Modifications to get the telemetry feed and reports rendering properly

monkey/infection_monkey/post_breach/actions/modify_shell_startup_files.py

@@ -1,3 +1,5 @@
+import subprocess
+
 from common.data.post_breach_consts import \
     POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
 from infection_monkey.post_breach.pba import PBA
@@ -17,7 +19,7 @@ class ModifyShellStartupFiles(PBA):
         super().__init__(name=POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION)
 
     def run(self):
-        results = [pba.run(return_result=True) for pba in self.modify_shell_startup_PBA_list()]
+        results = [pba.run() for pba in self.modify_shell_startup_PBA_list()]
         PostBreachTelem(self, results).send()
 
     def modify_shell_startup_PBA_list(self):

monkey/monkey_island/cc/resources/telemetry_feed.py

@@ -98,9 +98,9 @@ class TelemetryFeed(flask_restful.Resource):
 
     @staticmethod
     def get_post_breach_telem_brief(telem):
-        return '%s post breach action executed on %s (%s) machine.' % (telem['data']['name'],
-                                                                       telem['data']['hostname'],
-                                                                       telem['data']['ip'])
+        return '%s post breach action executed on %s (%s) machine.' % (telem['data'][0]['name'],
+                                                                       telem['data'][0]['hostname'],
+                                                                       telem['data'][0]['ip'])
 
     @staticmethod
     def should_show_brief(telem):

monkey/monkey_island/cc/services/attack/technique_reports/T1136.py

@@ -18,7 +18,7 @@ class T1136(AttackTechnique):
                                  {'data.name': POST_BREACH_COMMUNICATE_AS_NEW_USER}]}},
              {'$project': {'_id': 0,
                            'machine': {'hostname': '$data.hostname',
-                                       'ips': ['$data.ip']},
+                                       'ips': '$data.ip'},
                            'result': '$data.result'}}]
 
     @staticmethod

monkey/monkey_island/cc/services/attack/technique_reports/T1154.py

@@ -16,7 +16,7 @@ class T1154(AttackTechnique):
                          'data.name': POST_BREACH_TRAP_COMMAND}},
              {'$project': {'_id': 0,
                            'machine': {'hostname': '$data.hostname',
-                                       'ips': ['$data.ip']},
+                                       'ips': '$data.ip'},
                            'result': '$data.result'}}]
 
     @staticmethod

monkey/monkey_island/cc/services/attack/technique_reports/T1158.py

@@ -16,7 +16,7 @@ class T1158(AttackTechnique):
                          'data.name': POST_BREACH_HIDDEN_FILES}},
              {'$project': {'_id': 0,
                            'machine': {'hostname': '$data.hostname',
-                                       'ips': ['$data.ip']},
+                                       'ips': '$data.ip'},
                            'result': '$data.result'}}]
 
     @staticmethod
@@ -25,11 +25,11 @@ class T1158(AttackTechnique):
 
         hidden_file_info = list(mongo.db.telemetry.aggregate(T1158.query))
 
-        status = []
-        for pba_node in hidden_file_info:
-            status.append(pba_node['result'][1])
-        status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
-            if status else ScanStatus.UNSCANNED.value
+        status = ScanStatus.UNSCANNED.value
+        if hidden_file_info:
+            successful_PBAs = mongo.db.telemetry.count({'data.name': POST_BREACH_HIDDEN_FILES,
+                                                        'data.result.1': True})
+            status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
 
         data.update(T1158.get_base_data_by_status(status))
         data.update({'info': hidden_file_info})

monkey/monkey_island/cc/services/attack/technique_reports/T1166.py

@@ -16,7 +16,7 @@ class T1166(AttackTechnique):
                          'data.name': POST_BREACH_SETUID_SETGID}},
              {'$project': {'_id': 0,
                            'machine': {'hostname': '$data.hostname',
-                                       'ips': ['$data.ip']},
+                                       'ips': '$data.ip'},
                            'result': '$data.result'}}]
 
