forked from p34709852/monkey
Merge remote-tracking branch 'upstream/develop' into password_setup
# Conflicts: # .travis.yml
This commit is contained in:
commit
7462c1c701
|
@ -65,7 +65,7 @@ script:
|
|||
- cd monkey_island/cc/ui
|
||||
- npm ci # See https://docs.npmjs.com/cli/ci.html
|
||||
- eslint ./src --quiet # Test for errors
|
||||
- JS_WARNINGS_AMOUNT_UPPER_LIMIT=500
|
||||
- JS_WARNINGS_AMOUNT_UPPER_LIMIT=90
|
||||
- eslint ./src --max-warnings $JS_WARNINGS_AMOUNT_UPPER_LIMIT # Test for max warnings
|
||||
|
||||
after_success:
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
POST_BREACH_COMMUNICATE_AS_NEW_USER = "Communicate as new user"
|
||||
POST_BREACH_BACKDOOR_USER = "Backdoor user"
|
||||
POST_BREACH_FILE_EXECUTION = "File execution"
|
||||
POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION = "Modify shell startup file"
|
||||
POST_BREACH_HIDDEN_FILES = "Hide files and directories"
|
||||
|
|
|
@ -0,0 +1,37 @@
|
|||
from common.data.post_breach_consts import POST_BREACH_HIDDEN_FILES
|
||||
from infection_monkey.post_breach.pba import PBA
|
||||
from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
|
||||
from infection_monkey.utils.hidden_files import\
|
||||
get_commands_to_hide_files,\
|
||||
get_commands_to_hide_folders,\
|
||||
cleanup_hidden_files,\
|
||||
get_winAPI_to_hide_files
|
||||
from infection_monkey.utils.environment import is_windows_os
|
||||
|
||||
|
||||
HIDDEN_FSO_CREATION_COMMANDS = [get_commands_to_hide_files,
|
||||
get_commands_to_hide_folders]
|
||||
|
||||
|
||||
class HiddenFiles(PBA):
|
||||
"""
|
||||
This PBA attempts to create hidden files and folders.
|
||||
"""
|
||||
|
||||
def __init__(self):
|
||||
super(HiddenFiles, self).__init__(name=POST_BREACH_HIDDEN_FILES)
|
||||
|
||||
def run(self):
|
||||
# create hidden files and folders
|
||||
for function_to_get_commands in HIDDEN_FSO_CREATION_COMMANDS:
|
||||
linux_cmds, windows_cmds = function_to_get_commands()
|
||||
super(HiddenFiles, self).__init__(name=POST_BREACH_HIDDEN_FILES,
|
||||
linux_cmd=' '.join(linux_cmds),
|
||||
windows_cmd=windows_cmds)
|
||||
super(HiddenFiles, self).run()
|
||||
if is_windows_os(): # use winAPI
|
||||
result, status = get_winAPI_to_hide_files()
|
||||
PostBreachTelem(self, (result, status)).send()
|
||||
|
||||
# cleanup hidden files and folders
|
||||
cleanup_hidden_files(is_windows_os())
|
|
@ -0,0 +1,44 @@
|
|||
from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
|
||||
from infection_monkey.post_breach.pba import PBA
|
||||
from infection_monkey.post_breach.shell_startup_files.shell_startup_files_modification import\
|
||||
get_commands_to_modify_shell_startup_files
|
||||
|
||||
|
||||
class ModifyShellStartupFiles(PBA):
|
||||
"""
|
||||
This PBA attempts to modify shell startup files,
|
||||
like ~/.profile, ~/.bashrc, ~/.bash_profile in linux,
|
||||
and profile.ps1 in windows.
