island: When generating ATT&CK report for techniques mapped to PBAs, check telem event's OS and technique's relevant systems

This commit is contained in:
Shreya Malviya 2021-10-06 14:45:48 +05:30
parent cccdf7f6c3
commit 81252e2b6a
1 changed files with 14 additions and 6 deletions


@ -18,7 +18,7 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
... ...
@classmethod @classmethod
def get_pba_query(cls, post_breach_action_names): def get_pba_query(cls, post_breach_action_names, relevant_systems):
""" """
:param post_breach_action_names: Names of post-breach actions with which the technique is :param post_breach_action_names: Names of post-breach actions with which the technique is
associated associated
@ -29,8 +29,11 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
return [ return [
{ {
"$match": { "$match": {
"telem_category": "post_breach", "$and": [
"$or": [{"data.name": pba_name} for pba_name in post_breach_action_names], {"telem_category": "post_breach"},
{"$or": [{"data.name": pba_name} for pba_name in post_breach_action_names]},
{"$or": [{"data.os": os} for os in relevant_systems]},
]
} }
}, },
{ {
@ -50,13 +53,18 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
@cls.is_status_disabled @cls.is_status_disabled
def get_technique_status_and_data(): def get_technique_status_and_data():
info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names))) info = list(
mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names, cls.relevant_systems))
)
status = ScanStatus.UNSCANNED.value status = ScanStatus.UNSCANNED.value
if info: if info:
successful_PBAs = mongo.db.telemetry.count( successful_PBAs = mongo.db.telemetry.count(
{ {
"$or": [{"data.name": pba_name} for pba_name in cls.pba_names], "$and": [
"data.result.1": True, {"$or": [{"data.name": pba_name} for pba_name in cls.pba_names]},
{"$or": [{"data.os": os} for os in cls.relevant_systems]},
{"data.result.1": True},
]
} }
) )
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value