forked from p34709852/monkey
Island: Modify T1082's reporting to get data from process collection PBA too
This commit is contained in:
Shreya Malviya
parent
417f40d62d
commit
547d4fce54
|
|
@ -1,3 +1,4 @@
|
|||
from common.common_consts.post_breach_consts import POST_BREACH_PROCESS_LIST_COLLECTION
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
|
|
@ -9,14 +10,16 @@ class T1082(AttackTechnique):
|
|||
unscanned_msg = "Monkey didn't gather any system info on the network."
|
||||
scanned_msg = ""
|
||||
used_msg = "Monkey gathered system info from machines in the network."
|
||||
# TODO: Remove the second item from this list after the TODO in `_run_pba()` in
|
||||
# `automated_master.py` is resolved.
|
||||
pba_names = [POST_BREACH_PROCESS_LIST_COLLECTION, "ProcessListCollection"]
|
||||
|
||||
query = [
|
||||
query_for_system_info_collectors = [
|
||||
{"$match": {"telem_category": "system_info", "data.network_info": {"$exists": True}}},
|
||||
{
|
||||
"$project": {
|
||||
"machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
|
||||
"aws": "$data.aws",
|
||||
"process_list": "$data.process_list",
|
||||
"ssh_info": "$data.ssh_info",
|
||||
"azure_info": "$data.Azure",
|
||||
}
|
||||
|
|
@ -30,15 +33,6 @@ class T1082(AttackTechnique):
|
|||
"used": {"$and": [{"$gt": ["$aws", {}]}]},
|
||||
"name": {"$literal": "Amazon Web Services info"},
|
||||
},
|
||||
{
|
||||
"used": {
|
||||
"$and": [
|
||||
{"$ifNull": ["$process_list", False]},
|
||||
{"$gt": ["$process_list", {}]},
|
||||
]
|
||||
},
|
||||
"name": {"$literal": "Running process list"},
|
||||
},
|
||||
{
|
||||
"used": {
|
||||
"$and": [{"$ifNull": ["$ssh_info", False]}, {"$ne": ["$ssh_info", []]}]
|
||||
|
|
@ -62,19 +56,51 @@ class T1082(AttackTechnique):
|
|||
{"$replaceRoot": {"newRoot": "$_id"}},
|
||||
]
|
||||
|
||||
query_for_pbas = [
|
||||
{
|
||||
"$match": {
|
||||
"$and": [
|
||||
{"telem_category": "post_breach"},
|
||||
{"$or": [{"data.name": pba_name} for pba_name in pba_names]},
|
||||
{"$or": [{"data.os": os} for os in relevant_systems]},
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"$project": {
|
||||
"_id": 0,
|
||||
"machine": {
|
||||
"hostname": {"$arrayElemAt": ["$data.hostname", 0]},
|
||||
"ips": [{"$arrayElemAt": ["$data.ip", 0]}],
|
||||
},
|
||||
"collections": [
|
||||
{
|
||||
"used": {"$arrayElemAt": [{"$arrayElemAt": ["$data.result", 0]}, 1]},
|
||||
"name": {"$literal": "List of running processes"},
|
||||
}
|
||||
],
|
||||
}
|
||||
},
|
||||
]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
def get_technique_status_and_data():
|
||||
system_info = list(mongo.db.telemetry.aggregate(T1082.query))
|
||||
if system_info:
|
||||
system_info_data = list(
|
||||
mongo.db.telemetry.aggregate(T1082.query_for_system_info_collectors)
|
||||
)
|
||||
pba_data = list(mongo.db.telemetry.aggregate(T1082.query_for_pbas))
|
||||
technique_data = system_info_data + pba_data
|
||||
|
||||
if technique_data:
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
return (status, system_info)
|
||||
return (status, technique_data)
|
||||
|
||||
status, system_info = get_technique_status_and_data()
|
||||
status, technique_data = get_technique_status_and_data()
|
||||
data = {"title": T1082.technique_title()}
|
||||
data.update({"system_info": system_info})
|
||||
data.update({"technique_data": technique_data})
|
||||
|
||||
data.update(T1082.get_mitigation_by_status(status))
|
||||
data.update(T1082.get_message_and_status(status))
|
||||
|
|
|
|||
Loading…
Reference in New Issue