Refactor PBA report data code

Only with T1158 for now
This commit is contained in:
Shreya 2020-07-10 20:42:37 +05:30
parent 9217581e1c
commit d25ad3a209
2 changed files with 12 additions and 25 deletions

View File

@ -10,4 +10,4 @@ class T1158(PostBreachTechnique):
unscanned_msg = "Monkey didn't try creating hidden files or folders." unscanned_msg = "Monkey didn't try creating hidden files or folders."
scanned_msg = "Monkey tried creating hidden files and folders on the system but failed." scanned_msg = "Monkey tried creating hidden files and folders on the system but failed."
used_msg = "Monkey created hidden files and folders on the system." used_msg = "Monkey created hidden files and folders on the system."
pba_names = [POST_BREACH_HIDDEN_FILES] pba_name = POST_BREACH_HIDDEN_FILES

View File

@ -1,32 +1,24 @@
import abc import abc
from common.utils.attack_utils import ScanStatus
from monkey_island.cc.database import mongo
from monkey_island.cc.services.attack.attack_config import AttackConfig from monkey_island.cc.services.attack.attack_config import AttackConfig
from monkey_island.cc.database import mongo
from common.utils.attack_utils import ScanStatus
from monkey_island.cc.services.attack.technique_reports import AttackTechnique from monkey_island.cc.services.attack.technique_reports import AttackTechnique
class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta): class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
""" Class for ATT&CK report components of post-breach actions """
@property @property
@abc.abstractmethod @abc.abstractmethod
def pba_names(self): def pba_name(self):
""" """
:return: name of post breach action :return: name of post breach action
""" """
pass pass
@classmethod @classmethod
def get_pba_query(cls, post_breach_action_names): def get_pba_query(cls, post_breach_action_name):
"""
:param post_breach_action_names: Names of post-breach actions with which the technique is associated
(example - `["Communicate as new user", "Backdoor user"]` for T1136)
:return: Mongo query that parses attack telemetries for a simple report component
(gets machines and post-breach action usage).
"""
return [{'$match': {'telem_category': 'post_breach', return [{'$match': {'telem_category': 'post_breach',
'$or': [{'data.name': pba_name} for pba_name in post_breach_action_names]}}, 'data.name': post_breach_action_name}},
{'$project': {'_id': 0, {'$project': {'_id': 0,
'machine': {'hostname': '$data.hostname', 'machine': {'hostname': '$data.hostname',
'ips': ['$data.ip']}, 'ips': ['$data.ip']},
@ -34,20 +26,15 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
@classmethod @classmethod
def get_report_data(cls): def get_report_data(cls):
"""
:return: Technique's report data aggregated from the database
"""
data = {'title': cls.technique_title(), 'info': []} data = {'title': cls.technique_title(), 'info': []}
info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names))) info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_name)))
status = ScanStatus.UNSCANNED.value status = []
if info: for pba_node in info:
successful_PBAs = mongo.db.telemetry.count({ status.append(pba_node['result'][1])
'$or': [{'data.name': pba_name} for pba_name in cls.pba_names], status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
'data.result.1': True if status else ScanStatus.UNSCANNED.value
})
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
data.update(cls.get_base_data_by_status(status)) data.update(cls.get_base_data_by_status(status))
data.update({'info': info}) data.update({'info': info})