Update after pulling from develop
parent
82f1e531e7
commit
ed269577b3
@ -2,33 +2,15 @@ from common.data.post_breach_consts import POST_BREACH_JOB_SCHEDULING
|
|||
from common.utils.attack_utils import ScanStatus
|
||||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from monkey_island.cc.services.attack.technique_reports.pba_technique import \
|
||||
PostBreachTechnique
|
||||
|
||||
__author__ = "shreyamalviya"
|
||||
|
||||
|
||||
class T1053(AttackTechnique):
|
||||
class T1053(PostBreachTechnique):
|
||||
tech_id = "T1053"
|
||||
unscanned_msg = "Monkey did not try scheduling a job on Windows."
|
||||
scanned_msg = "Monkey tried scheduling a job on the Windows system but failed."
|
||||
used_msg = "Monkey scheduled a job on the Windows system."
|
||||
|
||||
query = [{'$match': {'telem_category': 'post_breach',
|
||||
'data.name': POST_BREACH_JOB_SCHEDULING,
|
||||
'data.command': {'$regex': 'schtasks'}}},
|
||||
{'$project': {'_id': 0,
|
||||
'machine': {'hostname': '$data.hostname',
|
||||
'ips': ['$data.ip']},
|
||||
'result': '$data.result'}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = {'title': T1053.technique_title()}
|
||||
|
||||
job_scheduling_info = list(mongo.db.telemetry.aggregate(T1053.query))
|
||||
|
||||
status = (ScanStatus.USED.value if job_scheduling_info[0]['result'][1]
|
||||
else ScanStatus.SCANNED.value) if job_scheduling_info else ScanStatus.UNSCANNED.value
|
||||
|
||||
data.update(T1053.get_base_data_by_status(status))
|
||||
data.update({'info': job_scheduling_info})
|
||||
return data
|
||||
pba_names = [POST_BREACH_JOB_SCHEDULING]
|
||||
|
|
|
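Review bot: The new `pba_names = [POST_BREACH_JOB_SCHEDULING]` on the last line of the hunk drops the `'data.command': {'$regex': 'schtasks'}` filter that the removed `query` applied, and T1168 in this same commit switches to the identical `pba_names`, so the Windows (T1053) and Linux (T1168) techniques now select the same post-breach telemetry. Unless PostBreachTechnique narrows on the command somewhere not visible here, a successful `crontab` job will be reported as "Monkey scheduled a job on the Windows system." and a `schtasks` job will likewise be credited to T1168, which misattributes the ATT&CK technique in the report. Keep the command as a per-technique hook that the base query appends to its `$match` (e.g. a class attribute `command_regex = 'schtasks'` on T1053), or record the OS in the job-scheduling telemetry and match on that. If no such override exists below the hunk, at minimum document the limitation: `# NOTE: shares POST_BREACH_JOB_SCHEDULING with T1168; results are not filtered by schtasks vs crontab`. The class body may continue past this hunk.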
@ -3,7 +3,6 @@ from common.data.post_breach_consts import (
|
|||
from monkey_island.cc.services.attack.technique_reports.pba_technique import \
|
||||
PostBreachTechnique
|
||||
|
||||
|
||||
__author__ = "shreyamalviya"
|
||||
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@ from monkey_island.cc.services.attack.technique_reports.pba_technique import \
|
|||
__author__ = "shreyamalviya"
|
||||
|
||||
|
||||
class T1166(AttackTechnique):
|
||||
class T1166(PostBreachTechnique):
|
||||
tech_id = "T1166"
|
||||
unscanned_msg = "Monkey did not try creating hidden files or folders."
|
||||
scanned_msg = "Monkey tried creating hidden files and folders on the system but failed."
|
||||
|
|
|
@ -2,33 +2,15 @@ from common.data.post_breach_consts import POST_BREACH_JOB_SCHEDULING
|
|||
from common.utils.attack_utils import ScanStatus
|
||||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from monkey_island.cc.services.attack.technique_reports.pba_technique import \
|
||||
PostBreachTechnique
|
||||
|
||||
__author__ = "shreyamalviya"
|
||||
|
||||
|
||||
class T1168(AttackTechnique):
|
||||
class T1168(PostBreachTechnique):
|
||||
tech_id = "T1168"
|
||||
unscanned_msg = "Monkey did not try scheduling a job on Linux."
|
||||
scanned_msg = "Monkey tried scheduling a job on the Linux system but failed."
|
||||
used_msg = "Monkey scheduled a job on the Linux system."
|
||||
|
||||
query = [{'$match': {'telem_category': 'post_breach',
|
||||
'data.name': POST_BREACH_JOB_SCHEDULING,
|
||||
'data.command': {'$regex': 'crontab'}}},
|
||||
{'$project': {'_id': 0,
|
||||
'machine': {'hostname': '$data.hostname',
|
||||
'ips': ['$data.ip']},
|
||||
'result': '$data.result'}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = {'title': T1168.technique_title()}
|
||||
|
||||
job_scheduling_info = list(mongo.db.telemetry.aggregate(T1168.query))
|
||||
|
||||
status = (ScanStatus.USED.value if job_scheduling_info[0]['result'][1]
|
||||
else ScanStatus.SCANNED.value) if job_scheduling_info else ScanStatus.UNSCANNED.value
|
||||
|
||||
data.update(T1168.get_base_data_by_status(status))
|
||||
data.update({'info': job_scheduling_info})
|
||||
return data
|
||||
pba_names = [POST_BREACH_JOB_SCHEDULING]
|
||||
|
|
|
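Review bot: With `pba_names = [POST_BREACH_JOB_SCHEDULING]` replacing a query that matched `'data.command': {'$regex': 'crontab'}`, T1168 no longer distinguishes a Linux cron job from the Windows `schtasks` job that T1053 reports, since both classes now declare the same `pba_names`. Unless the base class filters on the command in code outside this hunk, `unscanned_msg`/`used_msg` here will be driven by whichever OS actually ran the PBA, so "Monkey scheduled a job on the Linux system." can appear for a Windows-only run. The minimal fix that keeps the new base-class flow is a per-technique attribute the base query adds to `$match`, e.g. `command_regex = 'crontab'` here and `'data.command': {'$regex': cls.command_regex}` in the shared query. The class body may continue past this hunk, so such an override could already be present below.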
@ -1,8 +1,8 @@
|
|||
import abc
|
||||
|
||||
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
||||
from monkey_island.cc.database import mongo
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
|
||||
|
||||
|
@ -41,9 +41,10 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
|
|||
|
||||
info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names)))
|
||||
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
if info:
|
||||
successful_PBAs = mongo.db.telemetry.count({
|
||||
'$or': [{'data.name': pba_name} for pba_name in post_breach_action_names],
|
||||
'$or': [{'data.name': pba_name} for pba_name in cls.pba_names],
|
||||
'data.result.1': True
|
||||
})
|
||||
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
|
||||
|
|
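Review bot: The `count` filter on the changed `$or` line still carries no `'telem_category': 'post_breach'` restriction, whereas the `info` aggregate above goes through `cls.get_pba_query`, so the two lookups need not agree on which documents they consider; if `data.name` can occur under another telemetry category, USED can be granted by a document the `info` list never saw. Adding `'telem_category': 'post_breach',` to the count filter scopes both queries the same way. Separately, MongoDB rejects `$or` with an empty array, so a subclass that omits `pba_names` fails with a server error instead of a clear message; a class-level default plus an explicit check (or an abstract property on PostBreachTechnique) would surface that at definition time. `Collection.count()` is deprecated in pymongo 3.7+ in favour of `count_documents()`, if that applies to the pinned version. `get_report_data` starts before this hunk.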