T1210 implemented, T1197 started

2019-04-09 10:59:53 +03:00 · 2019-04-09 10:59:53 +03:00 · 993736a973
parent c3d717a6bf
commit 993736a973
19 changed files with 232 additions and 68 deletions
--- a/monkey/common/utils/attack_status_enum.py
+++ b/monkey/common/utils/attack_status_enum.py
@ -8,3 +8,6 @@ class ScanStatus(Enum):
    SCANNED = 1
    # Technique was attempted and succeeded
    USED = 2
+
+
+BITS_UPLOAD_STRING = "Bits job was used to upload monkey to a remote system."
--- a/monkey/infection_monkey/exploit/elasticgroovy.py
+++ b/monkey/infection_monkey/exploit/elasticgroovy.py
@ -11,6 +11,8 @@ from infection_monkey.exploit.web_rce import WebRCE
 from infection_monkey.model import WGET_HTTP_UPLOAD, RDP_CMDLINE_HTTP, CHECK_COMMAND, ID_STRING, CMD_PREFIX,\
    DOWNLOAD_TIMEOUT
 from infection_monkey.network.elasticfinger import ES_PORT, ES_SERVICE
+from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
+from common.utils.attack_utils import ScanStatus, BITS_UPLOAD_STRING

 import re

@ -58,6 +60,12 @@ class ElasticGroovyExploiter(WebRCE):
            return False
        return result[0]

+    def upload_monkey(self, url, commands=None):
+        result = super(ElasticGroovyExploiter, self).upload_monkey(url, commands)
+        if 'windows' in self.host.os['type'] and result:
+            VictimHostTelem("T1197", ScanStatus.USED.value, self.host, BITS_UPLOAD_STRING)
+        return result
+
    def get_results(self, response):
        """
        Extracts the result data from our attack
--- a/monkey/infection_monkey/exploit/rdpgrinder.py
+++ b/monkey/infection_monkey/exploit/rdpgrinder.py
@ -17,6 +17,8 @@ from infection_monkey.network.tools import check_tcp_port
 from infection_monkey.exploit.tools import build_monkey_commandline
 from infection_monkey.utils import utf_to_ascii
 from common.utils.exploit_enum import ExploitType
+from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
+from common.utils.attack_utils import ScanStatus, BITS_UPLOAD_STRING

 __author__ = 'hoffer'

@ -312,6 +314,7 @@ class RdpExploiter(HostExploiter):
                client_factory.done_event.wait()

                if client_factory.success:
+                    VictimHostTelem("T1197", ScanStatus.USED.value, self.host, BITS_UPLOAD_STRING)
                    exploited = True
                    self.report_login_attempt(True, user, password)
                    break
--- a/monkey/infection_monkey/exploit/web_rce.py
+++ b/monkey/infection_monkey/exploit/web_rce.py
@ -7,6 +7,8 @@ from infection_monkey.exploit import HostExploiter
 from infection_monkey.model import *
 from infection_monkey.exploit.tools import get_target_monkey, get_monkey_depth, build_monkey_commandline, HTTPTools
 from infection_monkey.network.tools import check_tcp_port, tcp_port_to_service
+from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem
+from common.utils.attack_utils import ScanStatus, BITS_UPLOAD_STRING

 __author__ = 'VakarisZ'

@ -307,6 +309,7 @@ class WebRCE(HostExploiter):
        if not isinstance(resp, bool) and POWERSHELL_NOT_FOUND in resp:
            LOG.info("Powershell not found in host. Using bitsadmin to download.")
            backup_command = RDP_CMDLINE_HTTP % {'monkey_path': dest_path, 'http_path': http_path}
+            VictimHostTelem("T1197", ScanStatus.USED.value, self.host, BITS_UPLOAD_STRING)
            resp = self.exploit(url, backup_command)
        return resp

