forked from p15670423/monkey
Use mongo search for report data
(For linux, shows only bash startup files in ATT&CK report)
This commit is contained in:
Shreya
parent
7459105bbc
commit
6f6bfca9f9
|
|
@ -1,5 +1,5 @@
|
|||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from monkey_island.cc.services.reporting.report import ReportService
|
||||
from monkey_island.cc.database import mongo
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
|
||||
|
||||
|
|
@ -9,30 +9,30 @@ __author__ = "shreyamalviya"
|
|||
|
||||
class T1156(AttackTechnique):
|
||||
tech_id = "T1156"
|
||||
unscanned_msg = "Monkey did not try modifying Linux's shell startup files on the system."
|
||||
scanned_msg = "Monkey tried modifying Linux's shell startup files on the system but failed."
|
||||
used_msg = "Monkey modified Linux's shell startup files on the system."
|
||||
unscanned_msg = "Monkey did not try modifying bash startup files on the system."
|
||||
scanned_msg = "Monkey tried modifying bash startup files on the system but failed."
|
||||
used_msg = "Monkey modified bash startup files on the system."
|
||||
|
||||
query = [{'$match': {'telem_category': 'post_breach',
|
||||
'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
|
||||
'data.command': {'$regex': 'bash'}}},
|
||||
{'$project': {'_id': 0,
|
||||
'machine': {'hostname': '$data.hostname',
|
||||
'ips': ['$data.ip']},
|
||||
'result': '$data.result'}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = {'title': T1156.technique_title(), 'info': []}
|
||||
|
||||
scanned_nodes = ReportService.get_scanned()
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
bash_modification_info = list(mongo.db.telemetry.aggregate(T1156.query))
|
||||
|
||||
for node in scanned_nodes:
|
||||
if node['pba_results'] != 'None':
|
||||
for pba in node['pba_results']:
|
||||
if pba['name'] == POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION:
|
||||
if 'powershell.exe' not in pba['command']:
|
||||
status = ScanStatus.USED.value if pba['result'][1]\
|
||||
else ScanStatus.SCANNED.value
|
||||
data['info'].append({
|
||||
'machine': {
|
||||
'hostname': pba['hostname'],
|
||||
'ips': node['ip_addresses']
|
||||
},
|
||||
'result': pba['result'][0].replace('#', '')
|
||||
})
|
||||
data.update(T1156.get_base_data_by_status(status))
|
||||
status = []
|
||||
for pba_node in bash_modification_info:
|
||||
status.append(pba_node['result'][1])
|
||||
status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
|
||||
if status else ScanStatus.UNSCANNED.value
|
||||
|
||||
data.update(T1156.get_base_data_by_status(status))
|
||||
data.update({'info': bash_modification_info})
|
||||
return data
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from monkey_island.cc.services.reporting.report import ReportService
|
||||
from monkey_island.cc.database import mongo
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
|
||||
|
||||
|
|
@ -9,30 +9,30 @@ __author__ = "shreyamalviya"
|
|||
|
||||
class T1504(AttackTechnique):
|
||||
tech_id = "T1504"
|
||||
unscanned_msg = "Monkey did not try modifying Window's shell startup files on the system."
|
||||
scanned_msg = "Monkey tried modifying Window's shell startup files on the system but failed."
|
||||
used_msg = "Monkey modified Window's shell startup files on the system."
|
||||
unscanned_msg = "Monkey did not try modifying powershell startup files on the system."
|
||||
scanned_msg = "Monkey tried modifying powershell startup files on the system but failed."
|
||||
used_msg = "Monkey modified powershell startup files on the system."
|
||||
|
||||
query = [{'$match': {'telem_category': 'post_breach',
|
||||
'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
|
||||
'data.command': {'$regex': 'powershell'}}},
|
||||
{'$project': {'_id': 0,
|
||||
'machine': {'hostname': '$data.hostname',
|
||||
'ips': ['$data.ip']},
|
||||
'result': '$data.result'}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = {'title': T1504.technique_title(), 'info': []}
|
||||
|
||||
scanned_nodes = ReportService.get_scanned()
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
powershell_profile_modification_info = list(mongo.db.telemetry.aggregate(T1504.query))
|
||||
|
||||
for node in scanned_nodes:
|
||||
if node['pba_results'] != 'None':
|
||||
for pba in node['pba_results']:
|
||||
if pba['name'] == POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION:
|
||||
if 'powershell.exe' in pba['command']:
|
||||
status = ScanStatus.USED.value if pba['result'][1]\
|
||||
else ScanStatus.SCANNED.value
|
||||
data['info'].append({
|
||||
'machine': {
|
||||
'hostname': pba['hostname'],
|
||||
'ips': node['ip_addresses']
|
||||
},
|
||||
'result': pba['result'][0].replace('#', '')
|
||||
})
|
||||
data.update(T1504.get_base_data_by_status(status))
|
||||
status = []
|
||||
for pba_node in powershell_profile_modification_info:
|
||||
status.append(pba_node['result'][1])
|
||||
status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
|
||||
if status else ScanStatus.UNSCANNED.value
|
||||
|
||||
data.update(T1504.get_base_data_by_status(status))
|
||||
data.update({'info': powershell_profile_modification_info})
|
||||
return data
|
||||
|
|
|
|||
Loading…
Reference in New Issue