Merge pull request #1754 from guardicore/1695-attack-changes
1695 attack changes
commit
c33318646a
|
@ -47,6 +47,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
- Zero Trust integration with ScoutSuite. #1669
|
- Zero Trust integration with ScoutSuite. #1669
|
||||||
- ShellShock exploiter. #1733
|
- ShellShock exploiter. #1733
|
||||||
- ElasticGroovy exploiter. #1732
|
- ElasticGroovy exploiter. #1732
|
||||||
|
- T1082 attack technique report. #1754
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- A bug in network map page that caused delay of telemetry log loading. #1545
|
- A bug in network map page that caused delay of telemetry log loading. #1545
|
||||||
|
|
|
@ -16,7 +16,6 @@ from monkey_island.cc.services.attack.technique_reports import (
|
||||||
T1064,
|
T1064,
|
||||||
T1065,
|
T1065,
|
||||||
T1075,
|
T1075,
|
||||||
T1082,
|
|
||||||
T1086,
|
T1086,
|
||||||
T1087,
|
T1087,
|
||||||
T1090,
|
T1090,
|
||||||
|
@ -54,7 +53,6 @@ TECHNIQUES = {
|
||||||
"T1003": T1003.T1003,
|
"T1003": T1003.T1003,
|
||||||
"T1059": T1059.T1059,
|
"T1059": T1059.T1059,
|
||||||
"T1086": T1086.T1086,
|
"T1086": T1086.T1086,
|
||||||
"T1082": T1082.T1082,
|
|
||||||
"T1145": T1145.T1145,
|
"T1145": T1145.T1145,
|
||||||
"T1065": T1065.T1065,
|
"T1065": T1065.T1065,
|
||||||
"T1105": T1105.T1105,
|
"T1105": T1105.T1105,
|
||||||
|
|
|
@ -249,21 +249,11 @@ SCHEMA = {
|
||||||
"hostname, or other logical identifier on a network for lateral"
|
"hostname, or other logical identifier on a network for lateral"
|
||||||
" movement.",
|
" movement.",
|
||||||
},
|
},
|
||||||
"T1082": {
|
|
||||||
"title": "System information discovery",
|
|
||||||
"type": "bool",
|
|
||||||
"link": "https://attack.mitre.org/techniques/T1082",
|
|
||||||
"depends_on": ["T1016", "T1005"],
|
|
||||||
"description": "An adversary may attempt to get detailed information about the "
|
|
||||||
"operating system and hardware, including version, patches, "
|
|
||||||
"hotfixes, "
|
|
||||||
"service packs, and architecture.",
|
|
||||||
},
|
|
||||||
"T1016": {
|
"T1016": {
|
||||||
"title": "System network configuration discovery",
|
"title": "System network configuration discovery",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"link": "https://attack.mitre.org/techniques/T1016",
|
"link": "https://attack.mitre.org/techniques/T1016",
|
||||||
"depends_on": ["T1005", "T1082"],
|
"depends_on": ["T1005"],
|
||||||
"description": "Adversaries will likely look for details about the network "
|
"description": "Adversaries will likely look for details about the network "
|
||||||
"configuration "
|
"configuration "
|
||||||
"and settings of systems they access or through information "
|
"and settings of systems they access or through information "
|
||||||
|
@ -322,7 +312,7 @@ SCHEMA = {
|
||||||
"title": "Data from local system",
|
"title": "Data from local system",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"link": "https://attack.mitre.org/techniques/T1005",
|
"link": "https://attack.mitre.org/techniques/T1005",
|
||||||
"depends_on": ["T1016", "T1082"],
|
"depends_on": ["T1016"],
|
||||||
"description": "Sensitive data can be collected from local system sources, "
|
"description": "Sensitive data can be collected from local system sources, "
|
||||||
"such as the file system "
|
"such as the file system "
|
||||||
"or databases of information residing on the system prior to "
|
"or databases of information residing on the system prior to "
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
from common.utils.attack_utils import ScanStatus
|
from common.utils.attack_utils import ScanStatus
|
||||||
from monkey_island.cc.database import mongo
|
from monkey_island.cc.models import Monkey
|
||||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||||
|
|
||||||
|
|
||||||
|
@ -10,35 +10,12 @@ class T1016(AttackTechnique):
|
||||||
scanned_msg = ""
|
scanned_msg = ""
|
||||||
used_msg = "Monkey gathered network configurations on systems in the network."
|
used_msg = "Monkey gathered network configurations on systems in the network."
|
||||||
|
|
||||||
query = [
|
|
||||||
{"$match": {"telem_category": "system_info", "data.network_info": {"$exists": True}}},
|
|
||||||
{
|
|
||||||
"$project": {
|
|
||||||
"machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
|
|
||||||
"networks": "$data.network_info.networks",
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"$addFields": {
|
|
||||||
"_id": 0,
|
|
||||||
"networks": 0,
|
|
||||||
"info": [
|
|
||||||
{
|
|
||||||
"used": {
|
|
||||||
"$and": [{"$ifNull": ["$networks", False]}, {"$gt": ["$networks", {}]}]
|
|
||||||
},
|
|
||||||
"name": {"$literal": "Network interface info"},
|
|
||||||
},
|
|
||||||
],
|
|
||||||
}
|
|
||||||
},
|
|
||||||
]
|
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_report_data():
|
def get_report_data():
|
||||||
def get_technique_status_and_data():
|
def get_technique_status_and_data():
|
||||||
network_info = list(mongo.db.telemetry.aggregate(T1016.query))
|
network_info = T1016._get_network_info()
|
||||||
status = ScanStatus.USED.value if network_info else ScanStatus.UNSCANNED.value
|
used_info = [entry for entry in network_info if entry["info"][0]["used"]]
|
||||||
|
status = ScanStatus.USED.value if used_info else ScanStatus.UNSCANNED.value
|
||||||
return (status, network_info)
|
return (status, network_info)
|
||||||
|
|
||||||
status, network_info = get_technique_status_and_data()
|
status, network_info = get_technique_status_and_data()
|
||||||
|
@ -46,3 +23,14 @@ class T1016(AttackTechnique):
|
||||||
data = T1016.get_base_data_by_status(status)
|
data = T1016.get_base_data_by_status(status)
|
||||||
data.update({"network_info": network_info})
|
data.update({"network_info": network_info})
|
||||||
return data
|
return data
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def _get_network_info():
|
||||||
|
network_info = []
|
||||||
|
for monkey in Monkey.objects():
|
||||||
|
entry = {"machine": {"hostname": monkey.hostname, "ips": monkey.ip_addresses}}
|
||||||
|
info = [{"used": bool(monkey.networks), "name": "Network interface info"}]
|
||||||
|
entry["info"] = info
|
||||||
|
network_info.append(entry)
|
||||||
|
|
||||||
|
return network_info
|
||||||
|
|
|
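Review bot: The new `_get_network_info` staticmethod (ending at `return network_info`) has no docstring, yet the exact shape it builds is relied on by the caller's `entry["info"][0]["used"]` indexing in the first hunk; a one-line docstring such as `"""Return one entry per Monkey: its hostname, IPs and a single-item "info" list flagging whether network interface info was gathered."""` would make that coupling explicit. The status computation in the first hunk could avoid materialising the filtered list: `status = ScanStatus.USED.value if any(e["info"][0]["used"] for e in network_info) else ScanStatus.UNSCANNED.value`. Note the behavioural change versus the removed aggregation: the report data now lists every `Monkey` object, including those whose `networks` is empty (`used: False`), and `ips` is now `monkey.ip_addresses` rather than the former `networks` list, so if the frontend renderer expected the previous shape this is worth confirming. The enclosing `class T1016` header lies outside this hunk.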
@ -1,120 +0,0 @@
|
||||||
from common.common_consts.post_breach_consts import POST_BREACH_PROCESS_LIST_COLLECTION
|
|
||||||
from common.utils.attack_utils import ScanStatus
|
|
||||||
from monkey_island.cc.database import mongo
|
|
||||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
|
||||||
|
|
||||||
|
|
||||||
class T1082(AttackTechnique):
|
|
||||||
tech_id = "T1082"
|
|
||||||
relevant_systems = ["Linux", "Windows"]
|
|
||||||
unscanned_msg = "Monkey didn't gather any system info on the network."
|
|
||||||
scanned_msg = "Monkey tried gathering system info on the network but failed."
|
|
||||||
used_msg = "Monkey gathered system info from machines in the network."
|
|
||||||
# TODO: Remove the second item from this list after the TODO in `_run_pba()` in
|
|
||||||
# `automated_master.py` is resolved.
|
|
||||||
pba_names = [POST_BREACH_PROCESS_LIST_COLLECTION, "ProcessListCollection"]
|
|
||||||
|
|
||||||
query_for_system_info_collectors = [
|
|
||||||
{"$match": {"telem_category": "system_info", "data.network_info": {"$exists": True}}},
|
|
||||||
{
|
|
||||||
"$project": {
|
|
||||||
"machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
|
|
||||||
"aws": "$data.aws",
|
|
||||||
"ssh_info": "$data.ssh_info",
|
|
||||||
"azure_info": "$data.Azure",
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"$project": {
|
|
||||||
"_id": 0,
|
|
||||||
"machine": 1,
|
|
||||||
"collections": [
|
|
||||||
{
|
|
||||||
"used": {"$and": [{"$gt": ["$aws", {}]}]},
|
|
||||||
"name": {"$literal": "Amazon Web Services info"},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"used": {
|
|
||||||
"$and": [{"$ifNull": ["$ssh_info", False]}, {"$ne": ["$ssh_info", []]}]
|
|
||||||
},
|
|
||||||
"name": {"$literal": "SSH info"},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"used": {
|
|
||||||
"$and": [
|
|
||||||
{"$ifNull": ["$azure_info", False]},
|
|
||||||
{"$ne": ["$azure_info", []]},
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"name": {"$literal": "Azure info"},
|
|
||||||
},
|
|
||||||
{"used": True, "name": {"$literal": "Network interfaces"}},
|
|
||||||
],
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{"$group": {"_id": {"machine": "$machine", "collections": "$collections"}}},
|
|
||||||
{"$replaceRoot": {"newRoot": "$_id"}},
|
|
||||||
]
|
|
||||||
|
|
||||||
query_for_running_processes_list = [
|
|
||||||
{
|
|
||||||
"$match": {
|
|
||||||
"$and": [
|
|
||||||
{"telem_category": "post_breach"},
|
|
||||||
{"$or": [{"data.name": pba_name} for pba_name in pba_names]},
|
|
||||||
{"$or": [{"data.os": os} for os in relevant_systems]},
|
|
||||||
]
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"$project": {
|
|
||||||
"_id": 0,
|
|
||||||
"machine": {
|
|
||||||
"hostname": {"$arrayElemAt": ["$data.hostname", 0]},
|
|
||||||
"ips": [{"$arrayElemAt": ["$data.ip", 0]}],
|
|
||||||
},
|
|
||||||
"collections": [
|
|
||||||
{
|
|
||||||
"used": {"$arrayElemAt": [{"$arrayElemAt": ["$data.result", 0]}, 1]},
|
|
||||||
"name": {"$literal": "List of running processes"},
|
|
||||||
}
|
|
||||||
],
|
|
||||||
}
|
|
||||||
},
|
|
||||||
]
|
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def get_report_data():
|
|
||||||
def get_technique_status_and_data():
|
|
||||||
system_info_data = list(
|
|
||||||
mongo.db.telemetry.aggregate(T1082.query_for_system_info_collectors)
|
|
||||||
)
|
|
||||||
system_info_status = (
|
|
||||||
ScanStatus.USED.value if system_info_data else ScanStatus.UNSCANNED.value
|
|
||||||
)
|
|
||||||
|
|
||||||
pba_data = list(mongo.db.telemetry.aggregate(T1082.query_for_running_processes_list))
|
|
||||||
successful_PBAs = mongo.db.telemetry.count(
|
|
||||||
{
|
|
||||||
"$and": [
|
|
||||||
{"$or": [{"data.name": pba_name} for pba_name in T1082.pba_names]},
|
|
||||||
{"$or": [{"data.os": os} for os in T1082.relevant_systems]},
|
|
||||||
{"data.result.1": True},
|
|
||||||
]
|
|
||||||
}
|
|
||||||
)
|
|
||||||
pba_status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
|
|
||||||
|
|
||||||
technique_data = system_info_data + pba_data
|
|
||||||
# ScanStatus values are in order of precedence; used > scanned > unscanned
|
|
||||||
technique_status = max(system_info_status, pba_status)
|
|
||||||
|
|
||||||
return (technique_status, technique_data)
|
|
||||||
|
|
||||||
status, technique_data = get_technique_status_and_data()
|
|
||||||
data = {"title": T1082.technique_title()}
|
|
||||||
data.update({"technique_data": technique_data})
|
|
||||||
|
|
||||||
data.update(T1082.get_mitigation_by_status(status))
|
|
||||||
data.update(T1082.get_message_and_status(status))
|
|
||||||
return data
|
|
|
@ -100,7 +100,6 @@ POST_BREACH_ACTIONS = {
|
||||||
"title": "Process List Collector",
|
"title": "Process List Collector",
|
||||||
"safe": True,
|
"safe": True,
|
||||||
"info": "Collects a list of running processes on the machine.",
|
"info": "Collects a list of running processes on the machine.",
|
||||||
"attack_techniques": ["T1082"],
|
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,50 +0,0 @@
|
||||||
import React from 'react';
|
|
||||||
import ReactTable from 'react-table';
|
|
||||||
import {renderMachineFromSystemData, renderUsageFields, ScanStatus} from './Helpers'
|
|
||||||
import MitigationsComponent from './MitigationsComponent';
|
|
||||||
|
|
||||||
|
|
||||||
class T1082 extends React.Component {
|
|
||||||
|
|
||||||
constructor(props) {
|
|
||||||
super(props);
|
|
||||||
}
|
|
||||||
|
|
||||||
static getSystemInfoColumns() {
|
|
||||||
return ([{
|
|
||||||
columns: [
|
|
||||||
{
|
|
||||||
Header: 'Machine',
|
|
||||||
id: 'machine',
|
|
||||||
accessor: x => renderMachineFromSystemData(x.machine),
|
|
||||||
style: {'whiteSpace': 'unset'}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
Header: 'Gathered info',
|
|
||||||
id: 'info',
|
|
||||||
accessor: x => renderUsageFields(x.collections),
|
|
||||||
style: {'whiteSpace': 'unset'}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}])
|
|
||||||
}
|
|
||||||
|
|
||||||
render() {
|
|
||||||
return (
|
|
||||||
<div>
|
|
||||||
<div>{this.props.data.message_html}</div>
|
|
||||||
<br/>
|
|
||||||
{this.props.data.status === ScanStatus.USED ?
|
|
||||||
<ReactTable
|
|
||||||
columns={T1082.getSystemInfoColumns()}
|
|
||||||
data={this.props.data.technique_data}
|
|
||||||
showPagination={false}
|
|
||||||
defaultPageSize={this.props.data.technique_data.length}
|
|
||||||
/> : ''}
|
|
||||||
<MitigationsComponent mitigations={this.props.data.mitigations}/>
|
|
||||||
</div>
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
export default T1082;
|
|