Use mongo search for report data

(For linux, shows only bash startup files in ATT&CK report)
This commit is contained in:
Shreya 2020-06-22 17:58:12 +05:30
parent 7459105bbc
commit 6f6bfca9f9
2 changed files with 42 additions and 42 deletions

View File

@ -1,5 +1,5 @@
from monkey_island.cc.services.attack.technique_reports import AttackTechnique from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from monkey_island.cc.services.reporting.report import ReportService from monkey_island.cc.database import mongo
from common.utils.attack_utils import ScanStatus from common.utils.attack_utils import ScanStatus
from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
@ -9,30 +9,30 @@ __author__ = "shreyamalviya"
class T1156(AttackTechnique): class T1156(AttackTechnique):
tech_id = "T1156" tech_id = "T1156"
unscanned_msg = "Monkey did not try modifying Linux's shell startup files on the system." unscanned_msg = "Monkey did not try modifying bash startup files on the system."
scanned_msg = "Monkey tried modifying Linux's shell startup files on the system but failed." scanned_msg = "Monkey tried modifying bash startup files on the system but failed."
used_msg = "Monkey modified Linux's shell startup files on the system." used_msg = "Monkey modified bash startup files on the system."
query = [{'$match': {'telem_category': 'post_breach',
'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
'data.command': {'$regex': 'bash'}}},
{'$project': {'_id': 0,
'machine': {'hostname': '$data.hostname',
'ips': ['$data.ip']},
'result': '$data.result'}}]
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
data = {'title': T1156.technique_title(), 'info': []} data = {'title': T1156.technique_title(), 'info': []}
scanned_nodes = ReportService.get_scanned() bash_modification_info = list(mongo.db.telemetry.aggregate(T1156.query))
status = ScanStatus.UNSCANNED.value
for node in scanned_nodes: status = []
if node['pba_results'] != 'None': for pba_node in bash_modification_info:
for pba in node['pba_results']: status.append(pba_node['result'][1])
if pba['name'] == POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION: status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
if 'powershell.exe' not in pba['command']: if status else ScanStatus.UNSCANNED.value
status = ScanStatus.USED.value if pba['result'][1]\
else ScanStatus.SCANNED.value data.update(T1156.get_base_data_by_status(status))
data['info'].append({ data.update({'info': bash_modification_info})
'machine': {
'hostname': pba['hostname'],
'ips': node['ip_addresses']
},
'result': pba['result'][0].replace('#', '')
})
data.update(T1156.get_base_data_by_status(status))
return data return data

View File

@ -1,5 +1,5 @@
from monkey_island.cc.services.attack.technique_reports import AttackTechnique from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from monkey_island.cc.services.reporting.report import ReportService from monkey_island.cc.database import mongo
from common.utils.attack_utils import ScanStatus from common.utils.attack_utils import ScanStatus
from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
@ -9,30 +9,30 @@ __author__ = "shreyamalviya"
class T1504(AttackTechnique): class T1504(AttackTechnique):
tech_id = "T1504" tech_id = "T1504"
unscanned_msg = "Monkey did not try modifying Window's shell startup files on the system." unscanned_msg = "Monkey did not try modifying powershell startup files on the system."
scanned_msg = "Monkey tried modifying Window's shell startup files on the system but failed." scanned_msg = "Monkey tried modifying powershell startup files on the system but failed."
used_msg = "Monkey modified Window's shell startup files on the system." used_msg = "Monkey modified powershell startup files on the system."
query = [{'$match': {'telem_category': 'post_breach',
'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
'data.command': {'$regex': 'powershell'}}},
{'$project': {'_id': 0,
'machine': {'hostname': '$data.hostname',
'ips': ['$data.ip']},
'result': '$data.result'}}]
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
data = {'title': T1504.technique_title(), 'info': []} data = {'title': T1504.technique_title(), 'info': []}
scanned_nodes = ReportService.get_scanned() powershell_profile_modification_info = list(mongo.db.telemetry.aggregate(T1504.query))
status = ScanStatus.UNSCANNED.value
for node in scanned_nodes: status = []
if node['pba_results'] != 'None': for pba_node in powershell_profile_modification_info:
for pba in node['pba_results']: status.append(pba_node['result'][1])
if pba['name'] == POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION: status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
if 'powershell.exe' in pba['command']: if status else ScanStatus.UNSCANNED.value
status = ScanStatus.USED.value if pba['result'][1]\
else ScanStatus.SCANNED.value data.update(T1504.get_base_data_by_status(status))
data['info'].append({ data.update({'info': powershell_profile_modification_info})
'machine': {
'hostname': pba['hostname'],
'ips': node['ip_addresses']
},
'result': pba['result'][0].replace('#', '')
})
data.update(T1504.get_base_data_by_status(status))
return data return data