|
||||
"""
|
||||
|
||||
def run(self):
|
||||
[pba.run() for pba in self.modify_shell_startup_PBA_list()]
|
||||
|
||||
def modify_shell_startup_PBA_list(self):
|
||||
return ShellStartupPBAGenerator.get_modify_shell_startup_pbas()
|
||||
|
||||
|
||||
class ShellStartupPBAGenerator():
|
||||
def get_modify_shell_startup_pbas():
|
||||
(cmds_for_linux, shell_startup_files_for_linux, usernames_for_linux),\
|
||||
(cmds_for_windows, shell_startup_files_per_user_for_windows) = get_commands_to_modify_shell_startup_files()
|
||||
|
||||
pbas = []
|
||||
|
||||
for startup_file_per_user in shell_startup_files_per_user_for_windows:
|
||||
windows_cmds = ' '.join(cmds_for_windows).format(startup_file_per_user)
|
||||
pbas.append(ModifyShellStartupFile(linux_cmds='', windows_cmds=['powershell.exe', windows_cmds]))
|
||||
|
||||
for username in usernames_for_linux:
|
||||
for shell_startup_file in shell_startup_files_for_linux:
|
||||
linux_cmds = ' '.join(cmds_for_linux).format(shell_startup_file).format(username)
|
||||
pbas.append(ModifyShellStartupFile(linux_cmds=linux_cmds, windows_cmds=''))
|
||||
|
||||
return pbas
|
||||
|
||||
|
||||
class ModifyShellStartupFile(PBA):
|
||||
def __init__(self, linux_cmds, windows_cmds):
|
||||
super(ModifyShellStartupFile, self).__init__(name=POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
|
||||
linux_cmd=linux_cmds,
|
||||
windows_cmd=windows_cmds)
|
|
@ -57,11 +57,12 @@ class PBA(Plugin):
|
|||
"""
|
||||
Runs post breach action command
|
||||
"""
|
||||
exec_funct = self._execute_default
|
||||
result = exec_funct()
|
||||
if self.scripts_were_used_successfully(result):
|
||||
T1064Telem(ScanStatus.USED, "Scripts were used to execute %s post breach action." % self.name).send()
|
||||
PostBreachTelem(self, result).send()
|
||||
if self.command:
|
||||
exec_funct = self._execute_default
|
||||
result = exec_funct()
|
||||
if self.scripts_were_used_successfully(result):
|
||||
T1064Telem(ScanStatus.USED, "Scripts were used to execute %s post breach action." % self.name).send()
|
||||
PostBreachTelem(self, result).send()
|
||||
|
||||
def is_script(self):
|
||||
"""
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
import subprocess
|
||||
from infection_monkey.utils.environment import is_windows_os
|
||||
|
||||
|
||||
def get_linux_commands_to_modify_shell_startup_files():
|
||||
if is_windows_os():
|
||||
return '', [], []
|
||||
|
||||
HOME_DIR = "/home/"
|
||||
|
||||
# get list of usernames
|
||||
USERS = subprocess.check_output( # noqa: DUO116
|
||||
"cut -d: -f1,3 /etc/passwd | egrep ':[0-9]{4}$' | cut -d: -f1",
|
||||
shell=True
|
||||
).decode().split('\n')[:-1]
|
||||
|
||||
# get list of paths of different shell startup files with place for username
|
||||
STARTUP_FILES = [
|
||||
file_path.format(HOME_DIR) for file_path in
|
||||
[
|
||||
"{0}{{0}}/.profile", # bash, dash, ksh, sh
|
||||
"{0}{{0}}/.bashrc", # bash
|
||||
"{0}{{0}}/.bash_profile",
|
||||
"{0}{{0}}/.config/fish/config.fish", # fish
|
||||
"{0}{{0}}/.zshrc", # zsh
|
||||
"{0}{{0}}/.zshenv",
|
||||
"{0}{{0}}/.zprofile",
|
||||
"{0}{{0}}/.kshrc", # ksh
|
||||
"{0}{{0}}/.tcshrc", # tcsh
|
||||
"{0}{{0}}/.cshrc", # csh
|
||||
]
|
||||
]
|
||||
