From 80266f537d7d6746b92592868b10e421c9657ef2 Mon Sep 17 00:00:00 2001
From: VakarisZ
Date: Tue, 2 Apr 2019 09:30:41 +0300
Subject: [PATCH 1/4] Documented set_results method
---
 .../cc/services/attack/attack_telem.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 monkey/monkey_island/cc/services/attack/attack_telem.py
diff --git a/monkey/monkey_island/cc/services/attack/attack_telem.py b/monkey/monkey_island/cc/services/attack/attack_telem.py
new file mode 100644
index 000000000..295100c23
--- /dev/null
+++ b/monkey/monkey_island/cc/services/attack/attack_telem.py
@@ -0,0 +1,19 @@
+"""
+File that contains ATT&CK telemetry storing/retrieving logic
+"""
+import logging
+from cc.database import mongo
+
+__author__ = "VakarisZ"
+
+logger = logging.getLogger(__name__)
+
+
+def set_results(technique, data):
+ """
+ Adds ATT&CK technique results(telemetry) to the database
+ :param technique: technique ID string e.g. T1110
+ :param data: Data, relevant to the technique
+ """
+ data.update({'technique': technique})
+ mongo.db.attack_results.insert(data)
From 2e2b77226dc7a40627fcc99fa6ae36f1af15ac44 Mon Sep 17 00:00:00 2001
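Review bot: `set_results` writes the request body into `attack_results` without any validation, and `technique` is taken from the URL path as-is, so the only key in the stored document that the island itself controls is the `'technique'` it adds. Because this is fed by an agent-facing endpoint, I would reject a non-dict body and a malformed ID before the write, e.g. `if not isinstance(data, dict) or not re.fullmatch(r'T\d{4}', technique): raise ValueError('invalid ATT&CK telemetry')` (with an `import re`). `data.update(...)` also mutates the caller's dict; building a new document (`doc = dict(data, technique=technique)`) avoids that side effect. `insert` is the deprecated pymongo 2 call — `insert_one` is the current API — and `logger` is created but never used in the file.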
From: VakarisZ
Date: Tue, 2 Apr 2019 09:58:46 +0300
Subject: [PATCH 2/4] Added reverted telemetry files
---
 monkey/infection_monkey/monkey.py | 4 ++
 .../transport/attack_telems/__init__.py | 1 +
 .../transport/attack_telems/base_telem.py | 51 +++++++++++++++++++
 .../attack_telems/victim_host_telem.py | 21 ++++++++
 monkey/monkey_island/cc/app.py | 2 +
 .../cc/resources/attack_telem.py | 24 +++++++++
 .../cc/services/attack/__init__.py | 1 +
 7 files changed, 104 insertions(+)
 create mode 100644 monkey/infection_monkey/transport/attack_telems/__init__.py
 create mode 100644 monkey/infection_monkey/transport/attack_telems/base_telem.py
 create mode 100644 monkey/infection_monkey/transport/attack_telems/victim_host_telem.py
 create mode 100644 monkey/monkey_island/cc/resources/attack_telem.py
 create mode 100644 monkey/monkey_island/cc/services/attack/__init__.py
diff --git a/monkey/infection_monkey/monkey.py b/monkey/infection_monkey/monkey.py
index e80e15396..4d5d8f016 100644
--- a/monkey/infection_monkey/monkey.py
+++ b/monkey/infection_monkey/monkey.py
@@ -17,6 +17,8 @@ from infection_monkey.system_info import SystemInfoCollector
 from infection_monkey.system_singleton import SystemSingleton
 from infection_monkey.windows_upgrader import WindowsUpgrader
 from infection_monkey.post_breach.post_breach_handler import PostBreach
+from infection_monkey.transport.attack_telems.base_telem import ScanStatus
+from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
 __author__ = 'itamar'
@@ -179,9 +181,11 @@ class InfectionMonkey(object):
 for exploiter in [exploiter(machine) for exploiter in self._exploiters]:
 if self.try_exploiting(machine, exploiter):
 host_exploited = True
+ VictimHostTelem('T1210', ScanStatus.USED.value, machine=machine).send()
 break
 if not host_exploited:
 self._fail_exploitation_machines.add(machine)
+ VictimHostTelem('T1210', ScanStatus.SCANNED.value, machine=machine).send()
 if not self._keep_running:
 break
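Review bot: The technique ID `'T1210'` is repeated as a bare literal on both added lines of the second hunk, and the island side will have to spell the same string a third time to match it; a single named constant, e.g. `T1210 = 'T1210'` next to `ScanStatus`, keeps agent and island agreeing on the ID. The `SCANNED` telemetry on the second added line is sent whenever no exploiter returned success, whatever the reason; if that is the intended meaning of `ScanStatus.SCANNED`, a one-line comment such as `# every exploiter was attempted, none succeeded` would make it explicit. The enclosing method of `InfectionMonkey` starts and ends outside the hunk.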
diff --git a/monkey/infection_monkey/transport/attack_telems/__init__.py b/monkey/infection_monkey/transport/attack_telems/__init__.py
new file mode 100644
index 000000000..98867ed4d
--- /dev/null
+++ b/monkey/infection_monkey/transport/attack_telems/__init__.py
@@ -0,0 +1 @@
+__author__ = 'VakarisZ'
diff --git a/monkey/infection_monkey/transport/attack_telems/base_telem.py b/monkey/infection_monkey/transport/attack_telems/base_telem.py
new file mode 100644
index 000000000..054927a0d
--- /dev/null
+++ b/monkey/infection_monkey/transport/attack_telems/base_telem.py
@@ -0,0 +1,51 @@
+from enum import Enum
+from infection_monkey.config import WormConfiguration, GUID
+import requests
+import json
+from infection_monkey.control import ControlClient
+import logging
+
+__author__ = "VakarisZ"
+
+LOG = logging.getLogger(__name__)
+
+
+class ScanStatus(Enum):
+ # Technique wasn't scanned
+ UNSCANNED = 0
+ # Technique was attempted/scanned
+ SCANNED = 1
+ # Technique was attempted and succeeded
+ USED = 2
+
+
+class AttackTelem(object):
+
+ def __init__(self, technique, status, data=None):
+ """
+ Default ATT&CK telemetry constructor
+ :param technique: Technique ID. E.g. T111
+ :param status: int from ScanStatus Enum
+ :param data: Other data relevant to the attack technique
+ """
+ self.technique = technique
+ self.result = status
+ self.data = {'status': status, 'id': GUID}
+ if data:
+ self.data.update(data)
+
+ def send(self):
+ """
+ Sends telemetry to island
+ """
+ if not WormConfiguration.current_server:
+ return
+ try:
+ requests.post("https://%s/api/attack/%s" % (WormConfiguration.current_server, self.technique),
+ data=json.dumps(self.data),
+ headers={'content-type': 'application/json'},
+ verify=False,
+ proxies=ControlClient.proxies)
+ except Exception as exc:
+ LOG.warn("Error connecting to control server %s: %s",
+ WormConfiguration.current_server, exc)
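Review bot: `send()` posts with `verify=False`, which disables certificate verification for the island connection, so the telemetry channel has no protection against an intercepting proxy; that presumably mirrors how `ControlClient` already reaches the island (not visible here), but the reason belongs on that line, e.g. `verify=False,  # TODO(review): state why cert verification is skipped; keep in step with ControlClient`, so it is not copied further without thought. `LOG.warn` is the deprecated alias of `LOG.warning`. `self.result` is assigned in `__init__` but never read anywhere in this file; either drop it or document what consumes it. The docstring example `T111` is not a well-formed ATT&CK ID; `T1110`, as used in the island-side docstring, keeps the two consistent.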
diff --git a/monkey/infection_monkey/transport/attack_telems/victim_host_telem.py b/monkey/infection_monkey/transport/attack_telems/victim_host_telem.py
new file mode 100644
index 000000000..0782c2dfd
--- /dev/null
+++ b/monkey/infection_monkey/transport/attack_telems/victim_host_telem.py
@@ -0,0 +1,21 @@
+from infection_monkey.transport.attack_telems.base_telem import AttackTelem
+
+__author__ = "VakarisZ"
+
+
+class VictimHostTelem(AttackTelem):
+
+ def __init__(self, technique, status, machine, data=None):
+ """
+ ATT&CK telemetry that parses and sends VictimHost's (remote machine's) data
+ :param technique: Technique ID. E.g. T111
+ :param status: int from ScanStatus Enum
+ :param machine: VictimHost obj from model/host.py
+ :param data: Other data relevant to the attack technique
+ """
+ super(VictimHostTelem, self).__init__(technique, status, data)
+ victim_host = {'hostname': machine.domain_name, 'ip': machine.ip_addr}
+ if data:
+ self.data.update(data)
+ if machine:
+ self.data.update({'machine': victim_host})
diff --git a/monkey/monkey_island/cc/app.py b/monkey/monkey_island/cc/app.py
index d43930206..e8238185e 100644
--- a/monkey/monkey_island/cc/app.py
+++ b/monkey/monkey_island/cc/app.py
@@ -30,6 +30,7 @@ from cc.resources.telemetry_feed import TelemetryFeed
 from cc.resources.pba_file_download import PBAFileDownload
 from cc.services.config import ConfigService
 from cc.resources.pba_file_upload import FileUpload
+from cc.resources.attack_telem import AttackTelem
 __author__ = 'Barak'
@@ -123,5 +124,6 @@ def init_app(mongo_url):
 '/api/fileUpload/?load=',
 '/api/fileUpload/?restore=')
 api.add_resource(RemoteRun, '/api/remote-monkey', '/api/remote-monkey/')
+ api.add_resource(AttackTelem, '/api/attack/')
 return app
diff --git a/monkey/monkey_island/cc/resources/attack_telem.py b/monkey/monkey_island/cc/resources/attack_telem.py
new file mode 100644
index 000000000..0dfa013e8
--- /dev/null
+++ b/monkey/monkey_island/cc/resources/attack_telem.py
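Review bot: The route added in the second app.py hunk, `'/api/attack/'`, declares no URL parameter, but `AttackTelem.post(self, technique)` requires one and the agent in this series posts to `https://<island>/api/attack/<technique>`; as registered, the agent's URL would not match this resource and a POST to `/api/attack/` itself would be dispatched without `technique` and fail with a TypeError. Register it as `api.add_resource(AttackTelem, '/api/attack/<string:technique>')`. I cannot see from the hunk whether the island's other agent-facing resources are wrapped in an authentication decorator; if they are, this new resource should receive the same treatment. `init_app` starts outside the hunk.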
@@ -0,0 +1,24 @@
+import flask_restful
+from flask import request
+import json
+from cc.services.attack.attack_telem import set_results
+import logging
+
+__author__ = 'VakarisZ'
+
+LOG = logging.getLogger(__name__)
+
+
+class AttackTelem(flask_restful.Resource):
+ """
+ ATT&CK endpoint used to retrieve matrix related info from monkey
+ """
+
+ def post(self, technique):
+ """
+ Gets ATT&CK telemetry data and stores it in the database
+ :param technique: Technique ID, e.g. T1111
+ """
+ data = json.loads(request.data)
+ set_results(technique, data)
+ return {}
diff --git a/monkey/monkey_island/cc/services/attack/__init__.py b/monkey/monkey_island/cc/services/attack/__init__.py
new file mode 100644
index 000000000..98867ed4d
--- /dev/null
+++ b/monkey/monkey_island/cc/services/attack/__init__.py
@@ -0,0 +1 @@
+__author__ = 'VakarisZ'
From 77b14177c5f215580f80be9c453b6248b7a5f5be Mon Sep 17 00:00:00 2001
From: VakarisZ
Date: Tue, 2 Apr 2019 11:08:56 +0300
Subject: [PATCH 3/4] Moved attack scan status enum to common
---
 monkey/common/utils/attack_status_enum.py | 10 ++++++++++
 monkey/infection_monkey/monkey.py | 2 +-
 .../transport/attack_telems/base_telem.py | 10 ----------
 3 files changed, 11 insertions(+), 11 deletions(-)
 create mode 100644 monkey/common/utils/attack_status_enum.py
diff --git a/monkey/common/utils/attack_status_enum.py b/monkey/common/utils/attack_status_enum.py
new file mode 100644
index 000000000..c7d2dc62c
--- /dev/null
+++ b/monkey/common/utils/attack_status_enum.py
@@ -0,0 +1,10 @@
+from enum import Enum
+
+
+class ScanStatus(Enum):
+ # Technique wasn't scanned
+ UNSCANNED = 0
+ # Technique was attempted/scanned
+ SCANNED = 1
+ # Technique was attempted and succeeded
+ USED = 2
diff --git a/monkey/infection_monkey/monkey.py b/monkey/infection_monkey/monkey.py
index 4d5d8f016..841a5521d 100644
--- a/monkey/infection_monkey/monkey.py
+++ b/monkey/infection_monkey/monkey.py
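Review bot: `post` hands whatever `json.loads(request.data)` produces straight to `set_results`, so a body that is valid JSON but not an object (a list, a string, a number) reaches the service's `data.update` and surfaces as a 500 instead of a 400, and a malformed body raises out of `json.loads` the same way. Prefer `data = request.get_json(force=True, silent=True)` followed by `if not isinstance(data, dict): return {}, 400` so the boundary rejects bad input explicitly. The class docstring says the endpoint is used "to retrieve matrix related info", but its only method stores telemetry; something like `ATT&CK endpoint the monkey posts technique telemetry to` describes what the code does. `LOG` is created but never used in the file.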
@@ -17,7 +17,7 @@ from infection_monkey.system_info import SystemInfoCollector
 from infection_monkey.system_singleton import SystemSingleton
 from infection_monkey.windows_upgrader import WindowsUpgrader
 from infection_monkey.post_breach.post_breach_handler import PostBreach
-from infection_monkey.transport.attack_telems.base_telem import ScanStatus
+from common.utils.attack_status_enum import ScanStatus
 from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
 __author__ = 'itamar'
diff --git a/monkey/infection_monkey/transport/attack_telems/base_telem.py b/monkey/infection_monkey/transport/attack_telems/base_telem.py
index 054927a0d..9d0275356 100644
--- a/monkey/infection_monkey/transport/attack_telems/base_telem.py
+++ b/monkey/infection_monkey/transport/attack_telems/base_telem.py
@@ -1,4 +1,3 @@
-from enum import Enum
 from infection_monkey.config import WormConfiguration, GUID
 import requests
 import json
@@ -10,15 +9,6 @@ __author__ = "VakarisZ"
 LOG = logging.getLogger(__name__)
-class ScanStatus(Enum):
- # Technique wasn't scanned
- UNSCANNED = 0
- # Technique was attempted/scanned
- SCANNED = 1
- # Technique was attempted and succeeded
- USED = 2
-
-
 class AttackTelem(object):
 def __init__(self, technique, status, data=None):
From 4ee8b650c8c7c738d630819b4196e3881a5848b3 Mon Sep 17 00:00:00 2001
From: VakarisZ
Date: Tue, 2 Apr 2019 14:54:20 +0300
Subject: [PATCH 4/4] Removed redundant code in VictimHostTelem
---
 .../transport/attack_telems/victim_host_telem.py | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/monkey/infection_monkey/transport/attack_telems/victim_host_telem.py b/monkey/infection_monkey/transport/attack_telems/victim_host_telem.py
index 0782c2dfd..ecab5a648 100644
--- a/monkey/infection_monkey/transport/attack_telems/victim_host_telem.py
+++ b/monkey/infection_monkey/transport/attack_telems/victim_host_telem.py
@@ -15,7 +15,4 @@ class VictimHostTelem(AttackTelem):
 """
 super(VictimHostTelem, self).__init__(technique, status, data)
 victim_host = {'hostname': machine.domain_name, 'ip': machine.ip_addr}
- if data:
- self.data.update(data)
- if machine:
- self.data.update({'machine': victim_host})
+ self.data.update({'machine': victim_host})
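Review bot: With the `if machine:` guard removed, `machine` is dereferenced unconditionally on the `victim_host = ...` context line, so passing `None` now raises AttributeError from the constructor; that is reasonable if the parameter is mandatory, but the docstring just above (outside the hunk) still reads like an ordinary parameter, so I would make it `:param machine: VictimHost obj from model/host.py (required; its domain_name and ip_addr are reported)`. `VictimHostTelem.__init__` starts outside the hunk.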