p17860254
/
monkey
forked from p15670423/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add DISABLED status for attack techniques

This commit is contained in:
Shreya 2020-07-11 01:08:41 +05:30
parent d25ad3a209
commit 8078acdf7f
8 changed files with 43 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
View File

@ -1,7 +1,12 @@
from common.data.post_breach_consts import (
POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER)
from common.utils.attack_utils import ScanStatus
from monkey_island.cc.database import mongo
from monkey_island.cc.services.attack.attack_config import AttackConfig
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from monkey_island.cc.services.attack.technique_reports.pba_technique import \
PostBreachTechnique
from monkey_island.cc.services.reporting.report import ReportService
__author__ = "shreyamalviya"

9
monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
View File

@ -1,5 +1,8 @@
from common.data.post_breach_consts import \
POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
from common.utils.attack_utils import ScanStatus
from monkey_island.cc.database import mongo
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from monkey_island.cc.services.attack.technique_reports.pba_technique import \
PostBreachTechnique
@ -8,7 +11,7 @@ __author__ = "shreyamalviya"
class T1156(PostBreachTechnique):
tech_id = "T1156"
unscanned_msg = "Monkey didn't try modifying bash startup files since it found no Linux machines."
scanned_msg = "Monkey tried modifying bash startup files but failed."
used_msg = "Monkey successfully modified bash startup files."
unscanned_msg = "Monkey did not try modifying bash startup files on the system."
scanned_msg = "Monkey tried modifying bash startup files on the system but failed."
used_msg = "Monkey modified bash startup files on the system."
pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]

2
monkey/monkey_island/cc/services/attack/technique_reports/T1158.py
View File

@ -10,4 +10,4 @@ class T1158(PostBreachTechnique):
unscanned_msg = "Monkey didn't try creating hidden files or folders."
scanned_msg = "Monkey tried creating hidden files and folders on the system but failed."
used_msg = "Monkey created hidden files and folders on the system."
pba_name = POST_BREACH_HIDDEN_FILES
pba_names = [POST_BREACH_HIDDEN_FILES]

9
monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
View File

@ -1,5 +1,8 @@
from common.data.post_breach_consts import \
POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
from common.utils.attack_utils import ScanStatus
from monkey_island.cc.database import mongo
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from monkey_island.cc.services.attack.technique_reports.pba_technique import \
PostBreachTechnique
@ -8,7 +11,7 @@ __author__ = "shreyamalviya"
class T1504(PostBreachTechnique):
tech_id = "T1504"
unscanned_msg = "Monkey didn't try modifying powershell startup files since it found no Windows machines."
scanned_msg = "Monkey tried modifying powershell startup files but failed."
used_msg = "Monkey successfully modified powershell startup files."
unscanned_msg = "Monkey did not try modifying powershell startup files on the system."
scanned_msg = "Monkey tried modifying powershell startup files on the system but failed."
used_msg = "Monkey modified powershell startup files on the system."
pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]

19
monkey/monkey_island/cc/services/attack/technique_reports/__init__.py
View File

@ -10,8 +10,7 @@ from monkey_island.cc.services.attack.attack_config import AttackConfig
logger = logging.getLogger(__name__)
disabled_msg = "This technique has been disabled. " +\
"You can enable it from the [configuration page](../../configure)."
disabled_msg = "This technique has been disabled. You can enable it from the configuration page."
class AttackTechnique(object, metaclass=abc.ABCMeta):
@ -74,7 +73,8 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
'data.technique': cls.tech_id}):
return ScanStatus.SCANNED.value
else:
return ScanStatus.UNSCANNED.value
return ScanStatus.DISABLED.value if not AttackConfig.get_technique_values()[cls.tech_id]\
else ScanStatus.UNSCANNED.value
@classmethod
def get_message_and_status(cls, status):
@ -93,7 +93,6 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
:param status: Enum from common/attack_utils.py integer value
:return: message string
"""
status = cls._check_status(status)
if status == ScanStatus.DISABLED.value:
return disabled_msg
if status == ScanStatus.UNSCANNED.value:
@ -143,12 +142,8 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
return {}
@classmethod
def _check_status(cls, status, *args):
enabled_in_config = args[0] if args else cls._is_enabled_in_config()
if status == ScanStatus.UNSCANNED.value and not enabled_in_config:
return ScanStatus.DISABLED.value
def _check_status(cls, status):
if status == ScanStatus.UNSCANNED.value:
return ScanStatus.DISABLED.value if not AttackConfig.get_technique_values()[cls.tech_id]\
else ScanStatus.UNSCANNED.value
return status
@classmethod
def _is_enabled_in_config(cls):
return AttackConfig.get_technique_values()[cls.tech_id]

13
monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py
View File

@ -9,16 +9,17 @@ from monkey_island.cc.services.attack.technique_reports import AttackTechnique
class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
@property
@abc.abstractmethod
def pba_name(self):
def pba_names(self):
"""
:return: name of post breach action
"""
pass
@classmethod
def get_pba_query(cls, post_breach_action_name):
def get_pba_query(cls, post_breach_action_names):
return [{'$match': {'telem_category': 'post_breach',
'data.name': post_breach_action_name}},
# 'data.name': post_breach_action_name}},
'$or': [{'data.name': pba_name} for pba_name in post_breach_action_names]}},
{'$project': {'_id': 0,
'machine': {'hostname': '$data.hostname',
'ips': ['$data.ip']},
@ -28,7 +29,7 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
def get_report_data(cls):
data = {'title': cls.technique_title(), 'info': []}
info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_name)))
info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names)))
status = []
for pba_node in info:
@ -36,6 +37,10 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
if status else ScanStatus.UNSCANNED.value
if status == ScanStatus.UNSCANNED.value and\
not AttackConfig.get_technique_values()[cls.tech_id]:
status = ScanStatus.DISABLED.value
data.update(cls.get_base_data_by_status(status))
data.update({'info': info})
return data

4
monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js
View File

@ -64,10 +64,10 @@ class AttackReport extends React.Component {
return 'collapse-warning';
case ScanStatus.USED:
return 'collapse-danger';
case ScanStatus.UNSCANNED:
return 'collapse-unscanned';
case ScanStatus.DISABLED:
return 'collapse-disabled';
default:
return 'collapse-default';
}
}

10
monkey/monkey_island/cc/ui/src/styles/components/Collapse.scss
View File

@ -3,7 +3,7 @@ $transition: 300ms cubic-bezier(0.6, 0.3, 0.3, 0.6);
$danger-color: #ebbcba;
$disabled-color: #b7c2ff;
$info-color: #ade3eb;
$default-color: #e0ddde;
$unscanned-color: #e0ddde;
$warning-color: #ffe28d;
.collapse-item button {
@ -51,8 +51,12 @@ $warning-color: #ffe28d;
background-color: $info-color !important;
}
.collapse-default {
background-color: $default-color !important;
.collapse-unscanned {
background-color: $unscanned-color !important;
}
.collapse-disabled {
background-color: $disabled-color !important;
}
.collapse-disabled {