From e19c3c20eb63f434a28f5ce6eee4349cd6aa1992 Mon Sep 17 00:00:00 2001
From: Shreya
Date: Fri, 24 Jul 2020 22:43:50 +0530
Subject: [PATCH] Generate T1156 and T1504 reports via mongo query
---
 .../attack/technique_reports/T1156.py | 20 ++++++++++---------
 .../attack/technique_reports/T1504.py | 19 +++++++++---------
 .../technique_report_tools.py | 20 -------------------
 3 files changed, 21 insertions(+), 38 deletions(-)
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
index ed61bbc94..a379c3907 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
@@ -1,10 +1,8 @@
 from common.data.post_breach_consts import \
 POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
+from common.utils.attack_utils import ScanStatus
 from monkey_island.cc.database import mongo
 from monkey_island.cc.services.attack.technique_reports import AttackTechnique
-from monkey_island.cc.services.attack.technique_reports.technique_report_tools import (
- extract_shell_startup_files_modification_info,
- get_shell_startup_files_modification_status)
 __author__ = "shreyamalviya"
@@ -20,18 +18,22 @@ class T1156(AttackTechnique):
 {'$project': {'_id': 0,
 'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
 'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
- 'result': '$data.result'}}]
+ 'result': '$data.result'}},
+ {'$unwind': '$result'},
+ {'$match': {'$or': [{'result': {'$regex': '\.bash'}},
+ {'result': {'$regex': '\.profile'}}]}}]
 @staticmethod
 def get_report_data():
 data = {'title': T1156.technique_title(), 'info': []}
- shell_startup_files_modification_info = list(mongo.db.telemetry.aggregate(T1156.query))
+ bash_startup_modification_info = list(mongo.db.telemetry.aggregate(T1156.query))
- bash_startup_modification_info =\
- extract_shell_startup_files_modification_info(shell_startup_files_modification_info, [".bash", ".profile"])
-
- status = get_shell_startup_files_modification_status(bash_startup_modification_info)
+ status = ScanStatus.UNSCANNED.value
+ if bash_startup_modification_info:
+ successful_PBAs = mongo.db.telemetry.count({'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
+ 'data.result.1': True})
+ status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
 data.update(T1156.get_base_data_by_status(status))
 data.update({'info': bash_startup_modification_info})
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
index 4da6ffd17..b1013085e 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
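Review bot: The USED/SCANNED decision inside the new `if bash_startup_modification_info:` branch counts every POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION telemetry with a successful result, without the `.bash`/`.profile` filter the aggregation applies, so a success recorded for a different startup file under the same PBA name (the PowerShell profile this same commit reports in T1504) would mark this technique USED; the removed helper derived the status from `result[1]` of the filtered entries, which the fetched list still allows: `status = ScanStatus.USED.value if any(entry['result'][1] for entry in bash_startup_modification_info) else ScanStatus.SCANNED.value` (assuming each unwound `result` is still the `[output, succeeded]` pair the removed helper indexed; confirm). Whether `'data.result.1': True` addresses the success flag of each pair or the second pair in the list is also not obvious from here and deserves a test. The regexes `'\.bash'` and `'\.profile'` in the `$match` stage are non-raw string literals containing `\.`, which Python flags as an invalid escape sequence; write them as `r'\.bash'` and `r'\.profile'`. The same two points apply to the T1504 hunk (`'profile\.ps1'`). get_report_data continues past the end of this hunk.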
@@ -1,10 +1,8 @@
 from common.data.post_breach_consts import \
 POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
+from common.utils.attack_utils import ScanStatus
 from monkey_island.cc.database import mongo
 from monkey_island.cc.services.attack.technique_reports import AttackTechnique
-from monkey_island.cc.services.attack.technique_reports.technique_report_tools import (
- extract_shell_startup_files_modification_info,
- get_shell_startup_files_modification_status)
 __author__ = "shreyamalviya"
@@ -20,18 +18,21 @@ class T1504(AttackTechnique):
 {'$project': {'_id': 0,
 'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]},
 'ips': [{'$arrayElemAt': ['$data.ip', 0]}]},
- 'result': '$data.result'}}]
+ 'result': '$data.result'}},
+ {'$unwind': '$result'},
+ {'$match': {'result': {'$regex': 'profile\.ps1'}}}]
 @staticmethod
 def get_report_data():
 data = {'title': T1504.technique_title(), 'info': []}
- shell_startup_files_modification_info = list(mongo.db.telemetry.aggregate(T1504.query))
+ powershell_startup_modification_info = list(mongo.db.telemetry.aggregate(T1504.query))
- powershell_startup_modification_info =\
- extract_shell_startup_files_modification_info(shell_startup_files_modification_info, ["profile.ps1"])
-
- status = get_shell_startup_files_modification_status(powershell_startup_modification_info)
+ status = ScanStatus.UNSCANNED.value
+ if powershell_startup_modification_info:
+ successful_PBAs = mongo.db.telemetry.count({'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
+ 'data.result.1': True})
+ status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
 data.update(T1504.get_base_data_by_status(status))
 data.update({'info': powershell_startup_modification_info})
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/technique_report_tools.py b/monkey/monkey_island/cc/services/attack/technique_reports/technique_report_tools.py
index 88dbaab58..44b2fdd82 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/technique_report_tools.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/technique_report_tools.py
@@ -45,23 +45,3 @@ def censor_hash(hash_, plain_chars=5):
 return ""
 hash_ = encryptor.dec(hash_)
 return hash_[0: plain_chars] + ' ...'
-
-
-def extract_shell_startup_files_modification_info(shell_startup_files_modification_info, required_file_names):
- required_shell_startup_files_modification_info = []
- for shell_startup_file_result in shell_startup_files_modification_info[0]['result']:
- if any(file_name in shell_startup_file_result[0] for file_name in required_file_names):
- required_shell_startup_files_modification_info.append({
- 'machine': shell_startup_files_modification_info[0]['machine'],
- 'result': shell_startup_file_result
- })
- return required_shell_startup_files_modification_info
-
-
-def get_shell_startup_files_modification_status(shell_startup_files_modification_info):
- status = []
- for startup_file in shell_startup_files_modification_info:
- status.append(startup_file['result'][1])
- status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
- if status else ScanStatus.UNSCANNED.value
- return status