forked from p15670423/monkey
Merge pull request #582 from shreyamalviya/map-create-user-pba-to-matrix
Map create user PBA to ATT&CK matrix
This commit is contained in:
commit
f3ec436f78
|
@ -4,6 +4,7 @@ from monkey_island.cc.models import Monkey
|
|||
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
|
||||
from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
|
||||
from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016, T1021, T1064
|
||||
from monkey_island.cc.services.attack.technique_reports import T1136
|
||||
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
||||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.reporting.report_generation_synchronisation import safe_generate_attack_report
|
||||
|
@ -35,7 +36,8 @@ TECHNIQUES = {'T1210': T1210.T1210,
|
|||
'T1018': T1018.T1018,
|
||||
'T1016': T1016.T1016,
|
||||
'T1021': T1021.T1021,
|
||||
'T1064': T1064.T1064
|
||||
'T1064': T1064.T1064,
|
||||
'T1136': T1136.T1136
|
||||
}
|
||||
|
||||
REPORT_NAME = 'new_report'
|
||||
|
|
|
@ -289,6 +289,22 @@ SCHEMA = {
|
|||
"description": "Data exfiltration is performed over the Command and Control channel."
|
||||
}
|
||||
}
|
||||
},
|
||||
"persistence": {
|
||||
"title": "Persistence",
|
||||
"type": "object",
|
||||
"link": "https://attack.mitre.org/tactics/TA0003/",
|
||||
"properties": {
|
||||
"T1136": {
|
||||
"title": "Create account",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": False,
|
||||
"link": "https://attack.mitre.org/techniques/T1136",
|
||||
"description": "Adversaries with a sufficient level of access "
|
||||
"may create a local system, domain, or cloud tenant account."
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from monkey_island.cc.services.reporting.report import ReportService
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from common.data.post_breach_consts import POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER
|
||||
from monkey_island.cc.models import Monkey
|
||||
|
||||
__author__ = "shreyamalviya"
|
||||
|
||||
|
||||
class T1136(AttackTechnique):
|
||||
tech_id = "T1136"
|
||||
unscanned_msg = "Monkey didn't try creating a new user on the network's systems."
|
||||
scanned_msg = "Monkey tried creating a new user on the network's systems, but failed."
|
||||
used_msg = "Monkey created a new user on the network's systems."
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = {'title': T1136.technique_title()}
|
||||
|
||||
scanned_nodes = ReportService.get_scanned()
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
for node in scanned_nodes:
|
||||
if node['pba_results'] != 'None':
|
||||
for pba in node['pba_results']:
|
||||
if pba['name'] in [POST_BREACH_BACKDOOR_USER,
|
||||
POST_BREACH_COMMUNICATE_AS_NEW_USER]:
|
||||
status = ScanStatus.USED.value if pba['result'][1]\
|
||||
else ScanStatus.SCANNED.value
|
||||
data.update({
|
||||
'info': [{
|
||||
'machine': {
|
||||
'hostname': pba['hostname'],
|
||||
'ips': node['ip_addresses'],
|
||||
},
|
||||
'result': ': '.join([pba['name'], pba['result'][0]])
|
||||
}]
|
||||
})
|
||||
data.update(T1136.get_message_and_status(status))
|
||||
return data
|
|
@ -140,7 +140,7 @@ SCHEMA = {
|
|||
},
|
||||
],
|
||||
},
|
||||
"post_breach_acts": {
|
||||
"post_breach_actions": {
|
||||
"title": "Post breach actions",
|
||||
"type": "string",
|
||||
"anyOf": [
|
||||
|
@ -150,7 +150,7 @@ SCHEMA = {
|
|||
"BackdoorUser"
|
||||
],
|
||||
"title": "Back door user",
|
||||
"attack_techniques": []
|
||||
"attack_techniques": ["T1136"]
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
|
@ -158,7 +158,7 @@ SCHEMA = {
|
|||
"CommunicateAsNewUser"
|
||||
],
|
||||
"title": "Communicate as new user",
|
||||
"attack_techniques": []
|
||||
"attack_techniques": ["T1136"]
|
||||
},
|
||||
],
|
||||
},
|
||||
|
@ -375,9 +375,10 @@ SCHEMA = {
|
|||
"type": "array",
|
||||
"uniqueItems": True,
|
||||
"items": {
|
||||
"$ref": "#/definitions/post_breach_acts"
|
||||
"$ref": "#/definitions/post_breach_actions"
|
||||
},
|
||||
"default": [
|
||||
"BackdoorUser",
|
||||
"CommunicateAsNewUser"
|
||||
],
|
||||
"description": "List of actions the Monkey will run post breach"
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
import React from 'react';
|
||||
import ReactTable from 'react-table';
|
||||
import {renderMachineFromSystemData, ScanStatus} from './Helpers'
|
||||
|
||||
class T1136 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
static getColumns() {
|
||||
return ([{
|
||||
columns: [
|
||||
{ Header: 'Machine',
|
||||
id: 'machine',
|
||||
accessor: x => renderMachineFromSystemData(x.machine),
|
||||
style: {'whiteSpace': 'unset'}},
|
||||
{ Header: 'Result',
|
||||
id: 'result',
|
||||
accessor: x => x.result,
|
||||
style: {'whiteSpace': 'unset'}}
|
||||
]
|
||||
}])
|
||||
}
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === ScanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1136.getColumns()}
|
||||
data={this.props.data.info}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.info.length}
|
||||
/> : ''}
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1136;
|
Loading…
Reference in New Issue