p20319658
/
monkey
forked from p34709852/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #390 from VakarisZ/attack_scripting 

T1064 Scripting
This commit is contained in:
Itay Mizeretz 2019-08-22 14:24:33 +03:00 committed by GitHub
parent 9bd4238d9c b9a5ac1fe4
commit d4c337dc42
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 163 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
monkey/infection_monkey/post_breach/pba.py
View File

@ -1,10 +1,11 @@
import logging import logging
import subprocess import subprocess
import socket
from infection_monkey.control import ControlClient from common.utils.attack_utils import ScanStatus
from infection_monkey.telemetry.post_breach_telem import PostBreachTelem from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
from infection_monkey.utils import is_windows_os from infection_monkey.utils import is_windows_os
from infection_monkey.config import WormConfiguration from infection_monkey.config import WormConfiguration
from infection_monkey.telemetry.attack.t1064_telem import T1064Telem
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
@ -46,8 +47,26 @@ class PBA(object):
""" """
exec_funct = self._execute_default exec_funct = self._execute_default
result = exec_funct() result = exec_funct()
if self.scripts_were_used_successfully(result):
T1064Telem(ScanStatus.USED, "Scripts were used to execute %s post breach action." % self.name).send()
PostBreachTelem(self, result).send() PostBreachTelem(self, result).send()
def is_script(self):
"""
Determines if PBA is a script (PBA might be a single command)
:return: True if PBA is a script(series of OS commands)
"""
return isinstance(self.command, list) and len(self.command) > 1
def scripts_were_used_successfully(self, pba_execution_result):
"""
Determines if scripts were used to execute PBA and if they succeeded
:param pba_execution_result: result of execution function. e.g. self._execute_default
:return: True if scripts were used, False otherwise
"""
pba_execution_succeeded = pba_execution_result[1]
return pba_execution_succeeded and self.is_script()
def _execute_default(self): def _execute_default(self):
""" """
Default post breach command execution routine Default post breach command execution routine

3
monkey/infection_monkey/system_info/azure_cred_collector.py
View File

@ -7,6 +7,7 @@ import subprocess
from common.utils.attack_utils import ScanStatus from common.utils.attack_utils import ScanStatus
from infection_monkey.telemetry.attack.t1005_telem import T1005Telem from infection_monkey.telemetry.attack.t1005_telem import T1005Telem
from infection_monkey.telemetry.attack.t1064_telem import T1064Telem
__author__ = 'danielg' __author__ = 'danielg'
@ -58,6 +59,7 @@ class AzureCollector(object):
decrypt_raw = decrypt_proc.communicate(input=b64_result)[0] decrypt_raw = decrypt_proc.communicate(input=b64_result)[0]
decrypt_data = json.loads(decrypt_raw) decrypt_data = json.loads(decrypt_raw)
T1005Telem(ScanStatus.USED, 'Azure credentials', "Path: %s" % filepath).send() T1005Telem(ScanStatus.USED, 'Azure credentials', "Path: %s" % filepath).send()
T1064Telem(ScanStatus.USED, 'Bash scripts used to extract azure credentials.').send()
return decrypt_data['username'], decrypt_data['password'] return decrypt_data['username'], decrypt_data['password']
except IOError: except IOError:
LOG.warning("Failed to parse VM Access plugin file. Could not open file") LOG.warning("Failed to parse VM Access plugin file. Could not open file")
@ -97,6 +99,7 @@ class AzureCollector(object):
password_raw = ps_out.split('\n')[-2].split(">")[1].split("$utf8content")[1] password_raw = ps_out.split('\n')[-2].split(">")[1].split("$utf8content")[1]
password = json.loads(password_raw)["Password"] password = json.loads(password_raw)["Password"]
T1005Telem(ScanStatus.USED, 'Azure credentials', "Path: %s" % filepath).send() T1005Telem(ScanStatus.USED, 'Azure credentials', "Path: %s" % filepath).send()
T1064Telem(ScanStatus.USED, 'Powershell scripts used to extract azure credentials.').send()
return username, password return username, password
except IOError: except IOError:
LOG.warning("Failed to parse VM Access plugin file. Could not open file") LOG.warning("Failed to parse VM Access plugin file. Could not open file")

19
monkey/infection_monkey/telemetry/attack/t1064_telem.py Normal file
View File

@ -0,0 +1,19 @@
from infection_monkey.telemetry.attack.usage_telem import AttackTelem
class T1064Telem(AttackTelem):
def __init__(self, status, usage):
"""
T1064 telemetry.
:param status: ScanStatus of technique
:param usage: Usage string
"""
super(T1064Telem, self).__init__('T1064', status)
self.usage = usage
def get_data(self):
data = super(T1064Telem, self).get_data()
data.update({
'usage': self.usage
})
return data

