Merge pull request #382 from VakarisZ/attack_data_from_system

T1005 Data from local system

monkey/infection_monkey/system_info/SSH_info_collector.py

@@ -3,6 +3,9 @@ import pwd
 import os
 import glob
 
+from common.utils.attack_utils import ScanStatus
+from infection_monkey.telemetry.attack.t1005_telem import T1005Telem
+
 __author__ = 'VakarisZ'
 
 LOG = logging.getLogger(__name__)
@@ -71,6 +74,7 @@ class SSHCollector(object):
                                             if private_key.find('ENCRYPTED') == -1:
                                                 info['private_key'] = private_key
                                                 LOG.info("Found private key in %s" % private)
+                                                T1005Telem(ScanStatus.USED, 'SSH key', "Path: %s" % private).send()
                                             else:
                                                 continue
                                     except (IOError, OSError):

monkey/infection_monkey/system_info/azure_cred_collector.py

@@ -5,6 +5,9 @@ import json
 import glob
 import subprocess
 
+from common.utils.attack_utils import ScanStatus
+from infection_monkey.telemetry.attack.t1005_telem import T1005Telem
+
 __author__ = 'danielg'
 
 LOG = logging.getLogger(__name__)
@@ -54,6 +57,7 @@ class AzureCollector(object):
             decrypt_proc = subprocess.Popen(decrypt_command.split(), stdout=subprocess.PIPE, stdin=subprocess.PIPE)
             decrypt_raw = decrypt_proc.communicate(input=b64_result)[0]
             decrypt_data = json.loads(decrypt_raw)
+            T1005Telem(ScanStatus.USED, 'Azure credentials', "Path: %s" % filepath).send()
             return decrypt_data['username'], decrypt_data['password']
         except IOError:
             LOG.warning("Failed to parse VM Access plugin file. Could not open file")
@@ -92,6 +96,7 @@ class AzureCollector(object):
             # this is disgusting but the alternative is writing the file to disk...
             password_raw = ps_out.split('\n')[-2].split(">")[1].split("$utf8content")[1]
             password = json.loads(password_raw)["Password"]
+            T1005Telem(ScanStatus.USED, 'Azure credentials', "Path: %s" % filepath).send()
             return username, password
         except IOError:
             LOG.warning("Failed to parse VM Access plugin file. Could not open file")

monkey/infection_monkey/telemetry/attack/t1005_telem.py

@@ -0,0 +1,22 @@
+from infection_monkey.telemetry.attack.attack_telem import AttackTelem
+
+
+class T1005Telem(AttackTelem):
+    def __init__(self, status, gathered_data_type, info=""):
+        """
+        T1005 telemetry.
+        :param status: ScanStatus of technique
+        :param gathered_data_type: Type of data collected from local system
+        :param info: Additional info about data
+        """
+        super(T1005Telem, self).__init__('T1005', status)
+        self.gathered_data_type = gathered_data_type
+        self.info = info
+
+    def get_data(self):
+        data = super(T1005Telem, self).get_data()
+        data.update({
+            'gathered_data_type': self.gathered_data_type,
+            'info': self.info
+        })
+        return data

monkey/monkey_island/cc/services/attack/attack_report.py

@@ -3,7 +3,7 @@ import logging
 from monkey_island.cc.models import Monkey
 from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
 from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
-from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222
+from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005
 from monkey_island.cc.services.attack.attack_config import AttackConfig
 from monkey_island.cc.database import mongo
 
@@ -30,7 +30,8 @@ TECHNIQUES = {'T1210': T1210.T1210,
               'T1188': T1188.T1188,
               'T1090': T1090.T1090,
               'T1041': T1041.T1041,
-              'T1222': T1222.T1222}
+              'T1222': T1222.T1222,
+              'T1005': T1005.T1005}
 
 REPORT_NAME = 'new_report'
 

monkey/monkey_island/cc/services/attack/attack_schema.py

@@ -182,6 +182,20 @@ SCHEMA = {
                 }
             }
         },
+        "collection": {
+            "title": "Collection",
+            "type": "object",
+            "properties": {
+                "T1005": {
+                    "title": "T1005 Data from local system",
+                    "type": "bool",
+                    "value": True,
+                    "necessary": False,
+                    "description": "Sensitive data can be collected from local system sources, such as the file system "
+                                   "or databases of information residing on the system prior to Exfiltration."
+                }
+            }
+        },
         "command_and_control": {
             "title": "Command and Control",
             "type": "object",