     @staticmethod

monkey/monkey_island/cc/services/attack/technique_reports/T1168.py

@@ -17,7 +17,7 @@ class T1168(AttackTechnique):
                          'data.command': {'$regex': 'crontab'}}},
              {'$project': {'_id': 0,
                            'machine': {'hostname': '$data.hostname',
-                                       'ips': ['$data.ip']},
+                                       'ips': '$data.ip'},
                            'result': '$data.result'}}]
 
     @staticmethod
@@ -26,8 +26,11 @@ class T1168(AttackTechnique):
 
         job_scheduling_info = list(mongo.db.telemetry.aggregate(T1168.query))
 
-        status = (ScanStatus.USED.value if job_scheduling_info[0]['result'][1]
-                  else ScanStatus.SCANNED.value) if job_scheduling_info else ScanStatus.UNSCANNED.value
+        status = ScanStatus.UNSCANNED.value
+        if job_scheduling_info:
+            successful_PBAs = mongo.db.telemetry.count({'data.name': POST_BREACH_JOB_SCHEDULING,
+                                                        'data.result.1': True})
+            status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
 
         data.update(T1168.get_base_data_by_status(status))
         data.update({'info': job_scheduling_info})

monkey/monkey_island/cc/services/telemetry/processing/post_breach.py

@@ -18,38 +18,38 @@ def process_communicate_as_new_user_telemetry(telemetry_json):
     test_new_user_communication(current_monkey, success, message)
 
 
-def process_shell_startup_file_modification_telemetry(telemetry_json):
-    modified_data = []
-    for result in telemetry_json['data']['result']:
-        temp = copy.deepcopy(telemetry_json['data'])
-        temp['result'] = result
-        modified_data.append(temp)
+def modify_data(telemetry_json):
+    modified_data = [telemetry_json['data']]
+    if type(telemetry_json['data']['result'][0]) is list:
+        modified_data = []
+        for result in telemetry_json['data']['result']:
+            temp = copy.deepcopy(telemetry_json['data'])
+            temp['result'] = result
+            modified_data.append(temp)
     telemetry_json['data'] = modified_data
 
 
 POST_BREACH_TELEMETRY_PROCESSING_FUNCS = {
     POST_BREACH_COMMUNICATE_AS_NEW_USER: process_communicate_as_new_user_telemetry,
-    POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION: process_shell_startup_file_modification_telemetry,
 }
 
 
 def process_post_breach_telemetry(telemetry_json):
+    def modify_blank_outputs(data):
+        if not data['result'][0]:
+            data['result'][0] = EXECUTION_WITHOUT_OUTPUT
+
+    def update_data(data):
+        modify_blank_outputs(data)
+        mongo.db.monkey.update(
+            {'guid': telemetry_json['monkey_guid']},
+            {'$push': {'pba_results': data}})
+
     post_breach_action_name = telemetry_json["data"]["name"]
     if post_breach_action_name in POST_BREACH_TELEMETRY_PROCESSING_FUNCS:
         POST_BREACH_TELEMETRY_PROCESSING_FUNCS[post_breach_action_name](telemetry_json)
 
-    if type(telemetry_json['data']) is list:
-        for pba_data in telemetry_json['data']:
-            modify_blank_outputs(pba_data)
-            mongo.db.monkey.update(
-                {'guid': telemetry_json['monkey_guid']},
-                {'$push': {'pba_results': pba_data}})
-    else:
-        modify_blank_outputs(telemetry_json['data'])
-        mongo.db.monkey.update(
-            {'guid': telemetry_json['monkey_guid']},
-            {'$push': {'pba_results': telemetry_json['data']}})
+    modify_data(telemetry_json)
 
-    def modify_blank_outputs(data):
-        if not data['result']:
-            data['result'] = EXECUTION_WITHOUT_OUTPUT
+    for pba_data in telemetry_json['data']:
+        update_data(pba_data)