Generate T1156 and T1504 reports via mongo query
This commit is contained in:
parent
a5fd87c2aa
commit
e19c3c20eb
|
@ -1,10 +1,8 @@
|
|||
from common.data.post_breach_consts import \
|
||||
POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from monkey_island.cc.services.attack.technique_reports.technique_report_tools import (
|
||||
extract_shell_startup_files_modification_info,
|
||||
get_shell_startup_files_modification_status)
|
||||
|
||||
__author__ = "shreyamalviya"
|
||||
|
||||
|
@ -20,18 +18,22 @@ class T1156(AttackTechnique):
|
|||
{'$project': {'_id': 0,
|
||||
'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
|
||||
'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
|
||||
'result': '$data.result'}}]
|
||||
'result': '$data.result'}},
|
||||
{'$unwind': '$result'},
|
||||
{'$match': {'$or': [{'result': {'$regex': '\.bash'}},
|
||||
{'result': {'$regex': '\.profile'}}]}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = {'title': T1156.technique_title(), 'info': []}
|
||||
|
||||
shell_startup_files_modification_info = list(mongo.db.telemetry.aggregate(T1156.query))
|
||||
bash_startup_modification_info = list(mongo.db.telemetry.aggregate(T1156.query))
|
||||
|
||||
bash_startup_modification_info =\
|
||||
extract_shell_startup_files_modification_info(shell_startup_files_modification_info, [".bash", ".profile"])
|
||||
|
||||
status = get_shell_startup_files_modification_status(bash_startup_modification_info)
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
if bash_startup_modification_info:
|
||||
successful_PBAs = mongo.db.telemetry.count({'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
|
||||
'data.result.1': True})
|
||||
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
|
||||
|
||||
data.update(T1156.get_base_data_by_status(status))
|
||||
data.update({'info': bash_startup_modification_info})
|
||||
|
|
|
@ -1,10 +1,8 @@
|
|||
from common.data.post_breach_consts import \
|
||||
POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from monkey_island.cc.services.attack.technique_reports.technique_report_tools import (
|
||||
extract_shell_startup_files_modification_info,
|
||||
get_shell_startup_files_modification_status)
|
||||
|
||||
__author__ = "shreyamalviya"
|
||||
|
||||
|
@ -20,18 +18,21 @@ class T1504(AttackTechnique):
|
|||
{'$project': {'_id': 0,
|
||||
'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
|
||||
'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
|
||||
'result': '$data.result'}}]
|
||||
'result': '$data.result'}},
|
||||
{'$unwind': '$result'},
|
||||
{'$match': {'result': {'$regex': 'profile\.ps1'}}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = {'title': T1504.technique_title(), 'info': []}
|
||||
|
||||
shell_startup_files_modification_info = list(mongo.db.telemetry.aggregate(T1504.query))
|
||||
powershell_startup_modification_info = list(mongo.db.telemetry.aggregate(T1504.query))
|
||||
|
||||
powershell_startup_modification_info =\
|
||||
extract_shell_startup_files_modification_info(shell_startup_files_modification_info, ["profile.ps1"])
|
||||
|
||||
status = get_shell_startup_files_modification_status(powershell_startup_modification_info)
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
if powershell_startup_modification_info:
|
||||
successful_PBAs = mongo.db.telemetry.count({'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
|
||||
'data.result.1': True})
|
||||
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
|
||||
|
||||
data.update(T1504.get_base_data_by_status(status))
|
||||
data.update({'info': powershell_startup_modification_info})
|
||||
|
|
|
@ -45,23 +45,3 @@ def censor_hash(hash_, plain_chars=5):
|
|||
return ""
|
||||
hash_ = encryptor.dec(hash_)
|
||||
return hash_[0: plain_chars] + ' ...'
|
||||
|
||||
|
||||
def extract_shell_startup_files_modification_info(shell_startup_files_modification_info, required_file_names):
|
||||
required_shell_startup_files_modification_info = []
|
||||
for shell_startup_file_result in shell_startup_files_modification_info[0]['result']:
|
||||
if any(file_name in shell_startup_file_result[0] for file_name in required_file_names):
|
||||
required_shell_startup_files_modification_info.append({
|
||||
'machine': shell_startup_files_modification_info[0]['machine'],
|
||||
'result': shell_startup_file_result
|
||||
})
|
||||
return required_shell_startup_files_modification_info
|
||||
|
||||
|
||||
def get_shell_startup_files_modification_status(shell_startup_files_modification_info):
|
||||
status = []
|
||||
for startup_file in shell_startup_files_modification_info:
|
||||
status.append(startup_file['result'][1])
|
||||
status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
|
||||
if status else ScanStatus.UNSCANNED.value
|
||||
return status
|
||||
|
|
Loading…
Reference in New Issue