|
||||
return [
|
||||
'3<{0} 3<&- &&', # check for existence of file
|
||||
'echo \"# Succesfully modified {0}\" |',
|
||||
'tee -a {0} &&', # append to file
|
||||
'sed -i \'$d\' {0}', # remove last line of file (undo changes)
|
||||
], STARTUP_FILES, USERS
|
|
@ -0,0 +1,10 @@
|
|||
from infection_monkey.post_breach.shell_startup_files.linux.shell_startup_files_modification import\
|
||||
get_linux_commands_to_modify_shell_startup_files
|
||||
from infection_monkey.post_breach.shell_startup_files.windows.shell_startup_files_modification import\
|
||||
get_windows_commands_to_modify_shell_startup_files
|
||||
|
||||
|
||||
def get_commands_to_modify_shell_startup_files():
|
||||
linux_cmds = get_linux_commands_to_modify_shell_startup_files()
|
||||
windows_cmds = get_windows_commands_to_modify_shell_startup_files()
|
||||
return linux_cmds, windows_cmds
|
|
@ -0,0 +1,27 @@
|
|||
import subprocess
|
||||
from infection_monkey.utils.environment import is_windows_os
|
||||
|
||||
|
||||
def get_windows_commands_to_modify_shell_startup_files():
|
||||
if not is_windows_os():
|
||||
return '', []
|
||||
|
||||
# get powershell startup file path
|
||||
SHELL_STARTUP_FILE = subprocess.check_output('powershell $Profile').decode().split("\r\n")[0]
|
||||
SHELL_STARTUP_FILE_PATH_COMPONENTS = SHELL_STARTUP_FILE.split("\\")
|
||||
|
||||
# get list of usernames
|
||||
USERS = subprocess.check_output('dir C:\\Users /b', shell=True).decode().split("\r\n")[:-1] # noqa: DUO116
|
||||
|
||||
STARTUP_FILES_PER_USER = ['\\'.join(SHELL_STARTUP_FILE_PATH_COMPONENTS[:2] +
|
||||
[user] +
|
||||
SHELL_STARTUP_FILE_PATH_COMPONENTS[3:])
|
||||
for user in USERS]
|
||||
|
||||
return [
|
||||
'Add-Content {0}',
|
||||
'\"# Successfully modified {0}\" ;', # add line to $profile
|
||||
'cat {0} | Select -last 1 ;', # print last line of $profile
|
||||
'$OldProfile = cat {0} | Select -skiplast 1 ;',
|
||||
'Set-Content {0} -Value $OldProfile ;' # remove last line of $profile
|
||||
], STARTUP_FILES_PER_USER
|
|
@ -0,0 +1,29 @@
|
|||
import subprocess
|
||||
from infection_monkey.utils.linux.hidden_files import\
|
||||
get_linux_commands_to_hide_files,\
|
||||
get_linux_commands_to_hide_folders,\
|
||||
get_linux_commands_to_delete
|
||||
from infection_monkey.utils.windows.hidden_files import\
|
||||
get_windows_commands_to_hide_files,\
|
||||
get_windows_commands_to_hide_folders,\
|
||||
get_winAPI_to_hide_files,\
|
||||
get_windows_commands_to_delete
|
||||
from infection_monkey.utils.environment import is_windows_os
|
||||
|
||||
|
||||
def get_commands_to_hide_files():
|
||||
linux_cmds = get_linux_commands_to_hide_files()
|
||||
windows_cmds = get_windows_commands_to_hide_files()
|
||||
return linux_cmds, windows_cmds
|
||||
|
||||
|
||||
def get_commands_to_hide_folders():
|
||||
linux_cmds = get_linux_commands_to_hide_folders()
|
||||
windows_cmds = get_windows_commands_to_hide_folders()
|
||||
return linux_cmds, windows_cmds
|
||||
|
||||
|
||||
def cleanup_hidden_files(is_windows=is_windows_os()):
|
||||
subprocess.run(get_windows_commands_to_delete() if is_windows # noqa: DUO116
|
||||
else ' '.join(get_linux_commands_to_delete()),
|
||||
shell=True)
|
|
@ -0,0 +1,34 @@
|
|||
