cc: Add another table for T1086 (PowerShell) used as PBAs

2021-10-11 17:21:40 +05:30 · 2021-10-11 17:21:40 +05:30 · 7fa917581c
parent d82f61d524
commit 7fa917581c
2 changed files with 53 additions and 8 deletions
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py
@ -48,7 +48,7 @@ class T1086(AttackTechnique):
                "_id": 0,
                "telem_category": 1,
                "machine.hostname": "$data.hostname",
-                "machine.ips": "$data.ip",
+                "machine.ips": [{"$arrayElemAt": ["$data.ip", 0]}],
                "info": "$data.result",
            }
        },
--- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js
+++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js
@ -1,6 +1,6 @@
 import React from 'react';
 import ReactTable from 'react-table';
-import {renderMachine, ScanStatus} from './Helpers'
+import {renderMachine, renderMachineFromSystemData, ScanStatus} from './Helpers'
 import MitigationsComponent from './MitigationsComponent';


@ -10,9 +10,9 @@ class T1086 extends React.Component {
    super(props);
  }

-  static getPowershellColumns() {
+  static getPowershellColumnsForExploits() {
    return ([{
-      Header: 'Example Powershell commands used',
+      Header: 'PowerShell commands used on exploited machines',
      columns: [
        {
          Header: 'Machine',
@ -32,18 +32,63 @@ class T1086 extends React.Component {
    }])
  }

+  static getPowershellColumnsForPBAs() {
+    return ([{
+      Header: 'PowerShell commands or scripts used as PBAs',
+      columns: [
+        {
+          Header: 'Machine',
+          id: 'machine',
+          accessor: x => renderMachineFromSystemData(x.machine),
+          style: {'whiteSpace': 'unset'},
+        },
+        {
+          Header: 'Information',
+          id: 'information',
+          accessor: x => x.info,
+          style: {'whiteSpace': 'unset'}
+        }
+      ]
+    }])
+  }
+
+  getPowershellDataPerCategory(category) {
+    let data = [];
+    for (let rowIdx in this.props.data.cmds) {
+      let row = this.props.data.cmds[rowIdx];
+      if (row.telem_category == category) {
+        data.push(row);
+      }
+    }
+
+    return data
+  }
+
  render() {
+    let data_from_exploits = this.getPowershellDataPerCategory("exploit");
+    let data_from_pbas = this.getPowershellDataPerCategory("post_breach");
+
    return (
      <div>
        <div>{this.props.data.message_html}</div>
        <br/>
        {this.props.data.status === ScanStatus.USED ?
+          <div>
          <ReactTable
-            columns={T1086.getPowershellColumns()}
-            data={this.props.data.cmds}
+            columns={T1086.getPowershellColumnsForExploits()}
+            data={data_from_exploits}
            showPagination={false}
-            defaultPageSize={this.props.data.cmds.length}
-          /> : ''}
+            defaultPageSize={data_from_exploits.length}
+          />
+          <br/>
+          <br/>
+          <ReactTable
+            columns={T1086.getPowershellColumnsForPBAs()}
+            data={data_from_pbas}
+            showPagination={false}
+            defaultPageSize={data_from_pbas.length}
+          />
+          </div> : ''}
        <MitigationsComponent mitigations={this.props.data.mitigations}/>
      </div>
    );