--- a/monkey/infection_monkey/monkey.py
+++ b/monkey/infection_monkey/monkey.py
@ -17,8 +17,6 @@ from infection_monkey.system_info import SystemInfoCollector
 from infection_monkey.system_singleton import SystemSingleton
 from infection_monkey.windows_upgrader import WindowsUpgrader
 from infection_monkey.post_breach.post_breach_handler import PostBreach
-from common.utils.attack_status_enum import ScanStatus
-from infection_monkey.transport.attack_telems.victim_host_telem import VictimHostTelem

 __author__ = 'itamar'

@ -181,11 +179,9 @@ class InfectionMonkey(object):
                for exploiter in [exploiter(machine) for exploiter in self._exploiters]:
                    if self.try_exploiting(machine, exploiter):
                        host_exploited = True
-                        VictimHostTelem('T1210', ScanStatus.USED.value, machine=machine).send()
                        break
                if not host_exploited:
                    self._fail_exploitation_machines.add(machine)
-                    VictimHostTelem('T1210', ScanStatus.SCANNED.value, machine=machine).send()
                if not self._keep_running:
                    break

--- a/monkey/monkey_island/cc/resources/attack/init.py
+++ b/monkey/monkey_island/cc/resources/attack/init.py
--- a/monkey/monkey_island/cc/resources/attack/attack_config.py
+++ b/monkey/monkey_island/cc/resources/attack/attack_config.py
--- a/monkey/monkey_island/cc/resources/attack/attack_report.py
+++ b/monkey/monkey_island/cc/resources/attack/attack_report.py
@ -3,11 +3,11 @@ from flask import jsonify
 from cc.auth import jwt_required
 from cc.services.attack.attack_report import AttackReportService

-__author__ = "itay.mizeretz"
+__author__ = "VakarisZ"


 class AttackReport(flask_restful.Resource):

    @jwt_required()
    def get(self):
-        return jsonify(AttackReportService.get_report())
+        return jsonify(AttackReportService.get_latest_report()['techniques'])
--- a/monkey/monkey_island/cc/resources/attack/attack_telem.py
+++ b/monkey/monkey_island/cc/resources/attack/attack_telem.py
--- a/monkey/monkey_island/cc/resources/root.py
+++ b/monkey/monkey_island/cc/resources/root.py
@ -69,10 +69,12 @@ class Root(flask_restful.Resource):
        infection_done = NodeService.is_monkey_finished_running()
        if not infection_done:
            report_done = False
+            attack_report_done = False
        else:
            if is_any_exists:
                ReportService.get_report()
-                AttackReportService.get_report()
+                AttackReportService.get_latest_report()
            report_done = ReportService.is_report_generated()
            attack_report_done = AttackReportService.is_report_generated()
-        return dict(run_server=True, run_monkey=is_any_exists, infection_done=infection_done, report_done=report_done)
+        return dict(run_server=True, run_monkey=is_any_exists, infection_done=infection_done,
+                    report_done=report_done, attack_report_done=attack_report_done)
--- a/monkey/monkey_island/cc/services/attack/attack_report.py
+++ b/monkey/monkey_island/cc/services/attack/attack_report.py
@ -1,37 +1,58 @@
 import logging
 from cc.services.attack.technique_reports import T1210
 from cc.services.attack.attack_telem import get_latest_telem
+from cc.services.attack.attack_config import get_technique_values
 from cc.database import mongo

 __author__ = "VakarisZ"


-logger = logging.getLogger(__name__)
+LOG = logging.getLogger(__name__)

 TECHNIQUES = {'T1210': T1210}

+REPORT_NAME = 'new_report'
+
+
 class AttackReportService:
    def __init__(self):
        pass

    @staticmethod
    def generate_new_report():
-        report = {'techniques': {}, 'meta': {get_latest_telem()}}
-        for tech_id, value in
-        report.update({'T1210': T1210.get_report_data()})
-        report.update({''})
+        """
+        Generates new report based on telemetries, replaces old report in db with new one.
+        :return: Report object
+        """
+        report = {'techniques': {}, 'meta': get_latest_telem(), 'name': REPORT_NAME}
+        for tech_id, value in get_technique_values().items():
+            if value:
+                try:
+                    report['techniques'].update({tech_id: TECHNIQUES[tech_id].get_report_data()})
+                except KeyError as e:
+                    LOG.error("Attack technique does not have it's report component added "
+                              "to attack report service. %s" % e)
+        mongo.db.attack_report.replace_one({'name': REPORT_NAME}, report, upsert=True)
        return report