HIDDEN_FILE = '$HOME/.monkey-hidden-file'
|
||||
HIDDEN_FOLDER = '$HOME/.monkey-hidden-folder'
|
||||
|
||||
|
||||
def get_linux_commands_to_hide_files():
|
||||
return [
|
||||
'touch', # create file
|
||||
HIDDEN_FILE,
|
||||
'&&'
|
||||
'echo \"Successfully created hidden file: {}\" |'.format(HIDDEN_FILE), # output
|
||||
'tee -a', # and write to file
|
||||
HIDDEN_FILE
|
||||
]
|
||||
|
||||
|
||||
def get_linux_commands_to_hide_folders():
|
||||
return [
|
||||
'mkdir', # make directory
|
||||
HIDDEN_FOLDER,
|
||||
'&& touch', # create file
|
||||
'{}/{}'.format(HIDDEN_FOLDER, 'some-file'), # random file in hidden folder
|
||||
'&& echo \"Successfully created hidden folder: {}\" |'.format(HIDDEN_FOLDER), # output
|
||||
'tee -a', # and write to file
|
||||
'{}/{}'.format(HIDDEN_FOLDER, 'some-file') # random file in hidden folder
|
||||
]
|
||||
|
||||
|
||||
def get_linux_commands_to_delete():
|
||||
return [
|
||||
'rm', # remove
|
||||
'-rf', # force delete recursively
|
||||
HIDDEN_FILE,
|
||||
HIDDEN_FOLDER
|
||||
]
|
|
@ -0,0 +1,81 @@
|
|||
import os
|
||||
|
||||
|
||||
HOME_PATH = os.path.expanduser("~")
|
||||
|
||||
HIDDEN_FILE = HOME_PATH + "\\monkey-hidden-file"
|
||||
HIDDEN_FOLDER = HOME_PATH + "\\monkey-hidden-folder"
|
||||
HIDDEN_FILE_WINAPI = HOME_PATH + "\\monkey-hidden-file-winAPI"
|
||||
|
||||
|
||||
def get_windows_commands_to_hide_files():
|
||||
return [
|
||||
'echo',
|
||||
'Successfully created hidden file: {}'.format(HIDDEN_FILE), # create empty file
|
||||
'>',
|
||||
HIDDEN_FILE,
|
||||
'&&',
|
||||
'attrib', # change file attributes
|
||||
'+h', # hidden attribute
|
||||
'+s', # system attribute
|
||||
HIDDEN_FILE,
|
||||
'&&',
|
||||
'type',
|
||||
HIDDEN_FILE
|
||||
]
|
||||
|
||||
|
||||
def get_windows_commands_to_hide_folders():
|
||||
return [
|
||||
'mkdir',
|
||||
HIDDEN_FOLDER, # make directory
|
||||
'&&',
|
||||
'attrib',
|
||||
'+h', # hidden attribute
|
||||
'+s', # system attribute
|
||||
HIDDEN_FOLDER, # change file attributes
|
||||
'&&',
|
||||
'echo',
|
||||
'Successfully created hidden folder: {}'.format(HIDDEN_FOLDER),
|
||||
'>',
|
||||
'{}\\{}'.format(HIDDEN_FOLDER, 'some-file'),
|
||||
'&&',
|
||||
'type',
|
||||
'{}\\{}'.format(HIDDEN_FOLDER, 'some-file')
|
||||
]
|
||||
|
||||
|
||||
def get_winAPI_to_hide_files():
|
||||
import win32file
|
||||
try:
|
||||
fileAccess = win32file.GENERIC_READ | win32file.GENERIC_WRITE # read-write access
|
||||
fileCreation = win32file.CREATE_ALWAYS # overwrite existing file
|
||||
fileFlags = win32file.FILE_ATTRIBUTE_HIDDEN # make hidden
|
||||
|
||||
hiddenFile = win32file.CreateFile(HIDDEN_FILE_WINAPI,
|
||||
fileAccess,
|
||||
0, # sharing mode: 0 => can't be shared
|
||||
None, # security attributes
|
||||
fileCreation,
|
||||
fileFlags,
|
||||
0) # template file
|
||||
|
||||
return "Succesfully created hidden file: {}".format(HIDDEN_FILE_WINAPI), True
|
||||
except Exception as err:
|
||||
return str(err), False
|
||||
|
||||
|
||||
def get_windows_commands_to_delete():
|
||||
return [
|
||||
'powershell.exe',
|
||||
'del', # delete file
|
||||
'-Force',
|
||||
HIDDEN_FILE,
|
||||
',',
|
||||
HIDDEN_FILE_WINAPI,
|
||||
';',
|
||||
'rmdir', # delete folder
|
||||
