Added machine exploited ZT test
parent
bd97c965f1
commit
bf417ab01d
|
@ -91,7 +91,7 @@ TESTS_MAP = {
|
||||||
TEST_EXPLANATION_KEY: u"The Monkey tries to exploit machines in order to breach them and propagate in the network.",
|
TEST_EXPLANATION_KEY: u"The Monkey tries to exploit machines in order to breach them and propagate in the network.",
|
||||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||||
STATUS_CONCLUSIVE: "Monkey successfully exploited endpoints. Check IDS/IPS logs to see activity recognized and see which endpoints were compromised.",
|
STATUS_CONCLUSIVE: "Monkey successfully exploited endpoints. Check IDS/IPS logs to see activity recognized and see which endpoints were compromised.",
|
||||||
STATUS_INCONCLUSIVE: "Monkey tried exploiting endpoints. Check IDS/IPS logs to see activity recognized."
|
STATUS_POSITIVE: "Monkey didn't manage to exploit an endpoint."
|
||||||
},
|
},
|
||||||
DIRECTIVE_KEY: DIRECTIVE_ENDPOINT_SECURITY,
|
DIRECTIVE_KEY: DIRECTIVE_ENDPOINT_SECURITY,
|
||||||
PILLARS_KEY: [DEVICES],
|
PILLARS_KEY: [DEVICES],
|
||||||
|
|
|
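Review bot: The replacement entry `STATUS_POSITIVE: "Monkey didn't manage to exploit an endpoint."` describes a single attempt, while the CONCLUSIVE text two lines above speaks of endpoints in the plural and points the reader at the IDS/IPS logs, so the two explanations read as if they come from different tests. Since the new machine_exploited module in this commit saves one MACHINE_EXPLOITED finding per exploit telemetry and picks STATUS_POSITIVE whenever `data.result` is false, a positive finding means one attempt failed, not that the endpoint resisted every attempt; the wording should say so. Something like `STATUS_POSITIVE: "Monkey tried to exploit an endpoint and failed. Check IDS/IPS logs to see whether the attempt was recognized."` keeps the entries parallel. Dropping the STATUS_INCONCLUSIVE entry is consistent with the new test, which never reports that status for this key. The enclosing `TESTS_MAP` literal starts and ends outside the hunk.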
@ -7,26 +7,18 @@ from monkey_island.cc.encryptor import encryptor
|
||||||
from monkey_island.cc.services.edge import EdgeService
|
from monkey_island.cc.services.edge import EdgeService
|
||||||
from monkey_island.cc.services.node import NodeService
|
from monkey_island.cc.services.node import NodeService
|
||||||
from monkey_island.cc.services.telemetry.processing.utils import get_edge_by_scan_or_exploit_telemetry
|
from monkey_island.cc.services.telemetry.processing.utils import get_edge_by_scan_or_exploit_telemetry
|
||||||
|
from monkey_island.cc.services.telemetry.zero_trust_tests.machine_exploited import test_machine_exploited
|
||||||
|
|
||||||
|
|
||||||
def process_exploit_telemetry(telemetry_json):
|
def process_exploit_telemetry(telemetry_json):
|
||||||
edge = get_edge_by_scan_or_exploit_telemetry(telemetry_json)
|
edge = get_edge_by_scan_or_exploit_telemetry(telemetry_json)
|
||||||
encrypt_exploit_creds(telemetry_json)
|
encrypt_exploit_creds(telemetry_json)
|
||||||
telemetry_json['data']['info']['started'] = dateutil.parser.parse(telemetry_json['data']['info']['started'])
|
update_edge_info_with_new_exploit(edge, telemetry_json)
|
||||||
telemetry_json['data']['info']['finished'] = dateutil.parser.parse(telemetry_json['data']['info']['finished'])
|
update_node_credentials_from_successful_attempts(edge, telemetry_json)
|
||||||
|
test_machine_exploited(telemetry_json)
|
||||||
|
|
||||||
new_exploit = copy.deepcopy(telemetry_json['data'])
|
|
||||||
|
|
||||||
new_exploit.pop('machine')
|
|
||||||
new_exploit['timestamp'] = telemetry_json['timestamp']
|
|
||||||
|
|
||||||
mongo.db.edge.update(
|
|
||||||
{'_id': edge['_id']},
|
|
||||||
{'$push': {'exploits': new_exploit}}
|
|
||||||
)
|
|
||||||
if new_exploit['result']:
|
|
||||||
EdgeService.set_edge_exploited(edge)
|
|
||||||
|
|
||||||
|
def update_node_credentials_from_successful_attempts(edge, telemetry_json):
|
||||||
for attempt in telemetry_json['data']['attempts']:
|
for attempt in telemetry_json['data']['attempts']:
|
||||||
if attempt['result']:
|
if attempt['result']:
|
||||||
found_creds = {'user': attempt['user']}
|
found_creds = {'user': attempt['user']}
|
||||||
|
@ -36,6 +28,20 @@ def process_exploit_telemetry(telemetry_json):
|
||||||
NodeService.add_credentials_to_node(edge['to'], found_creds)
|
NodeService.add_credentials_to_node(edge['to'], found_creds)
|
||||||
|
|
||||||
|
|
||||||
|
def update_edge_info_with_new_exploit(edge, telemetry_json):
|
||||||
|
telemetry_json['data']['info']['started'] = dateutil.parser.parse(telemetry_json['data']['info']['started'])
|
||||||
|
telemetry_json['data']['info']['finished'] = dateutil.parser.parse(telemetry_json['data']['info']['finished'])
|
||||||
|
new_exploit = copy.deepcopy(telemetry_json['data'])
|
||||||
|
new_exploit.pop('machine')
|
||||||
|
new_exploit['timestamp'] = telemetry_json['timestamp']
|
||||||
|
mongo.db.edge.update(
|
||||||
|
{'_id': edge['_id']},
|
||||||
|
{'$push': {'exploits': new_exploit}}
|
||||||
|
)
|
||||||
|
if new_exploit['result']:
|
||||||
|
EdgeService.set_edge_exploited(edge)
|
||||||
|
|
||||||
|
|
||||||
def encrypt_exploit_creds(telemetry_json):
|
def encrypt_exploit_creds(telemetry_json):
|
||||||
attempts = telemetry_json['data']['attempts']
|
attempts = telemetry_json['data']['attempts']
|
||||||
for i in range(len(attempts)):
|
for i in range(len(attempts)):
|
||||||
|
|
|
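Review bot: `update_edge_info_with_new_exploit`, added in the second hunk, overwrites `telemetry_json['data']['info']['started']` and `['finished']` in place with parsed datetimes before taking its deep copy, so everything `process_exploit_telemetry` calls afterwards — `update_node_credentials_from_successful_attempts` and the new `test_machine_exploited` — receives the mutated dict, and nothing in the function's name says so. Suggest a docstring on it: `"""Parse the exploit's start/finish timestamps in place, push a copy of the exploit data onto the edge's ``exploits`` list and mark the edge exploited when the attempt succeeded."""`, and on `process_exploit_telemetry`: `"""Handle one exploit telemetry: encrypt its credentials, record it on the edge, store found credentials on the target node, then run the machine-exploited zero-trust test."""`. With the zero-trust test now last in that sequence, an exception inside `Finding.save_finding` leaves the edge and node already updated with no finding recorded; whether that partial state is acceptable depends on the caller's error handling, which is outside this hunk. `encrypt_exploit_creds` at the end of the hunk continues outside it.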
@ -0,0 +1,46 @@
|
||||||
|
from common.data.zero_trust_consts import *
|
||||||
|
from monkey_island.cc.models import Monkey
|
||||||
|
from monkey_island.cc.models.zero_trust.event import Event
|
||||||
|
from monkey_island.cc.models.zero_trust.finding import Finding
|
||||||
|
|
||||||
|
|
||||||
|
def test_machine_exploited(telemetry_json):
|
||||||
|
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
|
||||||
|
events = [
|
||||||
|
Event.create_event(
|
||||||
|
title="Exploit attempt",
|
||||||
|
message="Monkey on {} attempted to exploit {} using {}.".format(
|
||||||
|
current_monkey.hostname,
|
||||||
|
telemetry_json['data']['machine']['ip_addr'],
|
||||||
|
telemetry_json['data']['exploiter']),
|
||||||
|
event_type=EVENT_TYPE_MONKEY_NETWORK,
|
||||||
|
timestamp=telemetry_json['timestamp']
|
||||||
|
)
|
||||||
|
]
|
||||||
|
|
||||||
|
status = STATUS_POSITIVE
|
||||||
|
|
||||||
|
if telemetry_json['data']['result']:
|
||||||
|
events.append(
|
||||||
|
Event.create_event(
|
||||||
|
title="Exploit success!",
|
||||||
|
message="Monkey on {} successfully exploited {} using {}.".format(
|
||||||
|
current_monkey.hostname,
|
||||||
|
telemetry_json['data']['machine']['ip_addr'],
|
||||||
|
telemetry_json['data']['exploiter']),
|
||||||
|
event_type=EVENT_TYPE_MONKEY_NETWORK,
|
||||||
|
timestamp=telemetry_json['timestamp'])
|
||||||
|
)
|
||||||
|
status = STATUS_CONCLUSIVE
|
||||||
|
|
||||||
|
Finding.save_finding(
|
||||||
|
test=TEST_MACHINE_EXPLOITED,
|
||||||
|
status=status,
|
||||||
|
events=events
|
||||||
|
)
|
||||||
|
|
||||||
|
Finding.save_finding(
|
||||||
|
test=TEST_MALICIOUS_ACTIVITY_TIMELINE,
|
||||||
|
status=STATUS_INCONCLUSIVE,
|
||||||
|
events=events
|
||||||
|
)
|
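Review bot: `test_machine_exploited` dereferences `current_monkey.hostname` in both event messages without checking what `Monkey.get_single_monkey_by_guid` returned; if that lookup yields `None` for an unknown guid (its behaviour is not visible here), the telemetry handler fails with an AttributeError after the edge and credential updates in `process_exploit_telemetry` have already been applied. Either guard it (`if current_monkey is None:` followed by an explicit log-and-return) or, if the model raises on a miss, say so in a docstring such as `"""Turn one exploit telemetry into zero-trust events and save a MACHINE_EXPLOITED finding (CONCLUSIVE on success, POSITIVE otherwise) plus an INCONCLUSIVE MALICIOUS_ACTIVITY_TIMELINE finding over the same events."""`. The two `Event.create_event` calls differ only in the title and the verb in the message and could share a small helper, and `from common.data.zero_trust_consts import *` imports every constant into the module where an explicit import of the five names actually used would read clearer. Both `Finding.save_finding` calls are handed the same `events` list object; that is fine if `save_finding` copies what it stores, but worth confirming.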