Generate T1156 and T1504 reports via mongo query

This commit is contained in:
Shreya 2020-07-24 22:43:50 +05:30
parent 90fe06e212
commit eaf0cc854f
3 changed files with 21 additions and 38 deletions

View File

@ -1,10 +1,8 @@
from common.data.post_breach_consts import \ from common.data.post_breach_consts import \
POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
from common.utils.attack_utils import ScanStatus
from monkey_island.cc.database import mongo from monkey_island.cc.database import mongo
from monkey_island.cc.services.attack.technique_reports import AttackTechnique from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from monkey_island.cc.services.attack.technique_reports.technique_report_tools import (
extract_shell_startup_files_modification_info,
get_shell_startup_files_modification_status)
__author__ = "shreyamalviya" __author__ = "shreyamalviya"
@ -20,18 +18,22 @@ class T1156(AttackTechnique):
{'$project': {'_id': 0, {'$project': {'_id': 0,
'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]}, 'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
'ips': [{'$arrayElemAt': ['$data.ip', 0]}]}, 'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
'result': '$data.result'}}] 'result': '$data.result'}},
{'$unwind': '$result'},
{'$match': {'$or': [{'result': {'$regex': '\.bash'}},
{'result': {'$regex': '\.profile'}}]}}]
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
data = {'title': T1156.technique_title(), 'info': []} data = {'title': T1156.technique_title(), 'info': []}
shell_startup_files_modification_info = list(mongo.db.telemetry.aggregate(T1156.query)) bash_startup_modification_info = list(mongo.db.telemetry.aggregate(T1156.query))
bash_startup_modification_info =\ status = ScanStatus.UNSCANNED.value
extract_shell_startup_files_modification_info(shell_startup_files_modification_info, [".bash", ".profile"]) if bash_startup_modification_info:
successful_PBAs = mongo.db.telemetry.count({'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
status = get_shell_startup_files_modification_status(bash_startup_modification_info) 'data.result.1': True})
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
data.update(T1156.get_base_data_by_status(status)) data.update(T1156.get_base_data_by_status(status))
data.update({'info': bash_startup_modification_info}) data.update({'info': bash_startup_modification_info})

View File

@ -1,10 +1,8 @@
from common.data.post_breach_consts import \ from common.data.post_breach_consts import \
POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
from common.utils.attack_utils import ScanStatus
from monkey_island.cc.database import mongo from monkey_island.cc.database import mongo
from monkey_island.cc.services.attack.technique_reports import AttackTechnique from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from monkey_island.cc.services.attack.technique_reports.technique_report_tools import (
extract_shell_startup_files_modification_info,
get_shell_startup_files_modification_status)
__author__ = "shreyamalviya" __author__ = "shreyamalviya"
@ -20,18 +18,21 @@ class T1504(AttackTechnique):
{'$project': {'_id': 0, {'$project': {'_id': 0,
'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]}, 'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
'ips': [{'$arrayElemAt': ['$data.ip', 0]}]}, 'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
'result': '$data.result'}}] 'result': '$data.result'}},
{'$unwind': '$result'},
{'$match': {'result': {'$regex': 'profile\.ps1'}}}]
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
data = {'title': T1504.technique_title(), 'info': []} data = {'title': T1504.technique_title(), 'info': []}
shell_startup_files_modification_info = list(mongo.db.telemetry.aggregate(T1504.query)) powershell_startup_modification_info = list(mongo.db.telemetry.aggregate(T1504.query))
powershell_startup_modification_info =\ status = ScanStatus.UNSCANNED.value
extract_shell_startup_files_modification_info(shell_startup_files_modification_info, ["profile.ps1"]) if powershell_startup_modification_info:
successful_PBAs = mongo.db.telemetry.count({'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
status = get_shell_startup_files_modification_status(powershell_startup_modification_info) 'data.result.1': True})
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
data.update(T1504.get_base_data_by_status(status)) data.update(T1504.get_base_data_by_status(status))
data.update({'info': powershell_startup_modification_info}) data.update({'info': powershell_startup_modification_info})

View File

@ -45,23 +45,3 @@ def censor_hash(hash_, plain_chars=5):
return "" return ""
hash_ = encryptor.dec(hash_) hash_ = encryptor.dec(hash_)
return hash_[0: plain_chars] + ' ...' return hash_[0: plain_chars] + ' ...'
def extract_shell_startup_files_modification_info(shell_startup_files_modification_info, required_file_names):
required_shell_startup_files_modification_info = []
for shell_startup_file_result in shell_startup_files_modification_info[0]['result']:
if any(file_name in shell_startup_file_result[0] for file_name in required_file_names):
required_shell_startup_files_modification_info.append({
'machine': shell_startup_files_modification_info[0]['machine'],
'result': shell_startup_file_result
})
return required_shell_startup_files_modification_info
def get_shell_startup_files_modification_status(shell_startup_files_modification_info):
status = []
for startup_file in shell_startup_files_modification_info:
status.append(startup_file['result'][1])
status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
if status else ScanStatus.UNSCANNED.value
return status