Added machine exploited ZT test

This commit is contained in:
Shay Nehmad 2019-08-22 14:40:05 +03:00
parent bd97c965f1
commit bf417ab01d
3 changed files with 66 additions and 14 deletions


@ -91,7 +91,7 @@ TESTS_MAP = {
TEST_EXPLANATION_KEY: u"The Monkey tries to exploit machines in order to breach them and propagate in the network.",
FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_CONCLUSIVE: "Monkey successfully exploited endpoints. Check IDS/IPS logs to see activity recognized and see which endpoints were compromised.",
STATUS_INCONCLUSIVE: "Monkey tried exploiting endpoints. Check IDS/IPS logs to see activity recognized."
STATUS_POSITIVE: "Monkey didn't manage to exploit an endpoint."
},
DIRECTIVE_KEY: DIRECTIVE_ENDPOINT_SECURITY,
PILLARS_KEY: [DEVICES],


@ -7,26 +7,18 @@ from monkey_island.cc.encryptor import encryptor
from monkey_island.cc.services.edge import EdgeService
from monkey_island.cc.services.node import NodeService
from monkey_island.cc.services.telemetry.processing.utils import get_edge_by_scan_or_exploit_telemetry
from monkey_island.cc.services.telemetry.zero_trust_tests.machine_exploited import test_machine_exploited
def process_exploit_telemetry(telemetry_json):
edge = get_edge_by_scan_or_exploit_telemetry(telemetry_json)
encrypt_exploit_creds(telemetry_json)
telemetry_json['data']['info']['started'] = dateutil.parser.parse(telemetry_json['data']['info']['started'])
telemetry_json['data']['info']['finished'] = dateutil.parser.parse(telemetry_json['data']['info']['finished'])
update_edge_info_with_new_exploit(edge, telemetry_json)
update_node_credentials_from_successful_attempts(edge, telemetry_json)
test_machine_exploited(telemetry_json)
new_exploit = copy.deepcopy(telemetry_json['data'])
new_exploit.pop('machine')
new_exploit['timestamp'] = telemetry_json['timestamp']
mongo.db.edge.update(
{'_id': edge['_id']},
{'$push': {'exploits': new_exploit}}
)
if new_exploit['result']:
EdgeService.set_edge_exploited(edge)
def update_node_credentials_from_successful_attempts(edge, telemetry_json):
for attempt in telemetry_json['data']['attempts']:
if attempt['result']:
found_creds = {'user': attempt['user']}
@ -36,6 +28,20 @@ def process_exploit_telemetry(telemetry_json):
NodeService.add_credentials_to_node(edge['to'], found_creds)
def update_edge_info_with_new_exploit(edge, telemetry_json):
telemetry_json['data']['info']['started'] = dateutil.parser.parse(telemetry_json['data']['info']['started'])
telemetry_json['data']['info']['finished'] = dateutil.parser.parse(telemetry_json['data']['info']['finished'])
new_exploit = copy.deepcopy(telemetry_json['data'])
new_exploit.pop('machine')
new_exploit['timestamp'] = telemetry_json['timestamp']
mongo.db.edge.update(
{'_id': edge['_id']},
{'$push': {'exploits': new_exploit}}
)
if new_exploit['result']:
EdgeService.set_edge_exploited(edge)
def encrypt_exploit_creds(telemetry_json):
attempts = telemetry_json['data']['attempts']
for i in range(len(attempts)):
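Review bot: `update_edge_info_with_new_exploit` is extracted without a docstring, and it has a side effect its name does not suggest: the lines `telemetry_json['data']['info']['started'] = dateutil.parser.parse(...)` and the matching `finished` line replace the ISO strings in the caller's `telemetry_json` with datetime objects before the deep copy is pushed to `mongo.db.edge`, so `test_machine_exploited(telemetry_json)`, which `process_exploit_telemetry` now calls afterwards, and any later consumer see datetimes rather than strings. I would document that with `"""Parse the exploit's started/finished timestamps in place, append the exploit (minus 'machine') to the edge's exploit list and mark the edge exploited on success."""`. The call order in `process_exploit_telemetry` — credentials encrypted, edge updated, then the zero-trust test — also means an exception raised inside `test_machine_exploited` propagates after the edge update has already been persisted; if that partial processing is acceptable it deserves a one-line comment at the call site. `encrypt_exploit_creds` continues past the end of this section, so its body is not reviewed here.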


@ -0,0 +1,46 @@
from common.data.zero_trust_consts import *
from monkey_island.cc.models import Monkey
from monkey_island.cc.models.zero_trust.event import Event
from monkey_island.cc.models.zero_trust.finding import Finding
def test_machine_exploited(telemetry_json):
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
events = [
Event.create_event(
title="Exploit attempt",
message="Monkey on {} attempted to exploit {} using {}.".format(
current_monkey.hostname,
telemetry_json['data']['machine']['ip_addr'],
telemetry_json['data']['exploiter']),
event_type=EVENT_TYPE_MONKEY_NETWORK,
timestamp=telemetry_json['timestamp']
)
]
status = STATUS_POSITIVE
if telemetry_json['data']['result']:
events.append(
Event.create_event(
title="Exploit success!",
message="Monkey on {} successfully exploited {} using {}.".format(
current_monkey.hostname,
telemetry_json['data']['machine']['ip_addr'],
telemetry_json['data']['exploiter']),
event_type=EVENT_TYPE_MONKEY_NETWORK,
timestamp=telemetry_json['timestamp'])
)
status = STATUS_CONCLUSIVE
Finding.save_finding(
test=TEST_MACHINE_EXPLOITED,
status=status,
events=events
)
Finding.save_finding(
test=TEST_MALICIOUS_ACTIVITY_TIMELINE,
status=STATUS_INCONCLUSIVE,
events=events
)
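Review bot: `test_machine_exploited` has no docstring, and the status it assigns is not obvious from the code: `status = STATUS_POSITIVE` is the default, so a telemetry whose `data['result']` is falsy records a `TEST_MACHINE_EXPLOITED` finding that, per the new consts text, reads as "Monkey didn't manage to exploit an endpoint" on the strength of a single failed attempt by one exploiter, while `TEST_MALICIOUS_ACTIVITY_TIMELINE` is always `STATUS_INCONCLUSIVE`. I would add a docstring above `current_monkey = ...` stating that one exploit telemetry yields one machine-exploited finding (CONCLUSIVE on success, POSITIVE otherwise) plus one timeline finding built from the same `events` list, so readers know the POSITIVE result is per-attempt rather than per-host. `ip_addr` and `exploiter` are interpolated verbatim from the agent's telemetry into the event messages; if those messages are rendered unescaped anywhere in the UI that is the place to check, though the renderer is not visible here. `from common.data.zero_trust_consts import *` hides where the `STATUS_*`, `TEST_*` and `EVENT_TYPE_*` names come from; an explicit import list would be clearer.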