Change logic for checking technique status
This commit is contained in:
parent
76aae1faec
commit
98ef46b4ec
|
@ -19,10 +19,15 @@ class T1003(AttackTechnique):
|
|||
@staticmethod
|
||||
def get_report_data():
|
||||
data = {'title': T1003.technique_title()}
|
||||
if mongo.db.telemetry.count_documents(T1003.query):
|
||||
status = ScanStatus.USED.value
|
||||
|
||||
if not T1003.is_enabled_in_config():
|
||||
status = ScanStatus.DISABLED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
if mongo.db.telemetry.count_documents(T1003.query):
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
|
||||
data.update(T1003.get_message_and_status(status))
|
||||
data.update(T1003.get_mitigation_by_status(status))
|
||||
data['stolen_creds'] = ReportService.get_stolen_creds()
|
||||
|
|
|
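Review bot: `data['stolen_creds'] = ReportService.get_stolen_creds()` still runs on the disabled path, so a technique the operator switched off in the ATT&CK config still carries the harvested credentials into the report, while the other technique files in this commit (T1016, T1018, T1145) hand back an empty list for their data when disabled. If that difference is not intended, gate it on the status that was just computed: `data['stolen_creds'] = ReportService.get_stolen_creds() if status != ScanStatus.DISABLED.value else []`. The `status = ScanStatus.UNSCANNED.value` directly under `else:` is dead code, since both arms of the inner `if` assign `status`. The method's `return` lies outside the hunk.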
@ -27,8 +27,14 @@ class T1016(AttackTechnique):
|
|||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
network_info = list(mongo.db.telemetry.aggregate(T1016.query))
|
||||
status = ScanStatus.USED.value if network_info else ScanStatus.UNSCANNED.value
|
||||
network_info = []
|
||||
|
||||
if not T1016.is_enabled_in_config():
|
||||
status = ScanStatus.DISABLED.value
|
||||
else:
|
||||
network_info = list(mongo.db.telemetry.aggregate(T1016.query))
|
||||
status = ScanStatus.USED.value if network_info else ScanStatus.UNSCANNED.value
|
||||
|
||||
data = T1016.get_base_data_by_status(status)
|
||||
data.update({'network_info': network_info})
|
||||
return data
|
||||
|
|
|
@ -28,11 +28,17 @@ class T1018(AttackTechnique):
|
|||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
scan_info = list(mongo.db.telemetry.aggregate(T1018.query))
|
||||
if scan_info:
|
||||
status = ScanStatus.USED.value
|
||||
scan_info = []
|
||||
|
||||
if not T1018.is_enabled_in_config():
|
||||
status = ScanStatus.DISABLED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
scan_info = list(mongo.db.telemetry.aggregate(T1018.query))
|
||||
if scan_info:
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
|
||||
data = T1018.get_base_data_by_status(status)
|
||||
data.update({'scan_info': scan_info})
|
||||
return data
|
||||
|
|
|
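Review bot: The `status = ScanStatus.UNSCANNED.value` directly under `else:` is dead, because the `if scan_info: ... else: ...` that follows assigns `status` on both arms. T1016 in the same commit expresses the same decision as one conditional expression; matching it here would be `status = ScanStatus.USED.value if scan_info else ScanStatus.UNSCANNED.value` in place of the pre-assignment and the four-line `if/else`. Behaviour is identical either way; this is only about the fifteen files of this commit reading the same.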
@ -34,18 +34,23 @@ class T1021(AttackTechnique):
|
|||
@staticmethod
|
||||
def get_report_data():
|
||||
attempts = []
|
||||
if mongo.db.telemetry.count_documents(T1021.scanned_query):
|
||||
attempts = list(mongo.db.telemetry.aggregate(T1021.query))
|
||||
if attempts:
|
||||
status = ScanStatus.USED.value
|
||||
for result in attempts:
|
||||
result['successful_creds'] = []
|
||||
for attempt in result['attempts']:
|
||||
result['successful_creds'].append(parse_creds(attempt))
|
||||
else:
|
||||
status = ScanStatus.SCANNED.value
|
||||
|
||||
if not T1021.is_enabled_in_config():
|
||||
status = ScanStatus.DISABLED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
if mongo.db.telemetry.count_documents(T1021.scanned_query):
|
||||
attempts = list(mongo.db.telemetry.aggregate(T1021.query))
|
||||
if attempts:
|
||||
status = ScanStatus.USED.value
|
||||
for result in attempts:
|
||||
result['successful_creds'] = []
|
||||
for attempt in result['attempts']:
|
||||
result['successful_creds'].append(parse_creds(attempt))
|
||||
else:
|
||||
status = ScanStatus.SCANNED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
|
||||
data = T1021.get_base_data_by_status(status)
|
||||
data.update({'services': attempts})
|
||||
return data
|
||||
|
|
|
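Review bot: `mongo.db.telemetry.count_documents(T1021.scanned_query)` is used only as a yes/no gate before the aggregate, so it counts every matching telemetry document to answer a question `find_one` settles on the first hit; `if mongo.db.telemetry.find_one(T1021.scanned_query) is not None:` does the same job and mirrors how `AttackTechnique.get_status` tests for USED telemetry elsewhere in this commit. Whether the cost is noticeable depends on the size of the telemetry collection and on an index covering `scanned_query`, neither of which the hunk shows. Separately, `status = ScanStatus.UNSCANNED.value` placed right after `else:` already covers the no-telemetry case, so if the `else: status = ScanStatus.UNSCANNED.value` arm after the `SCANNED` branch survives in the new code it is now redundant and can go.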
@ -13,14 +13,20 @@ class T1041(AttackTechnique):
|
|||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
monkeys = list(Monkey.objects())
|
||||
info = [{'src': monkey['command_control_channel']['src'],
|
||||
'dst': monkey['command_control_channel']['dst']}
|
||||
for monkey in monkeys if monkey['command_control_channel']]
|
||||
if info:
|
||||
status = ScanStatus.USED.value
|
||||
info = []
|
||||
|
||||
if not T1041.is_enabled_in_config():
|
||||
status = ScanStatus.DISABLED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
monkeys = list(Monkey.objects())
|
||||
info = [{'src': monkey['command_control_channel']['src'],
|
||||
'dst': monkey['command_control_channel']['dst']}
|
||||
for monkey in monkeys if monkey['command_control_channel']]
|
||||
if info:
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
|
||||
data = T1041.get_base_data_by_status(status)
|
||||
data.update({'command_control_channel': info})
|
||||
return data
|
||||
|
|
|
@ -23,12 +23,16 @@ class T1059(AttackTechnique):
|
|||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
cmd_data = list(mongo.db.telemetry.aggregate(T1059.query))
|
||||
data = {'title': T1059.technique_title(), 'cmds': cmd_data}
|
||||
if cmd_data:
|
||||
status = ScanStatus.USED.value
|
||||
if not T1059.is_enabled_in_config():
|
||||
status = ScanStatus.DISABLED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
cmd_data = list(mongo.db.telemetry.aggregate(T1059.query))
|
||||
data = {'title': T1059.technique_title(), 'cmds': cmd_data}
|
||||
if cmd_data:
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
|
||||
data.update(T1059.get_message_and_status(status))
|
||||
data.update(T1059.get_mitigation_by_status(status))
|
||||
return data
|
||||
|
|
|
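Review bot: `data = {'title': T1059.technique_title(), 'cmds': cmd_data}` is bound only in the `else:` arm, so as rendered here the disabled path reaches `data.update(T1059.get_message_and_status(status))` with `data` unbound and raises UnboundLocalError instead of reporting DISABLED. Follow what T1016 and T1090 do for their lists: put `cmd_data = []` above `if not T1059.is_enabled_in_config():`, and build `data = {'title': T1059.technique_title(), 'cmds': cmd_data}` after the `if/else`, just before the two `data.update(...)` calls. If the rendered page merely dropped a `data = ...` line that exists before the `if`, disregard this.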
@ -31,14 +31,19 @@ class T1075(AttackTechnique):
|
|||
@staticmethod
|
||||
def get_report_data():
|
||||
data = {'title': T1075.technique_title()}
|
||||
successful_logins = list(mongo.db.telemetry.aggregate(T1075.query))
|
||||
data.update({'successful_logins': successful_logins})
|
||||
if successful_logins:
|
||||
status = ScanStatus.USED.value
|
||||
elif mongo.db.telemetry.count_documents(T1075.login_attempt_query):
|
||||
status = ScanStatus.SCANNED.value
|
||||
|
||||
if not T1075.is_enabled_in_config():
|
||||
status = ScanStatus.DISABLED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
successful_logins = list(mongo.db.telemetry.aggregate(T1075.query))
|
||||
data.update({'successful_logins': successful_logins})
|
||||
if successful_logins:
|
||||
status = ScanStatus.USED.value
|
||||
elif mongo.db.telemetry.count_documents(T1075.login_attempt_query):
|
||||
status = ScanStatus.SCANNED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
|
||||
data.update(T1075.get_message_and_status(status))
|
||||
data.update(T1075.get_mitigation_by_status(status))
|
||||
return data
|
||||
|
|
|
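Review bot: On the disabled path the returned `data` has no `successful_logins` key at all, because `data.update({'successful_logins': successful_logins})` sits inside the `else:`, whereas the other technique files in this commit (T1016, T1018, T1145) always emit their data key with an empty list when disabled. If the report front-end reads `successful_logins` unconditionally it will now hit a missing key for a disabled T1075. Pre-initialise `successful_logins = []` above the `if` and move the `data.update({'successful_logins': successful_logins})` below the `if/else`, next to the other `data.update` calls. `mongo.db.telemetry.count_documents(T1075.login_attempt_query)` is also only truth-tested, so `find_one(T1075.login_attempt_query) is not None` would do the same work more cheaply.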
@ -39,12 +39,17 @@ class T1082(AttackTechnique):
|
|||
@staticmethod
|
||||
def get_report_data():
|
||||
data = {'title': T1082.technique_title()}
|
||||
system_info = list(mongo.db.telemetry.aggregate(T1082.query))
|
||||
data.update({'system_info': system_info})
|
||||
if system_info:
|
||||
status = ScanStatus.USED.value
|
||||
|
||||
if not T1082.is_enabled_in_config():
|
||||
status = ScanStatus.DISABLED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
system_info = list(mongo.db.telemetry.aggregate(T1082.query))
|
||||
data.update({'system_info': system_info})
|
||||
if system_info:
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
|
||||
data.update(T1082.get_mitigation_by_status(status))
|
||||
data.update(T1082.get_message_and_status(status))
|
||||
return data
|
||||
|
|
|
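Review bot: `data.update({'system_info': system_info})` is inside the `else:`, so a disabled T1082 returns a report dict without the `system_info` key while T1016, T1018 and T1145 in this same commit always carry their data key with an empty list when disabled. Unless the front-end already tolerates the missing key, initialise `system_info = []` above `if not T1082.is_enabled_in_config():` and place `data.update({'system_info': system_info})` after the `if/else`, alongside the mitigation and message updates.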
@ -25,12 +25,15 @@ class T1086(AttackTechnique):
|
|||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
cmd_data = list(mongo.db.telemetry.aggregate(T1086.query))
|
||||
data = {'title': T1086.technique_title(), 'cmds': cmd_data}
|
||||
if cmd_data:
|
||||
status = ScanStatus.USED.value
|
||||
if not T1086.is_enabled_in_config():
|
||||
status = ScanStatus.DISABLED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
cmd_data = list(mongo.db.telemetry.aggregate(T1086.query))
|
||||
data = {'title': T1086.technique_title(), 'cmds': cmd_data}
|
||||
if cmd_data:
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
|
||||
data.update(T1086.get_mitigation_by_status(status))
|
||||
data.update(T1086.get_message_and_status(status))
|
||||
|
|
|
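Review bot: `data` is assigned only inside the `else:` arm (`data = {'title': T1086.technique_title(), 'cmds': cmd_data}`), so as rendered the disabled path falls through to `data.update(T1086.get_mitigation_by_status(status))` with `data` unbound and raises UnboundLocalError rather than reporting DISABLED. Initialise `cmd_data = []` before the `if`, and construct `data = {'title': T1086.technique_title(), 'cmds': cmd_data}` after the `if/else`, immediately before the `data.update(...)` calls — the same pre-initialisation pattern T1016 and T1090 use in this commit. If a `data = ...` line before the `if` was lost in rendering, ignore this. The method continues past the hunk; its `return` is not visible.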
@ -13,9 +13,15 @@ class T1090(AttackTechnique):
|
|||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
monkeys = Monkey.get_tunneled_monkeys()
|
||||
monkeys = [monkey.get_network_info() for monkey in monkeys]
|
||||
status = ScanStatus.USED.value if monkeys else ScanStatus.UNSCANNED.value
|
||||
monkeys = []
|
||||
|
||||
if not T1090.is_enabled_in_config():
|
||||
status = ScanStatus.DISABLED.value
|
||||
else:
|
||||
monkeys = Monkey.get_tunneled_monkeys()
|
||||
monkeys = [monkey.get_network_info() for monkey in monkeys]
|
||||
status = ScanStatus.USED.value if monkeys else ScanStatus.UNSCANNED.value
|
||||
|
||||
data = T1090.get_base_data_by_status(status)
|
||||
data.update({'proxies': monkeys})
|
||||
return data
|
||||
|
|
|
@ -26,21 +26,27 @@ class T1110(AttackTechnique):
|
|||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
attempts = list(mongo.db.telemetry.aggregate(T1110.query))
|
||||
succeeded = False
|
||||
attempts = []
|
||||
|
||||
for result in attempts:
|
||||
result['successful_creds'] = []
|
||||
for attempt in result['attempts']:
|
||||
succeeded = True
|
||||
result['successful_creds'].append(parse_creds(attempt))
|
||||
|
||||
if succeeded:
|
||||
status = ScanStatus.USED.value
|
||||
elif attempts:
|
||||
status = ScanStatus.SCANNED.value
|
||||
if not T1110.is_enabled_in_config():
|
||||
status = ScanStatus.DISABLED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
attempts = list(mongo.db.telemetry.aggregate(T1110.query))
|
||||
succeeded = False
|
||||
|
||||
for result in attempts:
|
||||
result['successful_creds'] = []
|
||||
for attempt in result['attempts']:
|
||||
succeeded = True
|
||||
result['successful_creds'].append(parse_creds(attempt))
|
||||
|
||||
if succeeded:
|
||||
status = ScanStatus.USED.value
|
||||
elif attempts:
|
||||
status = ScanStatus.SCANNED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
|
||||
data = T1110.get_base_data_by_status(status)
|
||||
# Remove data with no successful brute force attempts
|
||||
attempts = [attempt for attempt in attempts if attempt['attempts']]
|
||||
|
|
|
@ -20,12 +20,17 @@ class T1145(AttackTechnique):
|
|||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
ssh_info = list(mongo.db.telemetry.aggregate(T1145.query))
|
||||
ssh_info = []
|
||||
|
||||
if ssh_info:
|
||||
status = ScanStatus.USED.value
|
||||
if not T1145.is_enabled_in_config():
|
||||
status = ScanStatus.DISABLED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
ssh_info = list(mongo.db.telemetry.aggregate(T1145.query))
|
||||
if ssh_info:
|
||||
status = ScanStatus.USED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
|
||||
data = T1145.get_base_data_by_status(status)
|
||||
data.update({'ssh_info': ssh_info})
|
||||
return data
|
||||
|
|
|
@ -13,19 +13,25 @@ class T1188(AttackTechnique):
|
|||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
monkeys = Monkey.get_tunneled_monkeys()
|
||||
hops = []
|
||||
for monkey in monkeys:
|
||||
proxy_count = 0
|
||||
proxy = initial = monkey
|
||||
while proxy.tunnel:
|
||||
proxy_count += 1
|
||||
proxy = proxy.tunnel
|
||||
if proxy_count > 1:
|
||||
hops.append({'from': initial.get_network_info(),
|
||||
'to': proxy.get_network_info(),
|
||||
'count': proxy_count})
|
||||
status = ScanStatus.USED.value if hops else ScanStatus.UNSCANNED.value
|
||||
|
||||
if not T1188.is_enabled_in_config():
|
||||
status = ScanStatus.DISABLED.value
|
||||
else:
|
||||
monkeys = Monkey.get_tunneled_monkeys()
|
||||
hops = []
|
||||
for monkey in monkeys:
|
||||
proxy_count = 0
|
||||
proxy = initial = monkey
|
||||
while proxy.tunnel:
|
||||
proxy_count += 1
|
||||
proxy = proxy.tunnel
|
||||
if proxy_count > 1:
|
||||
hops.append({'from': initial.get_network_info(),
|
||||
'to': proxy.get_network_info(),
|
||||
'count': proxy_count})
|
||||
status = ScanStatus.USED.value if hops else ScanStatus.UNSCANNED.value
|
||||
|
||||
data = T1188.get_base_data_by_status(status)
|
||||
data.update({'hops': hops})
|
||||
return data
|
||||
|
|
|
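Review bot: `hops` is bound only inside the `else:` arm, so as rendered the disabled path reaches `data.update({'hops': hops})` with `hops` unbound and raises UnboundLocalError instead of returning a DISABLED report. T1090 in this same commit pre-initialises `monkeys = []` above its `if` for exactly this reason; do the same here with `hops = []` before `if not T1188.is_enabled_in_config():` and drop the inner `hops = []`. If the page merely dropped such a line from the rendering, this can be ignored.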
@ -13,15 +13,22 @@ class T1210(AttackTechnique):
|
|||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
scanned_services = []
|
||||
exploited_services = []
|
||||
data = {'title': T1210.technique_title()}
|
||||
scanned_services = T1210.get_scanned_services()
|
||||
exploited_services = T1210.get_exploited_services()
|
||||
if exploited_services:
|
||||
status = ScanStatus.USED.value
|
||||
elif scanned_services:
|
||||
status = ScanStatus.SCANNED.value
|
||||
|
||||
if not T1210.is_enabled_in_config():
|
||||
status = ScanStatus.DISABLED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
scanned_services = T1210.get_scanned_services()
|
||||
exploited_services = T1210.get_exploited_services()
|
||||
if exploited_services:
|
||||
status = ScanStatus.USED.value
|
||||
elif scanned_services:
|
||||
status = ScanStatus.SCANNED.value
|
||||
else:
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
|
||||
data.update(T1210.get_message_and_status(status))
|
||||
data.update(T1210.get_mitigation_by_status(status))
|
||||
data.update({'scanned_services': scanned_services, 'exploited_services': exploited_services})
|
||||
|
|
|
@ -63,7 +63,7 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
|
|||
Gets the status of a certain attack technique.
|
||||
:return: ScanStatus numeric value
|
||||
"""
|
||||
if cls._is_disabled_in_config():
|
||||
if not cls.is_enabled_in_config():
|
||||
return ScanStatus.DISABLED.value
|
||||
elif mongo.db.telemetry.find_one({'telem_category': 'attack',
|
||||
'data.status': ScanStatus.USED.value,
|
||||
|
@ -83,7 +83,6 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
|
|||
:param status: Enum from common/attack_utils.py integer value
|
||||
:return: Dict with message and status
|
||||
"""
|
||||
status = cls._check_status(status)
|
||||
return {'message': cls.get_message_by_status(status), 'status': status}
|
||||
|
||||
@classmethod
|
||||
|
@ -93,7 +92,6 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
|
|||
:param status: Enum from common/attack_utils.py integer value
|
||||
:return: message string
|
||||
"""
|
||||
status = cls._check_status(status)
|
||||
if status == ScanStatus.DISABLED.value:
|
||||
return disabled_msg
|
||||
if status == ScanStatus.UNSCANNED.value:
|
||||
|
@ -127,7 +125,6 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
|
|||
|
||||
@classmethod
|
||||
def get_base_data_by_status(cls, status):
|
||||
status = cls._check_status(status)
|
||||
data = cls.get_message_and_status(status)
|
||||
data.update({'title': cls.technique_title()})
|
||||
data.update(cls.get_mitigation_by_status(status))
|
||||
|
@ -135,7 +132,6 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
|
|||
|
||||
@classmethod
|
||||
def get_mitigation_by_status(cls, status: ScanStatus) -> dict:
|
||||
status = cls._check_status(status)
|
||||
if status == ScanStatus.USED.value:
|
||||
mitigation_document = AttackMitigations.get_mitigation_by_technique_id(str(cls.tech_id))
|
||||
return {'mitigations': mitigation_document.to_mongo().to_dict()['mitigations']}
|
||||
|
@ -143,11 +139,5 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
|
|||
return {}
|
||||
|
||||
@classmethod
|
||||
def _check_status(cls, status):
|
||||
if status == ScanStatus.UNSCANNED.value and not cls._is_enabled_in_config():
|
||||
return ScanStatus.DISABLED.value
|
||||
return status
|
||||
|
||||
@classmethod
|
||||
def _is_disabled_in_config(cls):
|
||||
return not AttackConfig.get_technique_values()[cls.tech_id]
|
||||
def is_enabled_in_config(cls) -> bool:
|
||||
return AttackConfig.get_technique_values()[cls.tech_id]
|
||||
|
|
|
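Review bot: `is_enabled_in_config` is annotated `-> bool` but returns whatever `AttackConfig.get_technique_values()[cls.tech_id]` holds; if that value can be anything other than a real bool, wrap it: `return bool(AttackConfig.get_technique_values()[cls.tech_id])`. Making the check public also moves the disabled guard into every subclass: each `get_report_data` in this commit now repeats `if not X.is_enabled_in_config(): status = ScanStatus.DISABLED.value else: ...`, and each author is left to remember to initialise the technique's data variable on the disabled path. A template method in this base class that does the guard once and delegates the enabled path to an abstract hook would remove that duplication; since it means turning the subclasses' `@staticmethod get_report_data` into the hook, it is a follow-up rather than part of this commit. Sketch of the base-class side:
```python
    @classmethod
    def get_report_data(cls) -> dict:
        """Report entry point: apply the config guard once, then delegate the enabled path."""
        if not cls.is_enabled_in_config():
            status, technique_data = ScanStatus.DISABLED.value, {}
        else:
            status, technique_data = cls._get_status_and_data()
        data = cls.get_base_data_by_status(status)
        data.update(technique_data)
        return data

    @classmethod
    @abc.abstractmethod
    def _get_status_and_data(cls) -> tuple:
        """Return (ScanStatus value, technique-specific report fields) for an enabled technique."""

    # … unchanged: is_enabled_in_config …
```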
@ -39,16 +39,19 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
|
|||
:return: Technique's report data aggregated from the database
|
||||
"""
|
||||
data = {'title': cls.technique_title(), 'info': []}
|
||||
info = []
|
||||
|
||||
info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names)))
|
||||
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
if info:
|
||||
successful_PBAs = mongo.db.telemetry.count({
|
||||
'$or': [{'data.name': pba_name} for pba_name in cls.pba_names],
|
||||
'data.result.1': True
|
||||
})
|
||||
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
|
||||
if not cls.is_enabled_in_config():
|
||||
status = ScanStatus.DISABLED.value
|
||||
else:
|
||||
info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names)))
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
if info:
|
||||
successful_PBAs = mongo.db.telemetry.count({
|
||||
'$or': [{'data.name': pba_name} for pba_name in cls.pba_names],
|
||||
'data.result.1': True
|
||||
})
|
||||
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
|
||||
|
||||
data.update(cls.get_base_data_by_status(status))
|
||||
data.update({'info': info})
|
||||
|
|
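Review bot: `mongo.db.telemetry.count({...})` uses the legacy collection `count`, which pymongo deprecated in 3.7 in favour of `count_documents`, while the rest of this commit (T1003, T1021, T1075) already queries with `count_documents`. The result is only truth-tested into `successful_PBAs`, so `find_one` is sufficient and stops at the first hit: `successful_PBAs = mongo.db.telemetry.find_one({...}) is not None` with the same `$or` / `data.result.1` filter, or `count_documents` if a number is wanted for the report later. The method's `return` lies outside the hunk.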