6
monkey/monkey_island/cc/services/attack/attack_report.py
View File

@ -3,7 +3,7 @@ import logging
from monkey_island.cc.models import Monkey from monkey_island.cc.models import Monkey
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082 from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188 from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016, T1021 from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016, T1021, T1064
from monkey_island.cc.services.attack.attack_config import AttackConfig from monkey_island.cc.services.attack.attack_config import AttackConfig
from monkey_island.cc.database import mongo from monkey_island.cc.database import mongo
@ -34,7 +34,9 @@ TECHNIQUES = {'T1210': T1210.T1210,
'T1005': T1005.T1005, 'T1005': T1005.T1005,
'T1018': T1018.T1018, 'T1018': T1018.T1018,
'T1016': T1016.T1016, 'T1016': T1016.T1016,
'T1021': T1021.T1021} 'T1021': T1021.T1021,
'T1064': T1064.T1064
}
REPORT_NAME = 'new_report' REPORT_NAME = 'new_report'

8
monkey/monkey_island/cc/services/attack/attack_schema.py
View File

@ -173,6 +173,14 @@ SCHEMA = {
"necessary": True, "necessary": True,
"description": "Adversaries can use PowerShell to perform a number of actions," "description": "Adversaries can use PowerShell to perform a number of actions,"
" including discovery of information and execution of code.", " including discovery of information and execution of code.",
},
"T1064": {
"title": "T1064 Scripting",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries may use scripts to aid in operations and "
"perform multiple actions that would otherwise be manual.",
} }
} }
}, },

3
monkey/monkey_island/cc/services/attack/technique_reports/T1035.py
View File

@ -1,5 +1,4 @@
from monkey_island.cc.database import mongo from monkey_island.cc.services.attack.technique_reports.usage_technique import UsageTechnique
from monkey_island.cc.services.attack.technique_reports import UsageTechnique
__author__ = "VakarisZ" __author__ = "VakarisZ"

18
monkey/monkey_island/cc/services/attack/technique_reports/T1064.py Normal file
View File

@ -0,0 +1,18 @@
from monkey_island.cc.services.attack.technique_reports.usage_technique import UsageTechnique
from monkey_island.cc.database import mongo
__author__ = "VakarisZ"
class T1064(UsageTechnique):
tech_id = "T1064"
unscanned_msg = "Monkey didn't run scripts or tried to run and failed."
scanned_msg = ""
used_msg = "Monkey ran scripts on machines in the network."
@staticmethod
def get_report_data():
data = T1064.get_tech_base_data()
script_usages = list(mongo.db.telemetry.aggregate(T1064.get_usage_query()))
data.update({'scripts': script_usages})
return data

2
monkey/monkey_island/cc/services/attack/technique_reports/T1106.py
View File

@ -1,4 +1,4 @@
from monkey_island.cc.services.attack.technique_reports import UsageTechnique from monkey_island.cc.services.attack.technique_reports.usage_technique import UsageTechnique
__author__ = "VakarisZ" __author__ = "VakarisZ"

3
monkey/monkey_island/cc/services/attack/technique_reports/T1129.py
View File

@ -1,5 +1,4 @@
from monkey_island.cc.database import mongo from monkey_island.cc.services.attack.technique_reports.usage_technique import UsageTechnique
from monkey_island.cc.services.attack.technique_reports import UsageTechnique
__author__ = "VakarisZ" __author__ = "VakarisZ"

46
monkey/monkey_island/cc/services/attack/technique_reports/__init__.py
View File

@ -2,7 +2,7 @@ import abc
import logging import logging
from monkey_island.cc.database import mongo from monkey_island.cc.database import mongo
from common.utils.attack_utils import ScanStatus, UsageEnum from common.utils.attack_utils import ScanStatus
from monkey_island.cc.services.attack.attack_config import AttackConfig from monkey_island.cc.services.attack.attack_config import AttackConfig
from common.utils.code_utils import abstractstatic from common.utils.code_utils import abstractstatic
@ -115,47 +115,3 @@ class AttackTechnique(object):
data = cls.get_message_and_status(status) data = cls.get_message_and_status(status)
data.update({'title': cls.technique_title()}) data.update({'title': cls.technique_title()})
return data return data
class UsageTechnique(AttackTechnique):
__metaclass__ = abc.ABCMeta
@staticmethod
def parse_usages(usage):
"""
Parses data from database and translates usage enums into strings
:param usage: Usage telemetry that contains fields: {'usage': 'SMB', 'status': 1}
:return: usage string
"""
try:
usage['usage'] = UsageEnum[usage['usage']].value[usage['status']]
except KeyError:
logger.error("Error translating usage enum. into string. "
"Check if usage enum field exists and covers all telem. statuses.")
return usage
@classmethod
def get_usage_data(cls):
data = list(mongo.db.telemetry.aggregate(cls.get_usage_query()))
return list(map(cls.parse_usages, data))
@classmethod
def get_usage_query(cls):
"""
:return: Query that parses attack telems for simple report component
(gets machines and attack technique usage).
"""
return [{'$match': {'telem_category': 'attack',
'data.technique': cls.tech_id}},
{'$lookup': {'from': 'monkey',
'localField': 'monkey_guid',
'foreignField': 'guid',
'as': 'monkey'}},
{'$project': {'monkey': {'$arrayElemAt': ['$monkey', 0]},
'status': '$data.status',
'usage': '$data.usage'}},
{'$addFields': {'_id': 0,
'machine': {'hostname': '$monkey.hostname', 'ips': '$monkey.ip_addresses'},
'monkey': 0}},
{'$group': {'_id': {'machine': '$machine', 'status': '$status', 'usage': '$usage'}}},
{"$replaceRoot": {"newRoot": "$_id"}}]