    @staticmethod
    def get_latest_report():
+        """
+        Gets latest report (by retrieving it from db or generating a new one).
+        :return: report dict.
+        """
        if AttackReportService.is_report_generated():
-            telem_time = get_latest_telem_time()
-            lates_report = mongo.db.attack_report.find_one({'name': 'new_report'})
-            if telem_time == lates_report['telem_time']:
-                return lates_report
+            telem_time = get_latest_telem()
+            latest_report = mongo.db.attack_report.find_one({'name': REPORT_NAME})
+            if telem_time and telem_time['timestamp'] == latest_report['meta']['timestamp']:
+                return latest_report
        return AttackReportService.generate_new_report()

    @staticmethod
    def is_report_generated():
+        """
+        Checks if report is generated
+        :return: True if report exists, False otherwise
+        """
        generated_report = mongo.db.attack_report.find_one({})
        return generated_report is not None
--- a/monkey/monkey_island/cc/services/attack/attack_telem.py
+++ b/monkey/monkey_island/cc/services/attack/attack_telem.py
@ -22,4 +22,4 @@ def set_results(technique, data):


 def get_latest_telem():
-    return mongo.db.attack_results.find({'name': 'latest'})
+    return mongo.db.attack_results.find_one({'name': 'latest'})
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1197.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1197.py
@ -0,0 +1,16 @@
+from monkey_island.cc.services.attack.technique_reports.technique_service import *
+from cc.services.report import ReportService
+
+__author__ = "VakarisZ"
+
+TECHNIQUE = "T1197"
+MESSAGES = {
+    'unscanned': "Monkey didn't try to use any bits jobs.",
+    'scanned': "Monkey tried to use bits jobs but failed.",
+    'used': "Monkey successfully used bits jobs at least once in the network."
+}
+
+
+def get_report_data():
+    data = get_tech_base_data(TECHNIQUE, MESSAGES)
+    return data
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1210.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1210.py
@ -1,27 +1,18 @@
-from monkey_island.cc.services.attack.technique_reports.technique_service import technique_status, technique_title
-from common.utils.attack_status_enum import ScanStatus
+from monkey_island.cc.services.attack.technique_reports.technique_service import *
 from cc.services.report import ReportService

 __author__ = "VakarisZ"

 TECHNIQUE = "T1210"
-UNSCANNED_MSG = "Monkey didn't scan any remote services. Maybe it didn't find any machines on the network?"
-SCANNED_MSG = "Monkey scanned for remote services on the network, but couldn't exploit any of them."
-USED_MSG = "Monkey scanned for remote services and exploited some on the network."
+MESSAGES = {
+    'unscanned': "Monkey didn't scan any remote services. Maybe it didn't find any machines on the network?",
+    'scanned': "Monkey scanned for remote services on the network, but couldn't exploit any of them.",
+    'used': "Monkey scanned for remote services and exploited some on the network."
+}


 def get_report_data():
-    data = {}
-    status = technique_status(TECHNIQUE)
-    title = technique_title(TECHNIQUE)
-    data.update({'status': status.name, 'title': title})
-    if status == ScanStatus.UNSCANNED:
-        data.update({'message': UNSCANNED_MSG})
-        return data
-    elif status == ScanStatus.SCANNED:
-        data.update({'message': SCANNED_MSG})
-    else:
-        data.update({'message': USED_MSG})
+    data = get_tech_base_data(TECHNIQUE, MESSAGES)
    data.update({'scanned_machines': ReportService.get_scanned()})
    data.update({'exploited_machines': ReportService.get_exploited()})
    return data
--- a/monkey/monkey_island/cc/services/attack/technique_reports/technique_service.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/technique_service.py
@ -1,5 +1,5 @@
 from cc.database import mongo
-from common.utils.attack_status_enum import ScanStatus
+from common.utils.attack_utils import ScanStatus
 from cc.services.attack.attack_config import get_technique

