
|
|||
"T1003": T1003.T1003,
|
||||
"T1059": T1059.T1059,
|
||||
"T1086": T1086.T1086,
|
||||
"T1082": T1082.T1082,
|
||||
"T1145": T1145.T1145,
|
||||
"T1065": T1065.T1065,
|
||||
"T1105": T1105.T1105,
|
||||
|
|
|
@ -249,21 +249,11 @@ SCHEMA = {
|
|||
"hostname, or other logical identifier on a network for lateral"
|
||||
" movement.",
|
||||
},
|
||||
"T1082": {
|
||||
"title": "System information discovery",
|
||||
"type": "bool",
|
||||
"link": "https://attack.mitre.org/techniques/T1082",
|
||||
"depends_on": ["T1016", "T1005"],
|
||||
"description": "An adversary may attempt to get detailed information about the "
|
||||
"operating system and hardware, including version, patches, "
|
||||
"hotfixes, "
|
||||
"service packs, and architecture.",
|
||||
},
|
||||
"T1016": {
|
||||
"title": "System network configuration discovery",
|
||||
"type": "bool",
|
||||
"link": "https://attack.mitre.org/techniques/T1016",
|
||||
"depends_on": ["T1005", "T1082"],
|
||||
"depends_on": ["T1005"],
|
||||
"description": "Adversaries will likely look for details about the network "
|
||||
"configuration "
|
||||
"and settings of systems they access or through information "
|
||||
|
@ -322,7 +312,7 @@ SCHEMA = {
|
|||
"title": "Data from local system",
|
||||
"type": "bool",
|
||||
"link": "https://attack.mitre.org/techniques/T1005",
|
||||
"depends_on": ["T1016", "T1082"],
|
||||
"depends_on": ["T1016"],
|
||||
"description": "Sensitive data can be collected from local system sources, "
|
||||
"such as the file system "
|
||||
"or databases of information residing on the system prior to "
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
from common.utils.attack_utils import ScanStatus
|
||||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.models import Monkey
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
|
||||
|
||||
|
@ -10,35 +10,12 @@ class T1016(AttackTechnique):
|
|||
scanned_msg = ""
|
||||
used_msg = "Monkey gathered network configurations on systems in the network."
|
||||
|
||||
query = [
|
||||
{"$match": {"telem_category": "system_info", "data.network_info": {"$exists": True}}},
|
||||
{
|
||||
"$project": {
|
||||
"machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
|
||||
"networks": "$data.network_info.networks",
|
||||
}
|
||||
},
|
||||
{
|
||||
"$addFields": {
|
||||
"_id": 0,
|
||||
"networks": 0,
|
||||
"info": [
|
||||
{
|
||||
"used": {
|
||||
"$and": [{"$ifNull": ["$networks", False]}, {"$gt": ["$networks", {}]}]
|
||||
},
|
||||
"name": {"$literal": "Network interface info"},
|
||||
},
|
||||
],
|
||||
}
|
||||
},
|
||||
]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
def get_technique_status_and_data():
|
||||
network_info = list(mongo.db.telemetry.aggregate(T1016.query))
|
||||
status = ScanStatus.USED.value if network_info else ScanStatus.UNSCANNED.value
|
||||
network_info = T1016._get_network_info()
|
||||
used_info = [entry for entry in network_info if entry["info"][0]["used"]]
|
||||
status = ScanStatus.USED.value if used_info else ScanStatus.UNSCANNED.value
|
||||
return (status, network_info)
|
||||
|
||||
status, network_info = get_technique_status_and_data()
|
||||
|
@ -46,3 +23,14 @@ class T1016(AttackTechnique):
|
|||
data = T1016.get_base_data_by_status(status)
|
||||
data.update({"network_info": network_info})
|
||||
return data
|
||||
|
||||
@staticmethod
|
||||
def _get_network_info():
|
||||
network_info = []
|
||||
for monkey in Monkey.objects():
|
||||
entry = {"machine": {"hostname": monkey.hostname, "ips": monkey.ip_addresses}}
|
||||
info = [{"used": bool(monkey.networks), "name": "Network interface info"}]
|
||||
entry["info"] = info
|
||||
network_info.append(entry)
|
||||
|
||||
return network_info
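Review bot: `_get_network_info` has no docstring, yet the shape it builds is a contract: `get_technique_status_and_data` in the earlier hunk of this file decides the technique status by indexing `entry["info"][0]["used"]`, so the single-element `info` list is load-bearing rather than incidental. I would add a docstring stating that it returns one entry per Monkey, each holding a `machine` dict (hostname, ips) and an `info` list with exactly one "Network interface info" record whose `used` flag is truthy when that monkey reported any networks, and mirror that with a one-line comment at the `used_info` filter in the caller, e.g. `# each entry carries exactly one info record; see _get_network_info`. `bool(monkey.networks)` treats a missing/None value and an empty container alike, which looks like the same outcome as the removed `$ifNull`/`$gt` aggregation check, but the type of `Monkey.networks` is defined outside this diff and is worth confirming. The loop body could be a comprehension, though that is cosmetic.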
|
||||
|
|
|
@ -1,120 +0,0 @@
|
|||
from common.common_consts.post_breach_consts import POST_BREACH_PROCESS_LIST_COLLECTION
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
|
||||
|
||||
class T1082(AttackTechnique):
|
||||
tech_id = "T1082"
|
||||
relevant_systems = ["Linux", "Windows"]
|
||||
unscanned_msg = "Monkey didn't gather any system info on the network."
|
||||
scanned_msg = "Monkey tried gathering system info on the network but failed."
|
||||
used_msg = "Monkey gathered system info from machines in the network."
|
||||
# TODO: Remove the second item from this list after the TODO in `_run_pba()` in
|
||||
# `automated_master.py` is resolved.
|
||||
pba_names = [POST_BREACH_PROCESS_LIST_COLLECTION, "ProcessListCollection"]
|
||||
|
||||
query_for_system_info_collectors = [
|
||||
{"$match": {"telem_category": "system_info", "data.network_info": {"$exists": True}}},
|
||||
{
|
||||
"$project": {
|
||||
"machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
|
||||
"aws": "$data.aws",
|
||||
"ssh_info": "$data.ssh_info",
|
||||
"azure_info": "$data.Azure",
|
||||
}
|
||||
},
|
||||
{
|
||||
"$project": {
|
||||
"_id": 0,
|
||||
"machine": 1,
|
||||
"collections": [
|
||||
{
|
||||
"used": {"$and": [{"$gt": ["$aws", {}]}]},
|
||||
"name": {"$literal": "Amazon Web Services info"},
|
||||
},
|
||||
{
|
||||
"used": {
|
||||
"$and": [{"$ifNull": ["$ssh_info", False]}, {"$ne": ["$ssh_info", []]}]
|
||||
},
|
||||
"name": {"$literal": "SSH info"},
|
||||
},
|
||||
{
|
||||
"used": {
|
||||
"$and": [
|
||||
{"$ifNull": ["$azure_info", False]},
|
||||
{"$ne": ["$azure_info", []]},
|
||||
]
|
||||
},
|
||||
"name": {"$literal": "Azure info"},
|
||||
},
|
||||
{"used": True, "name": {"$literal": "Network interfaces"}},
|
||||
],
|
||||
}
|
||||
},
|
||||
{"$group": {"_id": {"machine": "$machine", "collections": "$collections"}}},
|
||||
{"$replaceRoot": {"newRoot": "$_id"}},
|
||||
]
|
||||
|
||||
query_for_running_processes_list = [
|
||||
{
|
||||
"$match": {
|
||||
"$and": [
|
||||
{"telem_category": "post_breach"},
|
||||
{"$or": [{"data.name": pba_name} for pba_name in pba_names]},
|
||||
{"$or": [{"data.os": os} for os in relevant_systems]},
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"$project": {
|
||||
"_id": 0,
|
||||
"machine": {
|
||||
"hostname": {"$arrayElemAt": ["$data.hostname", 0]},
|
||||
"ips": [{"$arrayElemAt": ["$data.ip", 0]}],
|
||||
},
|
||||
"collections": [
|
||||
{
|
||||
"used": {"$arrayElemAt": [{"$arrayElemAt": ["$data.result", 0]}, 1]},
|
||||
"name": {"$literal": "List of running processes"},
|
||||
}
|
||||
],
|
||||
}
|
||||
},
|
||||
]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
def get_technique_status_and_data():
|
||||
system_info_data = list(
|
||||
mongo.db.telemetry.aggregate(T1082.query_for_system_info_collectors)
|
||||
)
|
||||
system_info_status = (
|
||||
ScanStatus.USED.value if system_info_data else ScanStatus.UNSCANNED.value
|
||||
)
|
||||
|
||||
pba_data = list(mongo.db.telemetry.aggregate(T1082.query_for_running_processes_list))
|
||||
successful_PBAs = mongo.db.telemetry.count(
|
||||
{
|
||||
"$and": [
|
||||
{"$or": [{"data.name": pba_name} for pba_name in T1082.pba_names]},
|
||||
{"$or": [{"data.os": os} for os in T1082.relevant_systems]},
|
||||
{"data.result.1": True},
|
||||
]
|
||||
}
|
||||
)
|
||||
pba_status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
|
||||
|
||||
technique_data = system_info_data + pba_data
|
||||
# ScanStatus values are in order of precedence; used > scanned > unscanned
|
||||
technique_status = max(system_info_status, pba_status)
|
||||
|
||||
return (technique_status, technique_data)
|
||||
|
||||
status, technique_data = get_technique_status_and_data()
|
||||
data = {"title": T1082.technique_title()}
|
||||
data.update({"technique_data": technique_data})
|
||||
|
||||
data.update(T1082.get_mitigation_by_status(status))
|
||||
data.update(T1082.get_message_and_status(status))
|
||||
return data
|
|
@ -100,7 +100,6 @@ POST_BREACH_ACTIONS = {
|
|||
"title": "Process List Collector",
|
||||
"safe": True,
|
||||
"info": "Collects a list of running processes on the machine.",
|
||||
"attack_techniques": ["T1082"],
|
||||
},
|
||||
],
|
||||
}
|
||||
|
|
|
@ -1,50 +0,0 @@
|
|||
import React from 'react';
|
||||
import ReactTable from 'react-table';
|
||||
import {renderMachineFromSystemData, renderUsageFields, ScanStatus} from './Helpers'
|
||||
import MitigationsComponent from './MitigationsComponent';
|
||||
|
||||
|
||||
class T1082 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
static getSystemInfoColumns() {
|
||||
return ([{
|
||||
columns: [
|
||||
{
|
||||
Header: 'Machine',
|
||||
id: 'machine',
|
||||
accessor: x => renderMachineFromSystemData(x.machine),
|
||||
style: {'whiteSpace': 'unset'}
|
||||
},
|
||||
{
|
||||
Header: 'Gathered info',
|
||||
id: 'info',
|
||||
accessor: x => renderUsageFields(x.collections),
|
||||
style: {'whiteSpace': 'unset'}
|
||||
}
|
||||
]
|
||||
}])
|
||||
}
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message_html}</div>
|
||||
<br/>
|
||||
{this.props.data.status === ScanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1082.getSystemInfoColumns()}
|
||||
data={this.props.data.technique_data}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.technique_data.length}
|
||||
/> : ''}
|
||||
<MitigationsComponent mitigations={this.props.data.mitigations}/>
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1082;
|