Merge pull request #693 from shreyamalviya/mongo-search-T1136

Use mongo search for T1136's report data
2020-07-13 19:06:35 +05:30 · 2020-07-13 19:06:35 +05:30 · 8c255ece06
parent 37a93e78f9 e12374b7d3
commit 8c255ece06
1 changed files with 19 additions and 19 deletions
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
@ -1,5 +1,5 @@
 from monkey_island.cc.services.attack.technique_reports import AttackTechnique
-from monkey_island.cc.services.reporting.report import ReportService
+from monkey_island.cc.database import mongo
 from common.utils.attack_utils import ScanStatus
 from common.data.post_breach_consts import POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER

@ -12,27 +12,27 @@ class T1136(AttackTechnique):
    scanned_msg = "Monkey tried creating a new user on the network's systems, but failed."
    used_msg = "Monkey created a new user on the network's systems."

+    query = [{'$match': {'telem_category': 'post_breach',
+                         '$or': [{'data.name': POST_BREACH_BACKDOOR_USER},
+                                 {'data.name': POST_BREACH_COMMUNICATE_AS_NEW_USER}]}},
+             {'$project': {'_id': 0,
+                           'machine': {'hostname': '$data.hostname',
+                                       'ips': ['$data.ip']},
+                           'result': '$data.result'}}]
+
    @staticmethod
    def get_report_data():
        data = {'title': T1136.technique_title()}

-        scanned_nodes = ReportService.get_scanned()
+        create_user_info = list(mongo.db.telemetry.aggregate(T1136.query))
+
        status = ScanStatus.UNSCANNED.value
-        for node in scanned_nodes:
-            if node['pba_results'] != 'None':
-                for pba in node['pba_results']:
-                    if pba['name'] in [POST_BREACH_BACKDOOR_USER,
-                                       POST_BREACH_COMMUNICATE_AS_NEW_USER]:
-                        status = ScanStatus.USED.value if pba['result'][1]\
-                                                       else ScanStatus.SCANNED.value
-                        data.update({
-                            'info': [{
-                                'machine': {
-                                    'hostname': pba['hostname'],
-                                    'ips': node['ip_addresses'],
-                                },
-                                'result': ': '.join([pba['name'], pba['result'][0]])
-                            }]
-                        })
-            data.update(T1136.get_base_data_by_status(status))
+        if create_user_info:
+            successful_PBAs = mongo.db.telemetry.count({'$or': [{'data.name': POST_BREACH_BACKDOOR_USER},
+                                                                {'data.name': POST_BREACH_COMMUNICATE_AS_NEW_USER}],
+                                                        'data.result.1': True})
+            status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
+
+        data.update(T1136.get_base_data_by_status(status))
+        data.update({'info': create_user_info})
        return data