p34709852
/
monkey
forked from p15670423/monkey
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Add DISABLED status for attack techniques

This commit is contained in:
Shreya 2020-07-11 01:08:41 +05:30
parent 7cb0e111cc
commit ab91f24866
11 changed files with 74 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
monkey/common/utils/attack_utils.py
View File

@ -8,6 +8,8 @@ class ScanStatus(Enum):
SCANNED = 1 SCANNED = 1
# Technique was attempted and succeeded # Technique was attempted and succeeded
USED = 2 USED = 2
# Techique was disabled
DISABLED = 3
class UsageEnum(Enum): class UsageEnum(Enum):

32
monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
View File

@ -2,38 +2,18 @@ from common.data.post_breach_consts import (
POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER) POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER)
from common.utils.attack_utils import ScanStatus from common.utils.attack_utils import ScanStatus
from monkey_island.cc.database import mongo from monkey_island.cc.database import mongo
from monkey_island.cc.services.attack.attack_config import AttackConfig
from monkey_island.cc.services.attack.technique_reports import AttackTechnique from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from monkey_island.cc.services.attack.technique_reports.pba_technique import \
PostBreachTechnique
from monkey_island.cc.services.reporting.report import ReportService
__author__ = "shreyamalviya" __author__ = "shreyamalviya"
class T1136(AttackTechnique): class T1136(PostBreachTechnique):
tech_id = "T1136" tech_id = "T1136"
unscanned_msg = "Monkey didn't try creating a new user on the network's systems." unscanned_msg = "Monkey didn't try creating a new user on the network's systems."
scanned_msg = "Monkey tried creating a new user on the network's systems, but failed." scanned_msg = "Monkey tried creating a new user on the network's systems, but failed."
used_msg = "Monkey created a new user on the network's systems." used_msg = "Monkey created a new user on the network's systems."
pba_names = [POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER]
query = [{'$match': {'telem_category': 'post_breach',
'$or': [{'data.name': POST_BREACH_BACKDOOR_USER},
{'data.name': POST_BREACH_COMMUNICATE_AS_NEW_USER}]}},
{'$project': {'_id': 0,
'machine': {'hostname': '$data.hostname',
'ips': ['$data.ip']},
'result': '$data.result'}}]
@staticmethod
def get_report_data():
data = {'title': T1136.technique_title()}
create_user_info = list(mongo.db.telemetry.aggregate(T1136.query))
status = ScanStatus.UNSCANNED.value
if create_user_info:
successful_PBAs = mongo.db.telemetry.count({'$or': [{'data.name': POST_BREACH_BACKDOOR_USER},
{'data.name': POST_BREACH_COMMUNICATE_AS_NEW_USER}],
'data.result.1': True})
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
data.update(T1136.get_base_data_by_status(status))
data.update({'info': create_user_info})
return data

29
monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
View File

@ -3,36 +3,15 @@ from common.data.post_breach_consts import \
from common.utils.attack_utils import ScanStatus from common.utils.attack_utils import ScanStatus
from monkey_island.cc.database import mongo from monkey_island.cc.database import mongo
from monkey_island.cc.services.attack.technique_reports import AttackTechnique from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from monkey_island.cc.services.attack.technique_reports.pba_technique import \
PostBreachTechnique
__author__ = "shreyamalviya" __author__ = "shreyamalviya"
class T1156(AttackTechnique): class T1156(PostBreachTechnique):
tech_id = "T1156" tech_id = "T1156"
unscanned_msg = "Monkey did not try modifying bash startup files on the system." unscanned_msg = "Monkey did not try modifying bash startup files on the system."
scanned_msg = "Monkey tried modifying bash startup files on the system but failed." scanned_msg = "Monkey tried modifying bash startup files on the system but failed."
used_msg = "Monkey modified bash startup files on the system." used_msg = "Monkey modified bash startup files on the system."
pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
query = [{'$match': {'telem_category': 'post_breach',
'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
'data.command': {'$regex': 'bash'}}},
{'$project': {'_id': 0,
'machine': {'hostname': '$data.hostname',
'ips': ['$data.ip']},
'result': '$data.result'}}]
@staticmethod
def get_report_data():
data = {'title': T1156.technique_title(), 'info': []}
bash_modification_info = list(mongo.db.telemetry.aggregate(T1156.query))
status = []
for pba_node in bash_modification_info:
status.append(pba_node['result'][1])
status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
if status else ScanStatus.UNSCANNED.value
data.update(T1156.get_base_data_by_status(status))
data.update({'info': bash_modification_info})
return data

