Modifications to get the telemetry feed and reports rendering properly

This commit is contained in:
Shreya 2020-07-24 16:41:46 +05:30
parent 5a7e8a0b08
commit 90fe06e212
8 changed files with 42 additions and 37 deletions

View File

@ -1,3 +1,5 @@
import subprocess
from common.data.post_breach_consts import \
POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
from infection_monkey.post_breach.pba import PBA
@ -17,7 +19,7 @@ class ModifyShellStartupFiles(PBA):
super().__init__(name=POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION)
def run(self):
results = [pba.run(return_result=True) for pba in self.modify_shell_startup_PBA_list()]
results = [pba.run() for pba in self.modify_shell_startup_PBA_list()]
PostBreachTelem(self, results).send()
def modify_shell_startup_PBA_list(self):

View File

@ -98,9 +98,9 @@ class TelemetryFeed(flask_restful.Resource):
@staticmethod
def get_post_breach_telem_brief(telem):
return '%s post breach action executed on %s (%s) machine.' % (telem['data']['name'],
telem['data']['hostname'],
telem['data']['ip'])
return '%s post breach action executed on %s (%s) machine.' % (telem['data'][0]['name'],
telem['data'][0]['hostname'],
telem['data'][0]['ip'])
@staticmethod
def should_show_brief(telem):

View File

@ -18,7 +18,7 @@ class T1136(AttackTechnique):
{'data.name': POST_BREACH_COMMUNICATE_AS_NEW_USER}]}},
{'$project': {'_id': 0,
'machine': {'hostname': '$data.hostname',
'ips': ['$data.ip']},
'ips': '$data.ip'},
'result': '$data.result'}}]
@staticmethod

View File

@ -16,7 +16,7 @@ class T1154(AttackTechnique):
'data.name': POST_BREACH_TRAP_COMMAND}},
{'$project': {'_id': 0,
'machine': {'hostname': '$data.hostname',
'ips': ['$data.ip']},
'ips': '$data.ip'},
'result': '$data.result'}}]
@staticmethod

View File

@ -16,7 +16,7 @@ class T1158(AttackTechnique):
'data.name': POST_BREACH_HIDDEN_FILES}},
{'$project': {'_id': 0,
'machine': {'hostname': '$data.hostname',
'ips': ['$data.ip']},
'ips': '$data.ip'},
'result': '$data.result'}}]
@staticmethod
@ -25,11 +25,11 @@ class T1158(AttackTechnique):
hidden_file_info = list(mongo.db.telemetry.aggregate(T1158.query))
status = []
for pba_node in hidden_file_info:
status.append(pba_node['result'][1])
status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
if status else ScanStatus.UNSCANNED.value
status = ScanStatus.UNSCANNED.value
if hidden_file_info:
successful_PBAs = mongo.db.telemetry.count({'data.name': POST_BREACH_HIDDEN_FILES,
'data.result.1': True})
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
data.update(T1158.get_base_data_by_status(status))
data.update({'info': hidden_file_info})

View File

@ -16,7 +16,7 @@ class T1166(AttackTechnique):
'data.name': POST_BREACH_SETUID_SETGID}},
{'$project': {'_id': 0,
'machine': {'hostname': '$data.hostname',
'ips': ['$data.ip']},
'ips': '$data.ip'},
'result': '$data.result'}}]
@staticmethod

View File

@ -17,7 +17,7 @@ class T1168(AttackTechnique):
'data.command': {'$regex': 'crontab'}}},
{'$project': {'_id': 0,
'machine': {'hostname': '$data.hostname',
'ips': ['$data.ip']},
'ips': '$data.ip'},
'result': '$data.result'}}]
@staticmethod
@ -26,8 +26,11 @@ class T1168(AttackTechnique):
job_scheduling_info = list(mongo.db.telemetry.aggregate(T1168.query))
status = (ScanStatus.USED.value if job_scheduling_info[0]['result'][1]
else ScanStatus.SCANNED.value) if job_scheduling_info else ScanStatus.UNSCANNED.value
status = ScanStatus.UNSCANNED.value
if job_scheduling_info:
successful_PBAs = mongo.db.telemetry.count({'data.name': POST_BREACH_JOB_SCHEDULING,
'data.result.1': True})
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
data.update(T1168.get_base_data_by_status(status))
data.update({'info': job_scheduling_info})

View File

@ -18,7 +18,9 @@ def process_communicate_as_new_user_telemetry(telemetry_json):
test_new_user_communication(current_monkey, success, message)
def process_shell_startup_file_modification_telemetry(telemetry_json):
def modify_data(telemetry_json):
modified_data = [telemetry_json['data']]
if type(telemetry_json['data']['result'][0]) is list:
modified_data = []
for result in telemetry_json['data']['result']:
temp = copy.deepcopy(telemetry_json['data'])
@ -29,27 +31,25 @@ def process_shell_startup_file_modification_telemetry(telemetry_json):
POST_BREACH_TELEMETRY_PROCESSING_FUNCS = {
POST_BREACH_COMMUNICATE_AS_NEW_USER: process_communicate_as_new_user_telemetry,
POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION: process_shell_startup_file_modification_telemetry,
}
def process_post_breach_telemetry(telemetry_json):
def modify_blank_outputs(data):
if not data['result'][0]:
data['result'][0] = EXECUTION_WITHOUT_OUTPUT
def update_data(data):
modify_blank_outputs(data)
mongo.db.monkey.update(
{'guid': telemetry_json['monkey_guid']},
{'$push': {'pba_results': data}})
post_breach_action_name = telemetry_json["data"]["name"]
if post_breach_action_name in POST_BREACH_TELEMETRY_PROCESSING_FUNCS:
POST_BREACH_TELEMETRY_PROCESSING_FUNCS[post_breach_action_name](telemetry_json)
if type(telemetry_json['data']) is list:
for pba_data in telemetry_json['data']:
modify_blank_outputs(pba_data)
mongo.db.monkey.update(
{'guid': telemetry_json['monkey_guid']},
{'$push': {'pba_results': pba_data}})
else:
modify_blank_outputs(telemetry_json['data'])
mongo.db.monkey.update(
{'guid': telemetry_json['monkey_guid']},
{'$push': {'pba_results': telemetry_json['data']}})
modify_data(telemetry_json)
def modify_blank_outputs(data):
if not data['result']:
data['result'] = EXECUTION_WITHOUT_OUTPUT
for pba_data in telemetry_json['data']:
update_data(pba_data)