Added doc to consts file, and moved AV list to AV file

Shay Nehmad 2019-08-19 11:56:05 +03:00
parent ba1667372b
commit aaab4a479c
2 changed files with 83 additions and 9 deletions


@ -1,3 +1,11 @@
"""
This file contains all the static data relating to Zero Trust. It is mostly used in the zero trust report generation and
in creating findings.
This file contains static mappings between zero trust components such as: pillars, directives, tests, statuses. Some of
the mappings are computed when this module is loaded.
"""
AUTOMATION_ORCHESTRATION = u"Automation & Orchestration" AUTOMATION_ORCHESTRATION = u"Automation & Orchestration"
VISIBILITY_ANALYTICS = u"Visibility & Analytics" VISIBILITY_ANALYTICS = u"Visibility & Analytics"
WORKLOADS = u"Workloads" WORKLOADS = u"Workloads"
@ -11,7 +19,7 @@ STATUS_UNEXECUTED = u"Unexecuted"
STATUS_POSITIVE = u"Positive" STATUS_POSITIVE = u"Positive"
STATUS_INCONCLUSIVE = u"Inconclusive" STATUS_INCONCLUSIVE = u"Inconclusive"
STATUS_CONCLUSIVE = u"Conclusive" STATUS_CONCLUSIVE = u"Conclusive"
# Don't change order! # Don't change order! The statuses are ordered by importance/severity.
ORDERED_TEST_STATUSES = [STATUS_CONCLUSIVE, STATUS_INCONCLUSIVE, STATUS_POSITIVE, STATUS_UNEXECUTED] ORDERED_TEST_STATUSES = [STATUS_CONCLUSIVE, STATUS_INCONCLUSIVE, STATUS_POSITIVE, STATUS_UNEXECUTED]
TEST_DATA_ENDPOINT_ELASTIC = u"unencrypted_data_endpoint_elastic" TEST_DATA_ENDPOINT_ELASTIC = u"unencrypted_data_endpoint_elastic"
@ -170,8 +178,3 @@ EVENT_TYPE_ISLAND = "island"
EVENT_TYPE_MONKEY_NETWORK = "monkey_network" EVENT_TYPE_MONKEY_NETWORK = "monkey_network"
EVENT_TYPE_MONKEY_LOCAL = "monkey_local" EVENT_TYPE_MONKEY_LOCAL = "monkey_local"
EVENT_TYPES = (EVENT_TYPE_MONKEY_LOCAL, EVENT_TYPE_MONKEY_NETWORK, EVENT_TYPE_ISLAND) EVENT_TYPES = (EVENT_TYPE_MONKEY_LOCAL, EVENT_TYPE_MONKEY_NETWORK, EVENT_TYPE_ISLAND)
ANTI_VIRUS_KNOWN_PROCESS_NAMES = [
u"SSPService.exe",
u"ipython.exe"
]
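Review bot: The new comment on `ORDERED_TEST_STATUSES` says the statuses are ordered by importance/severity but not in which direction, and a reader who adds a status needs that to place it; given the list reads Conclusive → Inconclusive → Positive → Unexecuted, presumably most severe first, make it explicit: `# Don't change order! Statuses are ordered from most to least severe (Conclusive first, Unexecuted last); report code relies on this.` The added module docstring opens two consecutive sentences with "This file contains"; collapsing them into one, e.g. "Static data for the Zero Trust report and findings: mappings between pillars, directives, tests and statuses, some computed when the module is imported", reads cleaner. The remaining hunks only touch comments and remove the old process-name list, so there is no behaviour change to raise here.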


@ -1,11 +1,81 @@
import json import json
from common.data.zero_trust_consts import EVENT_TYPE_MONKEY_LOCAL, ANTI_VIRUS_KNOWN_PROCESS_NAMES, EVENT_TYPE_ISLAND, \ from common.data.zero_trust_consts import EVENT_TYPE_MONKEY_LOCAL, EVENT_TYPE_ISLAND, \
STATUS_POSITIVE, STATUS_CONCLUSIVE, TEST_ENDPOINT_SECURITY_EXISTS STATUS_POSITIVE, STATUS_CONCLUSIVE, TEST_ENDPOINT_SECURITY_EXISTS
from monkey_island.cc.models import Monkey from monkey_island.cc.models import Monkey
from monkey_island.cc.models.event import Event from monkey_island.cc.models.event import Event
from monkey_island.cc.models.finding import Finding from monkey_island.cc.models.finding import Finding
ANTI_VIRUS_KNOWN_PROCESS_NAMES = [
u"AvastSvc.exe",
u"AvastUI.exe",
u"avcenter.exe",
u"avconfig.exe",
u"avgcsrvx.exe",
u"avgidsagent.exe",
u"avgnt.exe",
u"avgrsx.exe",
u"avguard.exe",
u"avgui.exe",
u"avgwdsvc.exe",
u"avp.exe",
u"avscan.exe",
u"bdagent.exe",
u"ccuac.exe",
u"egui.exe",
u"hijackthis.exe",
u"instup.exe",
u"keyscrambler.exe",
u"mbam.exe",
u"mbamgui.exe",
u"mbampt.exe",
u"mbamscheduler.exe",
u"mbamservice.exe",
u"MpCmdRun.exe",
u"MSASCui.exe",
u"MsMpEng.exe",
u"rstrui.exe",
u"spybotsd.exe",
u"zlclient.exe",
u"SymCorpUI.exe",
u"ccSvcHst.exe",
u"ccApp.exe",
u"LUALL.exe",
u"SMC.exe",
u"SMCgui.exe",
u"Rtvscan.exe",
u"LuComServer.exe",
u"ProtectionUtilSurrogate.exe",
u"ClientRemote.exe",
u"SemSvc.exe",
u"SemLaunchSvc.exe",
u"sesmcontinst.exe",
u"LuCatalog.exe",
u"LUALL.exe",
u"LuCallbackProxy.exe",
u"LuComServer_3_3.exe",
u"httpd.exe",
u"dbisqlc.exe",
u"dbsrv16.exe",
u"semapisrv.exe",
u"snac64.exe",
u"AutoExcl.exe",
u"DoScan.exe",
u"nlnhook.exe",
u"SavUI.exe",
u"SepLiveUpdate.exe",
u"Smc.exe",
u"SmcGui.exe",
u"SymCorpUI.exe",
u"symerr.exe",
u"ccSvcHst.exe",
u"DevViewer.exe",
u"DWHWizrd.exe",
u"RtvStart.exe",
u"roru.exe",
u"WSCSAvNotifier"
]
def test_antivirus_existence(telemetry_json): def test_antivirus_existence(telemetry_json):
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid']) current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
@ -20,7 +90,8 @@ def test_antivirus_existence(telemetry_json):
all_processes = telemetry_json['data']['process_list'].items() all_processes = telemetry_json['data']['process_list'].items()
for process in all_processes: for process in all_processes:
process_name = process[1]['name'] process_name = process[1]['name']
if process_name in ANTI_VIRUS_KNOWN_PROCESS_NAMES: # This is for case-insensitive in. Generator expression for memory savings.
if process_name.upper() in (known_av_name.upper() for known_av_name in ANTI_VIRUS_KNOWN_PROCESS_NAMES):
found_av = True found_av = True
events.append(Event.create_event( events.append(Event.create_event(
title="Found AV process", title="Found AV process",
@ -33,4 +104,4 @@ def test_antivirus_existence(telemetry_json):
test_status = STATUS_POSITIVE test_status = STATUS_POSITIVE
else: else:
test_status = STATUS_CONCLUSIVE test_status = STATUS_CONCLUSIVE
Finding.save_finding(test=TEST_ENDPOINT_SECURITY_EXISTS, status=test_status, events=events) Finding.save_finding(test=TEST_ENDPOINT_SECURITY_EXISTS, status=test_status, events=events)
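Review bot: The generator expression on the new `if` line in `test_antivirus_existence` is rebuilt, and every known name re-uppercased, once per process in the telemetry, so the lookup is O(processes × known names) and the "memory savings" comment is misleading; hoist a set next to the list, `ANTI_VIRUS_KNOWN_PROCESS_NAMES_UPPER = frozenset(n.upper() for n in ANTI_VIRUS_KNOWN_PROCESS_NAMES)`, and test `if process_name.upper() in ANTI_VIRUS_KNOWN_PROCESS_NAMES_UPPER:`. The list repeats `LUALL.exe`, `SymCorpUI.exe` and `ccSvcHst.exe` verbatim, and `Smc.exe`/`SMC.exe` and `SmcGui.exe`/`SMCgui.exe` differ only in case, so those duplicates can be dropped once matching is case-insensitive. `httpd.exe` is the stock Apache process name and will mark any host running Apache as having endpoint security, which weakens the finding; `WSCSAvNotifier` is the only entry without `.exe`, so if telemetry reports names with the extension as the other entries assume, it can never match — worth confirming against real process lists. `process_name` comes straight from the telemetry JSON, so a non-string `name` would raise on `.upper()` before `Finding.save_finding` runs; if that field is not validated upstream, a `str(...)` or `isinstance` guard belongs here. `test_antivirus_existence` starts before this hunk and its loop body continues outside it.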