2
monkey/monkey_island/cc/services/attack/technique_reports/T1158.py
View File

@ -11,4 +11,4 @@ class T1158(PostBreachTechnique):
unscanned_msg = "Monkey did not try creating hidden files or folders." unscanned_msg = "Monkey did not try creating hidden files or folders."
scanned_msg = "Monkey tried creating hidden files and folders on the system but failed." scanned_msg = "Monkey tried creating hidden files and folders on the system but failed."
used_msg = "Monkey created hidden files and folders on the system." used_msg = "Monkey created hidden files and folders on the system."
pba_name = POST_BREACH_HIDDEN_FILES pba_names = [POST_BREACH_HIDDEN_FILES]

29
monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
View File

@ -3,36 +3,15 @@ from common.data.post_breach_consts import \
from common.utils.attack_utils import ScanStatus from common.utils.attack_utils import ScanStatus
from monkey_island.cc.database import mongo from monkey_island.cc.database import mongo
from monkey_island.cc.services.attack.technique_reports import AttackTechnique from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from monkey_island.cc.services.attack.technique_reports.pba_technique import \
PostBreachTechnique
__author__ = "shreyamalviya" __author__ = "shreyamalviya"
class T1504(AttackTechnique): class T1504(PostBreachTechnique):
tech_id = "T1504" tech_id = "T1504"
unscanned_msg = "Monkey did not try modifying powershell startup files on the system." unscanned_msg = "Monkey did not try modifying powershell startup files on the system."
scanned_msg = "Monkey tried modifying powershell startup files on the system but failed." scanned_msg = "Monkey tried modifying powershell startup files on the system but failed."
used_msg = "Monkey modified powershell startup files on the system." used_msg = "Monkey modified powershell startup files on the system."
pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
query = [{'$match': {'telem_category': 'post_breach',
'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
'data.command': {'$regex': 'powershell'}}},
{'$project': {'_id': 0,
'machine': {'hostname': '$data.hostname',
'ips': ['$data.ip']},
'result': '$data.result'}}]
@staticmethod
def get_report_data():
data = {'title': T1504.technique_title(), 'info': []}
powershell_profile_modification_info = list(mongo.db.telemetry.aggregate(T1504.query))
status = []
for pba_node in powershell_profile_modification_info:
status.append(pba_node['result'][1])
status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
if status else ScanStatus.UNSCANNED.value
data.update(T1504.get_base_data_by_status(status))
data.update({'info': powershell_profile_modification_info})
return data

18
monkey/monkey_island/cc/services/attack/technique_reports/__init__.py
View File

