diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py index ad1bc6281..1af89e7f7 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py @@ -1,3 +1,4 @@ +from common.common_consts.post_breach_consts import POST_BREACH_PROCESS_LIST_COLLECTION from common.utils.attack_utils import ScanStatus from monkey_island.cc.database import mongo from monkey_island.cc.services.attack.technique_reports import AttackTechnique @@ -9,14 +10,16 @@ class T1082(AttackTechnique): unscanned_msg = "Monkey didn't gather any system info on the network." scanned_msg = "" used_msg = "Monkey gathered system info from machines in the network." + # TODO: Remove the second item from this list after the TODO in `_run_pba()` in + # `automated_master.py` is resolved. + pba_names = [POST_BREACH_PROCESS_LIST_COLLECTION, "ProcessListCollection"] - query = [ + query_for_system_info_collectors = [ {"$match": {"telem_category": "system_info", "data.network_info": {"$exists": True}}}, { "$project": { "machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"}, "aws": "$data.aws", - "process_list": "$data.process_list", "ssh_info": "$data.ssh_info", "azure_info": "$data.Azure", } @@ -30,15 +33,6 @@ class T1082(AttackTechnique): "used": {"$and": [{"$gt": ["$aws", {}]}]}, "name": {"$literal": "Amazon Web Services info"}, }, - { - "used": { - "$and": [ - {"$ifNull": ["$process_list", False]}, - {"$gt": ["$process_list", {}]}, - ] - }, - "name": {"$literal": "Running process list"}, - }, { "used": { "$and": [{"$ifNull": ["$ssh_info", False]}, {"$ne": ["$ssh_info", []]}] @@ -62,19 +56,51 @@ class T1082(AttackTechnique): {"$replaceRoot": {"newRoot": "$_id"}}, ] + query_for_pbas = [ + { + "$match": { + "$and": [ + {"telem_category": "post_breach"}, + {"$or": [{"data.name": pba_name} for pba_name in pba_names]}, + {"$or": [{"data.os": os} for os in relevant_systems]}, + ] + } + }, + { + "$project": { + "_id": 0, + "machine": { + "hostname": {"$arrayElemAt": ["$data.hostname", 0]}, + "ips": [{"$arrayElemAt": ["$data.ip", 0]}], + }, + "collections": [ + { + "used": {"$arrayElemAt": [{"$arrayElemAt": ["$data.result", 0]}, 1]}, + "name": {"$literal": "List of running processes"}, + } + ], + } + }, + ] + @staticmethod def get_report_data(): def get_technique_status_and_data(): - system_info = list(mongo.db.telemetry.aggregate(T1082.query)) - if system_info: + system_info_data = list( + mongo.db.telemetry.aggregate(T1082.query_for_system_info_collectors) + ) + pba_data = list(mongo.db.telemetry.aggregate(T1082.query_for_pbas)) + technique_data = system_info_data + pba_data + + if technique_data: status = ScanStatus.USED.value else: status = ScanStatus.UNSCANNED.value - return (status, system_info) + return (status, technique_data) - status, system_info = get_technique_status_and_data() + status, technique_data = get_technique_status_and_data() data = {"title": T1082.technique_title()} - data.update({"system_info": system_info}) + data.update({"technique_data": technique_data}) data.update(T1082.get_mitigation_by_status(status)) data.update(T1082.get_message_and_status(status))