 __author__ = "VakarisZ"
@ -16,3 +16,17 @@ def technique_status(technique):

 def technique_title(technique):
    return get_technique(technique)['title']
+
+
+def get_tech_base_data(technique, messages):
+    data = {}
+    status = technique_status(technique)
+    title = technique_title(technique)
+    data.update({'status': status.name, 'title': title})
+    if status == ScanStatus.UNSCANNED:
+        data.update({'message': messages['unscanned']})
+    elif status == ScanStatus.SCANNED:
+        data.update({'message': messages['scanned']})
+    else:
+        data.update({'message': messages['used']})
+    return data
--- a/monkey/monkey_island/cc/ui/src/components/attack/T1197.js
+++ b/monkey/monkey_island/cc/ui/src/components/attack/T1197.js
@ -0,0 +1,63 @@
+import React from 'react';
+import '../../styles/Collapse.scss'
+import {Link} from "react-router-dom";
+
+let renderArray = function(val) {
+  return <span>{val.map(x => <span key={x.toString()}>{x} </span>)}</span>;
+};
+
+
+let renderMachine = function (val, index, exploited=false) {
+  return (
+    <div key={index}>
+      {renderArray(val.ip_addresses)}
+      {(val.domain_name ? " (".concat(val.domain_name, ")") : " (".concat(val.label, ")"))} :
+      {exploited ? renderArray(val.exploits) : renderArray(val.services)}
+    </div>
+  )
+};
+
+class T1210 extends React.Component {
+
+  renderScannedMachines = (machines) => {
+    let content = [];
+    for (let i = 0; i < machines.length; i++ ){
+      if (machines[i].services.length !== 0){
+        content.push(renderMachine(machines[i], i))
+      }
+    }
+    return <div>{content}</div>;
+  };
+
+  renderExploitedMachines = (machines) => {
+    let content = [];
+    for (let i = 0; i < machines.length; i++ ){
+      if (machines[i].exploits.length !== 0){
+        content.push(renderMachine(machines[i], i, true))
+      }
+    }
+    return <div>{content}</div>;
+  };
+
+  constructor(props) {
+    super(props);
+  }
+
+  render() {
+    console.log(this.props);
+    return (
+      <div>
+        <div>{this.props.data.message}</div>
+        <div>Found services: </div>
+        {this.renderScannedMachines(this.props.data.scanned_machines)}
+        <div>Successful exploiters:</div>
+        {this.renderExploitedMachines(this.props.data.exploited_machines)}
+        <div className="attack-report footer-text">
+          To get more info about scanned and exploited machines view <Link to="/report">standard report.</Link>
+        </div>
+      </div>
+    );
+  }
+}
+
+export default T1210;
--- a/monkey/monkey_island/cc/ui/src/components/attack/T1210.js
+++ b/monkey/monkey_island/cc/ui/src/components/attack/T1210.js
@ -1,30 +1,61 @@
 import React from 'react';
-import ReactTable from 'react-table'
 import '../../styles/Collapse.scss'
-import Collapse from '@kunukn/react-collapse';
+import {Link} from "react-router-dom";

 let renderArray = function(val) {
-  return <div>{val.map(x => <div>{x}</div>)}</div>;
+  return <span>{val.map(x => <span key={x.toString()}>{x} </span>)}</span>;
 };

-let renderIpAddresses = function (val) {
-  return <div>{renderArray(val.ip_addresses)} {(val.domain_name ? " (".concat(val.domain_name, ")") : "")} </div>;
+
+let renderMachine = function (val, index, exploited=false) {
+  return (
+    <div key={index}>
+      {renderArray(val.ip_addresses)}
+      {(val.domain_name ? " (".concat(val.domain_name, ")") : " (".concat(val.label, ")"))} :
+      {exploited ? renderArray(val.exploits) : renderArray(val.services)}
+    </div>
+  )
 };