'-Force',
|
||||
'-Recurse',
|
||||
HIDDEN_FOLDER
|
||||
]
|
|
@ -4,7 +4,7 @@ from monkey_island.cc.models import Monkey
|
|||
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
|
||||
from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
|
||||
from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016, T1021, T1064
|
||||
from monkey_island.cc.services.attack.technique_reports import T1136
|
||||
from monkey_island.cc.services.attack.technique_reports import T1136, T1156, T1504, T1158
|
||||
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
||||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.reporting.report_generation_synchronisation import safe_generate_attack_report
|
||||
|
@ -37,7 +37,10 @@ TECHNIQUES = {'T1210': T1210.T1210,
|
|||
'T1016': T1016.T1016,
|
||||
'T1021': T1021.T1021,
|
||||
'T1064': T1064.T1064,
|
||||
'T1136': T1136.T1136
|
||||
'T1136': T1136.T1136,
|
||||
'T1156': T1156.T1156,
|
||||
'T1504': T1504.T1504,
|
||||
'T1158': T1158.T1158
|
||||
}
|
||||
|
||||
REPORT_NAME = 'new_report'
|
||||
|
|
|
@ -71,6 +71,16 @@ SCHEMA = {
|
|||
"type": "object",
|
||||
"link": "https://attack.mitre.org/tactics/TA0003/",
|
||||
"properties": {
|
||||
"T1156": {
|
||||
"title": ".bash_profile and .bashrc",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": False,
|
||||
"link": "https://attack.mitre.org/techniques/T1156",
|
||||
"description": "Adversaries may abuse shell scripts by "
|
||||
"inserting arbitrary shell commands to gain persistence, which "
|
||||
"would be executed every time the user logs in or opens a new shell."
|
||||
},
|
||||
"T1136": {
|
||||
"title": "Create account",
|
||||
"type": "bool",
|
||||
|
@ -79,6 +89,26 @@ SCHEMA = {
|
|||
"link": "https://attack.mitre.org/techniques/T1136",
|
||||
"description": "Adversaries with a sufficient level of access "
|
||||
"may create a local system, domain, or cloud tenant account."
|
||||
},
|
||||
"T1158": {
|
||||
"title": "Hidden files and directories",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": False,
|
||||
"link": "https://attack.mitre.org/techniques/T1158",
|
||||
"description": "Adversaries can hide files and folders on the system "
|
||||
"and evade a typical user or system analysis that does not "
|
||||
"incorporate investigation of hidden files."
|
||||
},
|
||||
"T1504": {
|
||||
"title": "PowerShell profile",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": False,
|
||||
"link": "https://attack.mitre.org/techniques/T1504",
|
||||
"description": "Adversaries may gain persistence and elevate privileges "
|
||||
"in certain situations by abusing PowerShell profiles which "
|
||||
"are scripts that run when PowerShell starts."
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from monkey_island.cc.database import mongo
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
|
||||
|
||||
|
||||
__author__ = "shreyamalviya"
|
||||
|
||||
|
||||
class T1156(AttackTechnique):
|
||||
tech_id = "T1156"
|
||||
unscanned_msg = "Monkey did not try modifying bash startup files on the system."
|
||||
scanned_msg = "Monkey tried modifying bash startup files on the system but failed."
|
||||
used_msg = "Monkey modified bash startup files on the system."
