From 6f6bfca9f9e2f6c7b79d8456f11c201421bed64e Mon Sep 17 00:00:00 2001
From: Shreya
Date: Mon, 22 Jun 2020 17:58:12 +0530
Subject: [PATCH] Use mongo search for report data (For linux, shows only bash startup files in ATT&CK report)
---
 .../attack/technique_reports/T1156.py | 42 +++++++++----------
 .../attack/technique_reports/T1504.py | 42 +++++++++----------
 2 files changed, 42 insertions(+), 42 deletions(-)
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
index 9ceb2c027..a1719c909 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
@@ -1,5 +1,5 @@
 from monkey_island.cc.services.attack.technique_reports import AttackTechnique
-from monkey_island.cc.services.reporting.report import ReportService
+from monkey_island.cc.database import mongo
 from common.utils.attack_utils import ScanStatus
 from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
@@ -9,30 +9,30 @@ __author__ = "shreyamalviya"
 class T1156(AttackTechnique):
 tech_id = "T1156"
- unscanned_msg = "Monkey did not try modifying Linux's shell startup files on the system."
- scanned_msg = "Monkey tried modifying Linux's shell startup files on the system but failed."
- used_msg = "Monkey modified Linux's shell startup files on the system."
+ unscanned_msg = "Monkey did not try modifying bash startup files on the system."
+ scanned_msg = "Monkey tried modifying bash startup files on the system but failed."
+ used_msg = "Monkey modified bash startup files on the system."
+
+ query = [{'$match': {'telem_category': 'post_breach',
+ 'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
+ 'data.command': {'$regex': 'bash'}}},
+ {'$project': {'_id': 0,
+ 'machine': {'hostname': '$data.hostname',
+ 'ips': ['$data.ip']},
+ 'result': '$data.result'}}]
 @staticmethod
 def get_report_data():
 data = {'title': T1156.technique_title(), 'info': []}
- scanned_nodes = ReportService.get_scanned()
- status = ScanStatus.UNSCANNED.value
+ bash_modification_info = list(mongo.db.telemetry.aggregate(T1156.query))
- for node in scanned_nodes:
- if node['pba_results'] != 'None':
- for pba in node['pba_results']:
- if pba['name'] == POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION:
- if 'powershell.exe' not in pba['command']:
- status = ScanStatus.USED.value if pba['result'][1]\
- else ScanStatus.SCANNED.value
- data['info'].append({
- 'machine': {
- 'hostname': pba['hostname'],
- 'ips': node['ip_addresses']
- },
- 'result': pba['result'][0].replace('#', '')
- })
- data.update(T1156.get_base_data_by_status(status))
+ status = []
+ for pba_node in bash_modification_info:
+ status.append(pba_node['result'][1])
+ status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
+ if status else ScanStatus.UNSCANNED.value
+
+ data.update(T1156.get_base_data_by_status(status))
+ data.update({'info': bash_modification_info})
 return data
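Review bot: The new `$project` stage passes `$data.result` through untouched, but the lines it replaces reported `pba['result'][0].replace('#', '')`, so each `info` entry's `result` now appears to be the whole `[output, success]` pair with the `'#'` stripping gone — unless the report UI was changed to unpack that pair, this alters what the ATT&CK report shows. The `ips` field also narrows from `node['ip_addresses']` to `['$data.ip']`, which may be intended but is worth confirming against the report view. The status fold reuses `status` first as a list and then as a string behind a backslash-continued nested conditional; the rewrite below derives the status from a `successes` list and then reduces each entry's `result` to the cleaned output string before it is attached to the report, keeping the pipeline unchanged. The T1504 hunk has the same two behaviour changes and the same fold.
```python
    @staticmethod
    def get_report_data():
        data = {'title': T1156.technique_title(), 'info': []}
        bash_modification_info = list(mongo.db.telemetry.aggregate(T1156.query))

        # One flag per matching telemetry entry: result[1] is the success flag
        # the pre-change code read; USED if any entry succeeded, SCANNED if all
        # failed, UNSCANNED if nothing matched.
        successes = [node['result'][1] for node in bash_modification_info]
        if not successes:
            status = ScanStatus.UNSCANNED.value
        elif any(successes):
            status = ScanStatus.USED.value
        else:
            status = ScanStatus.SCANNED.value

        # Keep the pre-change report shape: only the command output, '#' stripped.
        for node in bash_modification_info:
            node['result'] = node['result'][0].replace('#', '')

        data.update(T1156.get_base_data_by_status(status))
        data.update({'info': bash_modification_info})
        return data
```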
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
index 34e25323e..396067f17 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
@@ -1,5 +1,5 @@
 from monkey_island.cc.services.attack.technique_reports import AttackTechnique
-from monkey_island.cc.services.reporting.report import ReportService
+from monkey_island.cc.database import mongo
 from common.utils.attack_utils import ScanStatus
 from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
@@ -9,30 +9,30 @@ __author__ = "shreyamalviya"
 class T1504(AttackTechnique):
 tech_id = "T1504"
- unscanned_msg = "Monkey did not try modifying Window's shell startup files on the system."
- scanned_msg = "Monkey tried modifying Window's shell startup files on the system but failed."
- used_msg = "Monkey modified Window's shell startup files on the system."
+ unscanned_msg = "Monkey did not try modifying powershell startup files on the system."
+ scanned_msg = "Monkey tried modifying powershell startup files on the system but failed."
+ used_msg = "Monkey modified powershell startup files on the system."
+
+ query = [{'$match': {'telem_category': 'post_breach',
+ 'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
+ 'data.command': {'$regex': 'powershell'}}},
+ {'$project': {'_id': 0,
+ 'machine': {'hostname': '$data.hostname',
+ 'ips': ['$data.ip']},
+ 'result': '$data.result'}}]
 @staticmethod
 def get_report_data():
 data = {'title': T1504.technique_title(), 'info': []}
- scanned_nodes = ReportService.get_scanned()
- status = ScanStatus.UNSCANNED.value
+ powershell_profile_modification_info = list(mongo.db.telemetry.aggregate(T1504.query))
- for node in scanned_nodes:
- if node['pba_results'] != 'None':
- for pba in node['pba_results']:
- if pba['name'] == POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION:
- if 'powershell.exe' in pba['command']:
- status = ScanStatus.USED.value if pba['result'][1]\
- else ScanStatus.SCANNED.value
- data['info'].append({
- 'machine': {
- 'hostname': pba['hostname'],
- 'ips': node['ip_addresses']
- },
- 'result': pba['result'][0].replace('#', '')
- })
- data.update(T1504.get_base_data_by_status(status))
+ status = []
+ for pba_node in powershell_profile_modification_info:
+ status.append(pba_node['result'][1])
+ status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
+ if status else ScanStatus.UNSCANNED.value
+
+ data.update(T1504.get_base_data_by_status(status))
+ data.update({'info': powershell_profile_modification_info})
 return data
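Review bot: The `$match` filter `'data.command': {'$regex': 'powershell'}` is an unanchored, case-sensitive substring match, and the removed `'powershell.exe' in pba['command']` check was case-sensitive too, so behaviour is preserved — but a command recorded as `PowerShell.exe` would be missed by both. If that spelling can occur in the telemetry, `{'$regex': 'powershell', '$options': 'i'}` covers it; the `'bash'` match in T1156 has the same property. A short comment on the `query` attribute, e.g. `# Only PBA telemetry whose command ran through powershell is attributed to T1504`, would also make the split between this report and T1156 explicit.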