-const columns = [
-];
-
-const pageSize = 10;
-
 class T1210 extends React.Component {
+
+  renderScannedMachines = (machines) => {
+    let content = [];
+    for (let i = 0; i < machines.length; i++ ){
+      if (machines[i].services.length !== 0){
+        content.push(renderMachine(machines[i], i))
+      }
+    }
+    return <div>{content}</div>;
+  };
+
+  renderExploitedMachines = (machines) => {
+    let content = [];
+    for (let i = 0; i < machines.length; i++ ){
+      if (machines[i].exploits.length !== 0){
+        content.push(renderMachine(machines[i], i, true))
+      }
+    }
+    return <div>{content}</div>;
+  };
+
  constructor(props) {
    super(props);
  }
+
  render() {
+    console.log(this.props);
    return (
-      <Collapse isOpen={true || false}>
+      <div>
        <div>{this.props.data.message}</div>
-      </Collapse>
+        <div>Found services: </div>
+        {this.renderScannedMachines(this.props.data.scanned_machines)}
+        <div>Successful exploiters:</div>
+        {this.renderExploitedMachines(this.props.data.exploited_machines)}
+        <div className="attack-report footer-text">
+          To get more info about scanned and exploited machines view <Link to="/report">standard report.</Link>
+        </div>
+      </div>
    );
  }
 }
--- a/monkey/monkey_island/cc/ui/src/components/pages/AttackReportPage.js
+++ b/monkey/monkey_island/cc/ui/src/components/pages/AttackReportPage.js
@ -18,7 +18,7 @@ class AttackReportPageComponent extends AuthComponent {
  constructor(props) {
    super(props);
    this.state = {
-      report: {},
+      report: false,
      allMonkeysAreDead: false,
      runStarted: true,
      index: 1
@ -105,27 +105,8 @@ class AttackReportPageComponent extends AuthComponent {
    Object.keys(this.state.report).forEach((tech_id) => {
      content = this.getTechniqueCollapse(tech_id)
    });
-    return <section className="app">{content}</section>
-  }
-
-  render() {
-    let content;
-    if (Object.keys(this.state.report).length === 0) {
-      if (this.state.runStarted) {
-        content = (<h1>Generating Report...</h1>);
-      } else {
-        content =
-          <p className="alert alert-warning">
-            <i className="glyphicon glyphicon-warning-sign" style={{'marginRight': '5px'}}/>
-            You have to run a monkey before generating a report!
-          </p>;
-      }
-    } else {
-      content = this.generateReportContent();
-    }
    return (
-      <Col xs={12} lg={8}>
-        <h1 className="page-title no-print">5. ATT&CK Report</h1>
+      <div>
        <div id="header" className="row justify-content-between attack-legend">
          <Col xs={4}>
            <i className="fa fa-circle icon-default"></i>
@ -140,6 +121,32 @@ class AttackReportPageComponent extends AuthComponent {
            <span> - Used</span>
          </Col>
        </div>
+        <section className="app">{content}</section>
+      </div>
+    )
+  }
+
+  render() {
+    let content;
+    console.log(this.state.report);
+    if (this.state.report === false){
+        content = (<h1>Generating Report...</h1>);
+    } else if (Object.keys(this.state.report).length === 0) {
+      if (this.state.runStarted) {
+        content = (<h1>No techniques were scanned</h1>);
+      } else {
+        content =
+          <p className="alert alert-warning">
+            <i className="glyphicon glyphicon-warning-sign" style={{'marginRight': '5px'}}/>
+            You have to run a monkey before generating a report!
+          </p>;
+      }
+    } else {
+      content = this.generateReportContent();
+    }
+    return (
+      <Col xs={12} lg={8}>
+        <h1 className="page-title no-print">5. ATT&CK Report</h1>
        <div style={{'fontSize': '1.2em'}}>
          {content}
        </div>
--- a/monkey/monkey_island/cc/ui/src/styles/App.css
+++ b/monkey/monkey_island/cc/ui/src/styles/App.css
@ -541,3 +541,9 @@ body {
  text-align: center;
  margin-bottom: 20px;
 }
+
+.attack-report.footer-text{
+  text-align: right;
+  font-size: 0.8em;
+  margin-top: 20px;
+}