|
||||
|
||||
query = [{'$match': {'telem_category': 'post_breach',
|
||||
'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
|
||||
'data.command': {'$regex': 'bash'}}},
|
||||
{'$project': {'_id': 0,
|
||||
'machine': {'hostname': '$data.hostname',
|
||||
'ips': ['$data.ip']},
|
||||
'result': '$data.result'}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = {'title': T1156.technique_title(), 'info': []}
|
||||
|
||||
bash_modification_info = list(mongo.db.telemetry.aggregate(T1156.query))
|
||||
|
||||
status = []
|
||||
for pba_node in bash_modification_info:
|
||||
status.append(pba_node['result'][1])
|
||||
status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
|
||||
if status else ScanStatus.UNSCANNED.value
|
||||
|
||||
data.update(T1156.get_base_data_by_status(status))
|
||||
data.update({'info': bash_modification_info})
|
||||
return data
|
|
@ -0,0 +1,37 @@
|
|||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from monkey_island.cc.database import mongo
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from common.data.post_breach_consts import POST_BREACH_HIDDEN_FILES
|
||||
|
||||
|
||||
__author__ = "shreyamalviya"
|
||||
|
||||
|
||||
class T1158(AttackTechnique):
|
||||
tech_id = "T1158"
|
||||
unscanned_msg = "Monkey did not try creating hidden files or folders."
|
||||
scanned_msg = "Monkey tried creating hidden files and folders on the system but failed."
|
||||
used_msg = "Monkey created hidden files and folders on the system."
|
||||
|
||||
query = [{'$match': {'telem_category': 'post_breach',
|
||||
'data.name': POST_BREACH_HIDDEN_FILES}},
|
||||
{'$project': {'_id': 0,
|
||||
'machine': {'hostname': '$data.hostname',
|
||||
'ips': ['$data.ip']},
|
||||
'result': '$data.result'}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = {'title': T1158.technique_title(), 'info': []}
|
||||
|
||||
hidden_file_info = list(mongo.db.telemetry.aggregate(T1158.query))
|
||||
|
||||
status = []
|
||||
for pba_node in hidden_file_info:
|
||||
status.append(pba_node['result'][1])
|
||||
status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
|
||||
if status else ScanStatus.UNSCANNED.value
|
||||
|
||||
data.update(T1158.get_base_data_by_status(status))
|
||||
data.update({'info': hidden_file_info})
|
||||
return data
|
|
@ -0,0 +1,38 @@
|
|||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from monkey_island.cc.database import mongo
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
|
||||
|
||||
|
||||
__author__ = "shreyamalviya"
|
||||
|
||||
|
||||
class T1504(AttackTechnique):
|
||||
tech_id = "T1504"
|
||||
unscanned_msg = "Monkey did not try modifying powershell startup files on the system."
|
||||
scanned_msg = "Monkey tried modifying powershell startup files on the system but failed."
|
||||
used_msg = "Monkey modified powershell startup files on the system."
|
||||
|
||||
query = [{'$match': {'telem_category': 'post_breach',
|
||||
'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
|
||||
'data.command': {'$regex': 'powershell'}}},
|
||||
{'$project': {'_id': 0,
|
||||
'machine': {'hostname': '$data.hostname',
|
||||
'ips': ['$data.ip']},
|
||||
'result': '$data.result'}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = {'title': T1504.technique_title(), 'info': []}
|
||||
|
||||
powershell_profile_modification_info = list(mongo.db.telemetry.aggregate(T1504.query))
|
||||
|
||||
status = []
|
||||
for pba_node in powershell_profile_modification_info:
|
||||
status.append(pba_node['result'][1])
|
||||
status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
|
||||
if status else ScanStatus.UNSCANNED.value
|
||||
|
||||
data.update(T1504.get_base_data_by_status(status))
|
||||
data.update({'info': powershell_profile_modification_info})
|
||||
return data
|
|
@ -160,6 +160,22 @@ SCHEMA = {
|
|||
"title": "Communicate as new user",
|
||||
"attack_techniques": ["T1136"]
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"ModifyShellStartupFiles"
|
||||
],
|
||||
"title": "Modify shell startup files",
|
||||
"attack_techniques": ["T1156", "T1504"]