53
monkey/monkey_island/cc/services/attack/technique_reports/usage_technique.py Normal file
View File

@ -0,0 +1,53 @@
import abc
from monkey_island.cc.database import mongo
from monkey_island.cc.services.attack.technique_reports import AttackTechnique, logger
from common.utils.attack_utils import UsageEnum
class UsageTechnique(AttackTechnique):
__metaclass__ = abc.ABCMeta
@staticmethod
def parse_usages(usage):
"""
Parses data from database and translates usage enums into strings
:param usage: Usage telemetry that contains fields: {'usage': 'SMB', 'status': 1}
:return: usage string
"""
try:
usage['usage'] = UsageEnum[usage['usage']].value[usage['status']]
except KeyError:
logger.error("Error translating usage enum. into string. "
"Check if usage enum field exists and covers all telem. statuses.")
return usage
@classmethod
def get_usage_data(cls):
"""
Gets data of usage attack telemetries
:return: parsed list of usages from attack telemetries of usage type
"""
data = list(mongo.db.telemetry.aggregate(cls.get_usage_query()))
return list(map(cls.parse_usages, data))
@classmethod
def get_usage_query(cls):
"""
:return: Query that parses attack telemetries for a simple report component
(gets machines and attack technique usage).
"""
return [{'$match': {'telem_category': 'attack',
'data.technique': cls.tech_id}},
{'$lookup': {'from': 'monkey',
'localField': 'monkey_guid',
'foreignField': 'guid',
'as': 'monkey'}},
{'$project': {'monkey': {'$arrayElemAt': ['$monkey', 0]},
'status': '$data.status',
'usage': '$data.usage'}},
{'$addFields': {'_id': 0,
'machine': {'hostname': '$monkey.hostname', 'ips': '$monkey.ip_addresses'},
'monkey': 0}},
{'$group': {'_id': {'machine': '$machine', 'status': '$status', 'usage': '$usage'}}},
{"$replaceRoot": {"newRoot": "$_id"}}]

30
monkey/monkey_island/cc/ui/src/components/attack/techniques/T1064.js Normal file
View File

@ -0,0 +1,30 @@
import React from 'react';
import '../../../styles/Collapse.scss'
import ReactTable from "react-table";
import { getUsageColumns } from "./Helpers"
class T1064 extends React.Component {
constructor(props) {
super(props);
}
render() {
return (
<div>
<div>{this.props.data.message}</div>
<br/>
{this.props.data.scripts.length !== 0 ?
<ReactTable
columns={getUsageColumns()}
data={this.props.data.scripts}
showPagination={false}
defaultPageSize={this.props.data.scripts.length}
/> : ""}
</div>
);
}
}
export default T1064;

4
monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js
View File

@ -29,6 +29,7 @@ import T1005 from "../attack/techniques/T1005";
import T1018 from "../attack/techniques/T1018"; import T1018 from "../attack/techniques/T1018";
import T1016 from "../attack/techniques/T1016"; import T1016 from "../attack/techniques/T1016";
import T1021 from "../attack/techniques/T1021"; import T1021 from "../attack/techniques/T1021";
import T1064 from "../attack/techniques/T1064";
const tech_components = { const tech_components = {
'T1210': T1210, 'T1210': T1210,
@ -53,7 +54,8 @@ const tech_components = {
'T1005': T1005, 'T1005': T1005,
'T1018': T1018, 'T1018': T1018,
'T1016': T1016, 'T1016': T1016,
'T1021': T1021 'T1021': T1021,
'T1064': T1064
}; };
const classNames = require('classnames'); const classNames = require('classnames');