@ -10,6 +10,9 @@ from monkey_island.cc.services.attack.attack_config import AttackConfig
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
disabled_msg = "This technique has been disabled. You can enable it from the configuration page."
class AttackTechnique(object, metaclass=abc.ABCMeta): class AttackTechnique(object, metaclass=abc.ABCMeta):
""" Abstract class for ATT&CK report components """ """ Abstract class for ATT&CK report components """
@ -68,7 +71,8 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
'data.technique': cls.tech_id}): 'data.technique': cls.tech_id}):
return ScanStatus.SCANNED.value return ScanStatus.SCANNED.value
else: else:
return ScanStatus.UNSCANNED.value return ScanStatus.DISABLED.value if not AttackConfig.get_technique_values()[cls.tech_id]\
else ScanStatus.UNSCANNED.value
@classmethod @classmethod
def get_message_and_status(cls, status): def get_message_and_status(cls, status):
@ -77,6 +81,7 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
:param status: Enum from common/attack_utils.py integer value :param status: Enum from common/attack_utils.py integer value
:return: Dict with message and status :return: Dict with message and status
""" """
status = cls._check_status(status)
return {'message': cls.get_message_by_status(status), 'status': status} return {'message': cls.get_message_by_status(status), 'status': status}
@classmethod @classmethod
@ -86,6 +91,8 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
:param status: Enum from common/attack_utils.py integer value :param status: Enum from common/attack_utils.py integer value
:return: message string :return: message string
""" """
if status == ScanStatus.DISABLED.value:
return disabled_msg
if status == ScanStatus.UNSCANNED.value: if status == ScanStatus.UNSCANNED.value:
return cls.unscanned_msg return cls.unscanned_msg
elif status == ScanStatus.SCANNED.value: elif status == ScanStatus.SCANNED.value:
@ -117,6 +124,7 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
@classmethod @classmethod
def get_base_data_by_status(cls, status): def get_base_data_by_status(cls, status):
status = cls._check_status(status)
data = cls.get_message_and_status(status) data = cls.get_message_and_status(status)
data.update({'title': cls.technique_title()}) data.update({'title': cls.technique_title()})
data.update(cls.get_mitigation_by_status(status)) data.update(cls.get_mitigation_by_status(status))
@ -124,8 +132,16 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
@classmethod @classmethod
def get_mitigation_by_status(cls, status: ScanStatus) -> dict: def get_mitigation_by_status(cls, status: ScanStatus) -> dict:
status = cls._check_status(status)
if status == ScanStatus.USED.value: if status == ScanStatus.USED.value:
mitigation_document = AttackMitigations.get_mitigation_by_technique_id(str(cls.tech_id)) mitigation_document = AttackMitigations.get_mitigation_by_technique_id(str(cls.tech_id))
return {'mitigations': mitigation_document.to_mongo().to_dict()['mitigations']} return {'mitigations': mitigation_document.to_mongo().to_dict()['mitigations']}
else: else:
return {} return {}
@classmethod
def _check_status(cls, status):
if status == ScanStatus.UNSCANNED.value:
return ScanStatus.DISABLED.value if not AttackConfig.get_technique_values()[cls.tech_id]\
else ScanStatus.UNSCANNED.value
return status

13
monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py
View File

@ -9,16 +9,17 @@ from monkey_island.cc.services.attack.technique_reports import AttackTechnique
class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta): class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
@property @property
@abc.abstractmethod @abc.abstractmethod
def pba_name(self): def pba_names(self):
""" """
:return: name of post breach action :return: name of post breach action
""" """
pass pass
@classmethod @classmethod
def get_pba_query(cls, post_breach_action_name): def get_pba_query(cls, post_breach_action_names):
return [{'$match': {'telem_category': 'post_breach', return [{'$match': {'telem_category': 'post_breach',
'data.name': post_breach_action_name}}, # 'data.name': post_breach_action_name}},
'$or': [{'data.name': pba_name} for pba_name in post_breach_action_names]}},
{'$project': {'_id': 0, {'$project': {'_id': 0,
'machine': {'hostname': '$data.hostname', 'machine': {'hostname': '$data.hostname',
'ips': ['$data.ip']}, 'ips': ['$data.ip']},
@ -28,7 +29,7 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
def get_report_data(cls): def get_report_data(cls):
data = {'title': cls.technique_title(), 'info': []} data = {'title': cls.technique_title(), 'info': []}
info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_name))) info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names)))
status = [] status = []
for pba_node in info: for pba_node in info:
@ -36,6 +37,10 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\ status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
if status else ScanStatus.UNSCANNED.value if status else ScanStatus.UNSCANNED.value
if status == ScanStatus.UNSCANNED.value and\
not AttackConfig.get_technique_values()[cls.tech_id]:
status = ScanStatus.DISABLED.value
data.update(cls.get_base_data_by_status(status)) data.update(cls.get_base_data_by_status(status))
data.update({'info': info}) data.update({'info': info})
return data return data

3
monkey/monkey_island/cc/ui/src/components/attack/techniques/Helpers.js
View File