monkey/monkey_island/cc/services/attack/technique_reports/T1005.py

@@ -0,0 +1,34 @@
+from monkey_island.cc.services.attack.technique_reports import AttackTechnique
+from monkey_island.cc.database import mongo
+
+__author__ = "VakarisZ"
+
+
+class T1005(AttackTechnique):
+
+    tech_id = "T1005"
+    unscanned_msg = "Monkey didn't gather any sensitive data from local system."
+    scanned_msg = ""
+    used_msg = "Monkey successfully gathered sensitive data from local system."
+
+    query = [{'$match': {'telem_category': 'attack',
+                         'data.technique': tech_id}},
+             {'$lookup': {'from': 'monkey',
+                          'localField': 'monkey_guid',
+                          'foreignField': 'guid',
+                          'as': 'monkey'}},
+             {'$project': {'monkey': {'$arrayElemAt': ['$monkey', 0]},
+                           'status': '$data.status',
+                           'gathered_data_type': '$data.gathered_data_type',
+                           'info': '$data.info'}},
+             {'$addFields': {'_id': 0,
+                             'machine': {'hostname': '$monkey.hostname', 'ips': '$monkey.ip_addresses'},
+                             'monkey': 0}},
+             {'$group': {'_id': {'machine': '$machine', 'gathered_data_type': '$gathered_data_type', 'info': '$info'}}},
+             {"$replaceRoot": {"newRoot": "$_id"}}]
+
+    @staticmethod
+    def get_report_data():
+        data = T1005.get_tech_base_data()
+        data.update({'collected_data': list(mongo.db.telemetry.aggregate(T1005.query))})
+        return data

monkey/monkey_island/cc/services/config_schema.py

@@ -422,7 +422,7 @@ SCHEMA = {
                             "title": "Collect system info",
                             "type": "boolean",
                             "default": True,
-                            "attack_techniques": ["T1082"],
+                            "attack_techniques": ["T1082", "T1005"],
                             "description": "Determines whether to collect system info"
                         },
                         "should_use_mimikatz": {

monkey/monkey_island/cc/ui/src/components/attack/techniques/T1005.js

@@ -0,0 +1,38 @@
+import React from 'react';
+import '../../../styles/Collapse.scss'
+import ReactTable from "react-table";
+import {renderMachineFromSystemData, ScanStatus} from "./Helpers";
+
+class T1005 extends React.Component {
+
+  constructor(props) {
+    super(props);
+  }
+
+  static getDataColumns() {
+    return ([{
+      Header: "Sensitive data",
+      columns: [
+        {Header: 'Machine', id: 'machine', accessor: x => renderMachineFromSystemData(x.machine), style: { 'whiteSpace': 'unset' }},
+        {Header: 'Type', id: 'type', accessor: x => x.gathered_data_type, style: { 'whiteSpace': 'unset' }},
+        {Header: 'Info', id: 'info', accessor: x => x.info, style: { 'whiteSpace': 'unset' }},
+        ]}])};
+
+  render() {
+    return (
+      <div>
+        <div>{this.props.data.message}</div>
+        <br/>
+        {this.props.data.status === ScanStatus.USED ?
+          <ReactTable
+              columns={T1005.getDataColumns()}
+              data={this.props.data.collected_data}
+              showPagination={false}
+              defaultPageSize={this.props.data.collected_data.length}
+          /> : ""}
+      </div>
+    );
+  }
+}
+
+export default T1005;

monkey/monkey_island/cc/ui/src/components/attack/techniques/T1222.js

@@ -1,7 +1,7 @@
 import React from 'react';
 import '../../../styles/Collapse.scss'
 import ReactTable from "react-table";
-import { renderMachine, scanStatus } from "./Helpers"
+import { renderMachine, ScanStatus } from "./Helpers"
 
 
 class T1222 extends React.Component {
@@ -24,7 +24,7 @@ class T1222 extends React.Component {
       <div>
         <div>{this.props.data.message}</div>
         <br/>
-        {this.props.data.status === scanStatus.USED ?
+        {this.props.data.status === ScanStatus.USED ?
           <ReactTable
               columns={T1222.getCommandColumns()}
               data={this.props.data.commands}

monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js

@@ -25,6 +25,7 @@ import T1188 from "../attack/techniques/T1188";
 import T1090 from "../attack/techniques/T1090";
 import T1041 from "../attack/techniques/T1041";
 import T1222 from "../attack/techniques/T1222";
+import T1005 from "../attack/techniques/T1005";
 
 const tech_components = {
   'T1210': T1210,
@@ -45,7 +46,8 @@ const tech_components = {
   'T1188': T1188,
   'T1090': T1090,
   'T1041': T1041,
-  'T1222': T1222
+  'T1222': T1222,
+  'T1005': T1005
 };
 
 const classNames = require('classnames');