Generate T1156 and T1504 reports via mongo query
This commit is contained in:
parent
90fe06e212
commit
eaf0cc854f
|
@ -1,10 +1,8 @@
|
||||||
from common.data.post_breach_consts import \
|
from common.data.post_breach_consts import \
|
||||||
POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
|
POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
|
||||||
|
from common.utils.attack_utils import ScanStatus
|
||||||
from monkey_island.cc.database import mongo
|
from monkey_island.cc.database import mongo
|
||||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||||
from monkey_island.cc.services.attack.technique_reports.technique_report_tools import (
|
|
||||||
extract_shell_startup_files_modification_info,
|
|
||||||
get_shell_startup_files_modification_status)
|
|
||||||
|
|
||||||
__author__ = "shreyamalviya"
|
__author__ = "shreyamalviya"
|
||||||
|
|
||||||
|
@ -20,18 +18,22 @@ class T1156(AttackTechnique):
|
||||||
{'$project': {'_id': 0,
|
{'$project': {'_id': 0,
|
||||||
'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
|
'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
|
||||||
'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
|
'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
|
||||||
'result': '$data.result'}}]
|
'result': '$data.result'}},
|
||||||
|
{'$unwind': '$result'},
|
||||||
|
{'$match': {'$or': [{'result': {'$regex': '\.bash'}},
|
||||||
|
{'result': {'$regex': '\.profile'}}]}}]
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
data = {'title': T1156.technique_title(), 'info': []}
|
data = {'title': T1156.technique_title(), 'info': []}
|
||||||
|
|
||||||
shell_startup_files_modification_info = list(mongo.db.telemetry.aggregate(T1156.query))
|
bash_startup_modification_info = list(mongo.db.telemetry.aggregate(T1156.query))
|
||||||
|
|
||||||
bash_startup_modification_info =\
|
status = ScanStatus.UNSCANNED.value
|
||||||
extract_shell_startup_files_modification_info(shell_startup_files_modification_info, [".bash", ".profile"])
|
if bash_startup_modification_info:
|
||||||
|
successful_PBAs = mongo.db.telemetry.count({'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
|
||||||
status = get_shell_startup_files_modification_status(bash_startup_modification_info)
|
'data.result.1': True})
|
||||||
|
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
|
||||||
|
|
||||||
data.update(T1156.get_base_data_by_status(status))
|
data.update(T1156.get_base_data_by_status(status))
|
||||||
data.update({'info': bash_startup_modification_info})
|
data.update({'info': bash_startup_modification_info})
|
||||||
|
|
|
@ -1,10 +1,8 @@
|
||||||
from common.data.post_breach_consts import \
|
from common.data.post_breach_consts import \
|
||||||
POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
|
POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
|
||||||
|
from common.utils.attack_utils import ScanStatus
|
||||||
from monkey_island.cc.database import mongo
|
from monkey_island.cc.database import mongo
|
||||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||||
from monkey_island.cc.services.attack.technique_reports.technique_report_tools import (
|
|
||||||
extract_shell_startup_files_modification_info,
|
|
||||||
get_shell_startup_files_modification_status)
|
|
||||||
|
|
||||||
__author__ = "shreyamalviya"
|
__author__ = "shreyamalviya"
|
||||||
|
|
||||||
|
@ -20,18 +18,21 @@ class T1504(AttackTechnique):
|
||||||
{'$project': {'_id': 0,
|
{'$project': {'_id': 0,
|
||||||
'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
|
'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
|
||||||
'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
|
'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
|
||||||
'result': '$data.result'}}]
|
'result': '$data.result'}},
|
||||||
|
{'$unwind': '$result'},
|
||||||
|
{'$match': {'result': {'$regex': 'profile\.ps1'}}}]
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
data = {'title': T1504.technique_title(), 'info': []}
|
data = {'title': T1504.technique_title(), 'info': []}
|
||||||
|
|
||||||
shell_startup_files_modification_info = list(mongo.db.telemetry.aggregate(T1504.query))
|
powershell_startup_modification_info = list(mongo.db.telemetry.aggregate(T1504.query))
|
||||||
|
|
||||||
powershell_startup_modification_info =\
|
status = ScanStatus.UNSCANNED.value
|
||||||
extract_shell_startup_files_modification_info(shell_startup_files_modification_info, ["profile.ps1"])
|
if powershell_startup_modification_info:
|
||||||
|
successful_PBAs = mongo.db.telemetry.count({'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
|
||||||
status = get_shell_startup_files_modification_status(powershell_startup_modification_info)
|
'data.result.1': True})
|
||||||
|
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
|
||||||
|
|
||||||
data.update(T1504.get_base_data_by_status(status))
|
data.update(T1504.get_base_data_by_status(status))
|
||||||
data.update({'info': powershell_startup_modification_info})
|
data.update({'info': powershell_startup_modification_info})
|
||||||
|
|
|
@ -45,23 +45,3 @@ def censor_hash(hash_, plain_chars=5):
|
||||||
return ""
|
return ""
|
||||||
hash_ = encryptor.dec(hash_)
|
hash_ = encryptor.dec(hash_)
|
||||||
return hash_[0: plain_chars] + ' ...'
|
return hash_[0: plain_chars] + ' ...'
|
||||||
|
|
||||||
|
|
||||||
def extract_shell_startup_files_modification_info(shell_startup_files_modification_info, required_file_names):
|
|
||||||
required_shell_startup_files_modification_info = []
|
|
||||||
for shell_startup_file_result in shell_startup_files_modification_info[0]['result']:
|
|
||||||
if any(file_name in shell_startup_file_result[0] for file_name in required_file_names):
|
|
||||||
required_shell_startup_files_modification_info.append({
|
|
||||||
'machine': shell_startup_files_modification_info[0]['machine'],
|
|
||||||
'result': shell_startup_file_result
|
|
||||||
})
|
|
||||||
return required_shell_startup_files_modification_info
|
|
||||||
|
|
||||||
|
|
||||||
def get_shell_startup_files_modification_status(shell_startup_files_modification_info):
|
|
||||||
status = []
|
|
||||||
for startup_file in shell_startup_files_modification_info:
|
|
||||||
status.append(startup_file['result'][1])
|
|
||||||
status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
|
|
||||||
if status else ScanStatus.UNSCANNED.value
|
|
||||||
return status
|
|
||||||
|
|
Loading…
Reference in New Issue