@ -65,5 +65,6 @@ export function renderUsageFields(usages) {
export const ScanStatus = { export const ScanStatus = {
UNSCANNED: 0, UNSCANNED: 0,
SCANNED: 1, SCANNED: 1,
USED: 2 USED: 2,
DISABLED: 3
}; };

16
monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js
View File

@ -62,8 +62,10 @@ class AttackReport extends React.Component {
return 'collapse-warning'; return 'collapse-warning';
case ScanStatus.USED: case ScanStatus.USED:
return 'collapse-danger'; return 'collapse-danger';
default: case ScanStatus.UNSCANNED:
return 'collapse-default'; return 'collapse-unscanned';
case ScanStatus.DISABLED:
return 'collapse-disabled';
} }
} }
@ -80,15 +82,19 @@ class AttackReport extends React.Component {
renderLegend() { renderLegend() {
return (<div id='header' className='row justify-content-between attack-legend'> return (<div id='header' className='row justify-content-between attack-legend'>
<Col xs={4}> <Col xs={3}>
<FontAwesomeIcon icon={faCircle} className='technique-disabled'/>
<span> - Disabled</span>
</Col>
<Col xs={3}>
<FontAwesomeIcon icon={faCircle} className='technique-not-attempted'/> <FontAwesomeIcon icon={faCircle} className='technique-not-attempted'/>
<span> - Not attempted</span> <span> - Not attempted</span>
</Col> </Col>
<Col xs={4}> <Col xs={3}>
<FontAwesomeIcon icon={faCircle} className='technique-attempted'/> <FontAwesomeIcon icon={faCircle} className='technique-attempted'/>
<span> - Tried (but failed)</span> <span> - Tried (but failed)</span>
</Col> </Col>
<Col xs={4}> <Col xs={3}>
<FontAwesomeIcon icon={faCircle} className='technique-used'/> <FontAwesomeIcon icon={faCircle} className='technique-used'/>
<span> - Successfully used</span> <span> - Successfully used</span>
</Col> </Col>

11
monkey/monkey_island/cc/ui/src/styles/components/Collapse.scss
View File

@ -1,8 +1,9 @@
$transition: 300ms cubic-bezier(0.6, 0.3, 0.3, 0.6); $transition: 300ms cubic-bezier(0.6, 0.3, 0.3, 0.6);
$danger-color: #ebbcba; $danger-color: #ebbcba;
$disabled-color: #b7c2ff;
$info-color: #ade3eb; $info-color: #ade3eb;
$default-color: #e0ddde; $unscanned-color: #e0ddde;
$warning-color: #ffe28d; $warning-color: #ffe28d;
.collapse-item button { .collapse-item button {
@ -50,8 +51,12 @@ $warning-color: #ffe28d;
background-color: $info-color !important; background-color: $info-color !important;
} }
.collapse-default { .collapse-unscanned {
background-color: $default-color !important; background-color: $unscanned-color !important;
}
.collapse-disabled {
background-color: $disabled-color !important;
} }
.collapse-item { .collapse-item {

10
monkey/monkey_island/cc/ui/src/styles/pages/report/ReportAttackMatrix.scss
View File

@ -1,4 +1,5 @@
// colors // colors
$disabled: #b7c2ff;
$not-attempted: #e0ddde; $not-attempted: #e0ddde;
$attempted: #ffe28d; $attempted: #ffe28d;
$used: #ebbcba; $used: #ebbcba;
@ -19,6 +20,11 @@ $black: #3a3a3a;
color: $black; color: $black;
} }
.attack-matrix .status-3 {
background-color: $disabled !important;
color: $black;
}
.attack-matrix div.rt-td:hover { .attack-matrix div.rt-td:hover {
transform: scale(1.08); transform: scale(1.08);
filter: brightness(110%); filter: brightness(110%);
@ -29,6 +35,10 @@ $black: #3a3a3a;
border-bottom: 1px solid #0000000f; border-bottom: 1px solid #0000000f;
} }
.technique-disabled {
color: $disabled;
}
.technique-not-attempted { .technique-not-attempted {
color: $not-attempted; color: $not-attempted;
} }