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"HiddenFiles"
|
||||
],
|
||||
"title": "Hidden files and directories",
|
||||
"attack_techniques": ["T1158"]
|
||||
}
|
||||
],
|
||||
},
|
||||
"finger_classes": {
|
||||
|
@ -379,7 +395,9 @@ SCHEMA = {
|
|||
},
|
||||
"default": [
|
||||
"BackdoorUser",
|
||||
"CommunicateAsNewUser"
|
||||
"CommunicateAsNewUser",
|
||||
"ModifyShellStartupFiles",
|
||||
"HiddenFiles"
|
||||
],
|
||||
"description": "List of actions the Monkey will run post breach"
|
||||
},
|
||||
|
|
|
@ -53,7 +53,7 @@
|
|||
"react/jsx-uses-react": 1,
|
||||
"react/jsx-uses-vars": 1,
|
||||
"react/jsx-key": 1,
|
||||
"react/prop-types": 1,
|
||||
"react/prop-types": 0,
|
||||
"react/no-unescaped-entities": 1,
|
||||
"react/no-unknown-property": [1, { "ignore": ["class"] }],
|
||||
"react/no-string-refs": 1,
|
||||
|
|
|
@ -0,0 +1,45 @@
|
|||
import React from 'react';
|
||||
import ReactTable from 'react-table';
|
||||
import {renderMachineFromSystemData, ScanStatus} from './Helpers';
|
||||
import MitigationsComponent from './MitigationsComponent';
|
||||
|
||||
class T1156 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
static getColumns() {
|
||||
return ([{
|
||||
columns: [
|
||||
{ Header: 'Machine',
|
||||
id: 'machine',
|
||||
accessor: x => renderMachineFromSystemData(x.machine),
|
||||
style: {'whiteSpace': 'unset'}},
|
||||
{ Header: 'Result',
|
||||
id: 'result',
|
||||
accessor: x => x.result,
|
||||
style: {'whiteSpace': 'unset'}}
|
||||
]
|
||||
}])
|
||||
}
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === ScanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1156.getColumns()}
|
||||
data={this.props.data.info}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.info.length}
|
||||
/> : ''}
|
||||
<MitigationsComponent mitigations={this.props.data.mitigations}/>
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1156;
|
|
@ -0,0 +1,45 @@
|
|||
import React from 'react';
|
||||
import ReactTable from 'react-table';
|
||||
import {renderMachineFromSystemData, ScanStatus} from './Helpers';
|
||||
import MitigationsComponent from './MitigationsComponent';
|
||||
|
||||
class T1158 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
static getColumns() {
|
||||
return ([{
|
||||
columns: [
|
||||
{ Header: 'Machine',
|
||||
id: 'machine',
|
||||
accessor: x => renderMachineFromSystemData(x.machine),
|
||||
style: {'whiteSpace': 'unset'}},
|
||||
{ Header: 'Result',
|
||||
id: 'result',
|
||||
accessor: x => x.result,
|
||||
style: {'whiteSpace': 'unset'}}
|
||||
]
|
||||
}])
|
||||
}
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === ScanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1158.getColumns()}
|
||||
data={this.props.data.info}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.info.length}
|
||||
/> : ''}
|
||||
<MitigationsComponent mitigations={this.props.data.mitigations}/>
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1158;
|
|
@ -0,0 +1,45 @@
|
|||
import React from 'react';
|
||||
import ReactTable from 'react-table';
|
||||
import {renderMachineFromSystemData, ScanStatus} from './Helpers';
|
||||
import MitigationsComponent from './MitigationsComponent';
|
||||
|
||||
class T1504 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
static getColumns() {
|
||||
return ([{
|
||||
columns: [
|
||||
{ Header: 'Machine',
|
||||
id: 'machine',
|
||||
accessor: x => renderMachineFromSystemData(x.machine),
|
||||
style: {'whiteSpace': 'unset'}},
|
||||
{ Header: 'Result',
|
||||
id: 'result',
|
||||
accessor: x => x.result,
|
||||
style: {'whiteSpace': 'unset'}}
|
||||
]
|
||||
}])
|
||||
}
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === ScanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1504.getColumns()}
|
||||
data={this.props.data.info}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.info.length}
|
||||
/> : ''}
|
||||
<MitigationsComponent mitigations={this.props.data.mitigations}/>
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1504;
|
Loading…
Reference in New Issue