From 350c7d93fa67de6d94b88db2e2f5f32efae08972 Mon Sep 17 00:00:00 2001
From: VakarisZ
Date: Fri, 7 Jun 2019 11:51:47 +0300
Subject: [PATCH] T1003 credential dumping implemented

---
 .../cc/services/attack/attack_report.py | 5 ++--
 .../attack/technique_reports/T1003.py | 25 +++++++++++++++++++
 .../src/components/attack/techniques/T1003.js | 24 ++++++++++++++++++
 .../cc/ui/src/components/pages/ReportPage.js | 2 +-
 .../report-components/AttackReport.js | 6 +++--
 5 files changed, 57 insertions(+), 5 deletions(-)
 create mode 100644 monkey/monkey_island/cc/services/attack/technique_reports/T1003.py
 create mode 100644 monkey/monkey_island/cc/ui/src/components/attack/techniques/T1003.js

diff --git a/monkey/monkey_island/cc/services/attack/attack_report.py b/monkey/monkey_island/cc/services/attack/attack_report.py
index 49d51ffe5..b1079d8c7 100644
--- a/monkey/monkey_island/cc/services/attack/attack_report.py
+++ b/monkey/monkey_island/cc/services/attack/attack_report.py
@@ -1,5 +1,5 @@
 import logging
-from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075
+from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003
 from monkey_island.cc.services.attack.attack_telem import AttackTelemService
 from monkey_island.cc.services.attack.attack_config import AttackConfig
 from monkey_island.cc.database import mongo
@@ -12,7 +12,8 @@ LOG = logging.getLogger(__name__)
 TECHNIQUES = {'T1210': T1210.T1210,
 'T1197': T1197.T1197,
 'T1110': T1110.T1110,
- 'T1075': T1075.T1075}
+ 'T1075': T1075.T1075,
+ 'T1003': T1003.T1003}
 REPORT_NAME = 'new_report'
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py
new file mode 100644
index 000000000..002e2eeb7
--- /dev/null
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py
@@ -0,0 +1,25 @@
+from monkey_island.cc.services.attack.technique_reports import AttackTechnique
+from common.utils.attack_utils import ScanStatus
+from monkey_island.cc.database import mongo
+
+__author__ = "VakarisZ"
+
+
+class T1003(AttackTechnique):
+
+ tech_id = "T1003"
+ unscanned_msg = "Monkey tried to obtain credentials from systems in the network but didn't find any or failed."
+ scanned_msg = "Monkey tried to obtain credentials from systems in the network but didn't find any or failed."
+ used_msg = "Monkey successfully obtained some credentials from systems on the network."
+
+ query = {'telem_type': 'system_info_collection', '$and': [{'data.credentials': {'$exists': True}},
+ {'data.credentials': {'$gt': {}}}]}
+
+ @staticmethod
+ def get_report_data():
+ data = {'title': T1003.technique_title(T1003.tech_id)}
+ if mongo.db.telemetry.count_documents(T1003.query):
+ data.update({'message': T1003.used_msg, 'status': ScanStatus.USED.name})
+ else:
+ data.update({'message': T1003.unscanned_msg, 'status': ScanStatus.UNSCANNED.name})
+ return data
diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1003.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1003.js
new file mode 100644
index 000000000..1ec0b000e
--- /dev/null
+++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1003.js
@@ -0,0 +1,24 @@
+import React from 'react';
+import '../../../styles/Collapse.scss'
+import '../../report-components/StolenPasswords'
+import StolenPasswordsComponent from "../../report-components/StolenPasswords";
+
+
+class T1003 extends React.Component {
+
+ constructor(props) {
+ super(props);
+ }
+
+ render() {
+ return (
+
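Review bot: `scanned_msg` is never used — `get_report_data` reports only `used_msg`/USED or `unscanned_msg`/UNSCANNED, so a run in which the monkey did attempt credential collection but found nothing is labelled UNSCANNED while the text still says it tried. If the sibling technique reports distinguish "never attempted" from "attempted, nothing found" (not visible in this hunk), a preceding check for any `system_info_collection` telemetry should select `scanned_msg` with `ScanStatus.SCANNED.name`, and `unscanned_msg` should then be reworded so it no longer claims an attempt was made. The `'$gt': {}` clause in `query` relies on BSON comparison order and deserves a comment, e.g. `# {'$gt': {}} matches only non-empty credential documents: in BSON order any object with a field sorts above the empty object`. Since only existence matters, `count_documents(T1003.query, limit=1)` avoids counting the whole telemetry collection.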
+
{this.props.data.message}
+
+ +
+ );
+ }
+}
+
+export default T1003;
diff --git a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js
index 72aeca574..3a21b721e 100644
--- a/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js
+++ b/monkey/monkey_island/cc/ui/src/components/pages/ReportPage.js
@@ -520,7 +520,7 @@ class ReportPageComponent extends AuthComponent {
 This report shows information about ATT&CK techniques used by Infection Monkey.
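Review bot: The constructor of the new `T1003` component only forwards `props` to `super`, which React does implicitly, so `constructor(props) { super(props); }` can be dropped. The bare side-effect import `import '../../report-components/StolenPasswords'` duplicates the named import of `StolenPasswordsComponent` from the same module on the next line and should be removed. The JSX inside `render()` is not legible in this view, so what the component passes to `StolenPasswordsComponent` could not be reviewed here.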

- +

)
diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js b/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js
index 58f8ea4d7..b10b1ff7d 100644
--- a/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js
+++ b/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js
@@ -9,12 +9,14 @@ import T1210 from '../attack/techniques/T1210';
 import T1197 from '../attack/techniques/T1197';
 import T1110 from '../attack/techniques/T1110';
 import T1075 from "../attack/techniques/T1075";
+import T1003 from "../attack/techniques/T1003";
 const tech_components = {
 'T1210': T1210,
 'T1197': T1197,
 'T1110': T1110,
- 'T1075': T1075
+ 'T1075': T1075,
+ 'T1003': T1003
 };
 const classNames = require('classnames');
@@ -101,7 +103,7 @@ class AttackReportPageComponent extends AuthComponent {
 const TechniqueComponent = tech_components[technique];
 return (
- +
); }