Added machine exploited ZT test

2019-08-22 14:40:05 +03:00 · 2019-08-22 14:40:05 +03:00 · bf417ab01d
parent bd97c965f1
commit bf417ab01d
3 changed files with 66 additions and 14 deletions
--- a/monkey/common/data/zero_trust_consts.py
+++ b/monkey/common/data/zero_trust_consts.py
@ -91,7 +91,7 @@ TESTS_MAP = {
        TEST_EXPLANATION_KEY: u"The Monkey tries to exploit machines in order to breach them and propagate in the network.",
        FINDING_EXPLANATION_BY_STATUS_KEY: {
            STATUS_CONCLUSIVE: "Monkey successfully exploited endpoints. Check IDS/IPS logs to see activity recognized and see which endpoints were compromised.",
-            STATUS_INCONCLUSIVE: "Monkey tried exploiting endpoints. Check IDS/IPS logs to see activity recognized."
+            STATUS_POSITIVE: "Monkey didn't manage to exploit an endpoint."
        },
        DIRECTIVE_KEY: DIRECTIVE_ENDPOINT_SECURITY,
        PILLARS_KEY: [DEVICES],
--- a/monkey/monkey_island/cc/services/telemetry/processing/exploit.py
+++ b/monkey/monkey_island/cc/services/telemetry/processing/exploit.py
@ -7,26 +7,18 @@ from monkey_island.cc.encryptor import encryptor
 from monkey_island.cc.services.edge import EdgeService
 from monkey_island.cc.services.node import NodeService
 from monkey_island.cc.services.telemetry.processing.utils import get_edge_by_scan_or_exploit_telemetry
+from monkey_island.cc.services.telemetry.zero_trust_tests.machine_exploited import test_machine_exploited


 def process_exploit_telemetry(telemetry_json):
    edge = get_edge_by_scan_or_exploit_telemetry(telemetry_json)
    encrypt_exploit_creds(telemetry_json)
-    telemetry_json['data']['info']['started'] = dateutil.parser.parse(telemetry_json['data']['info']['started'])
-    telemetry_json['data']['info']['finished'] = dateutil.parser.parse(telemetry_json['data']['info']['finished'])
+    update_edge_info_with_new_exploit(edge, telemetry_json)
+    update_node_credentials_from_successful_attempts(edge, telemetry_json)
+    test_machine_exploited(telemetry_json)

-    new_exploit = copy.deepcopy(telemetry_json['data'])
-
-    new_exploit.pop('machine')
-    new_exploit['timestamp'] = telemetry_json['timestamp']
-
-    mongo.db.edge.update(
-        {'_id': edge['_id']},
-        {'$push': {'exploits': new_exploit}}
-    )
-    if new_exploit['result']:
-        EdgeService.set_edge_exploited(edge)

+def update_node_credentials_from_successful_attempts(edge, telemetry_json):
    for attempt in telemetry_json['data']['attempts']:
        if attempt['result']:
            found_creds = {'user': attempt['user']}
@ -36,6 +28,20 @@ def process_exploit_telemetry(telemetry_json):
            NodeService.add_credentials_to_node(edge['to'], found_creds)


+def update_edge_info_with_new_exploit(edge, telemetry_json):
+    telemetry_json['data']['info']['started'] = dateutil.parser.parse(telemetry_json['data']['info']['started'])
+    telemetry_json['data']['info']['finished'] = dateutil.parser.parse(telemetry_json['data']['info']['finished'])
+    new_exploit = copy.deepcopy(telemetry_json['data'])
+    new_exploit.pop('machine')
+    new_exploit['timestamp'] = telemetry_json['timestamp']
+    mongo.db.edge.update(
+        {'_id': edge['_id']},
+        {'$push': {'exploits': new_exploit}}
+    )
+    if new_exploit['result']:
+        EdgeService.set_edge_exploited(edge)
+
+
 def encrypt_exploit_creds(telemetry_json):
    attempts = telemetry_json['data']['attempts']
    for i in range(len(attempts)):
--- a/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/machine_exploited.py
+++ b/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/machine_exploited.py
@ -0,0 +1,46 @@
+from common.data.zero_trust_consts import *
+from monkey_island.cc.models import Monkey
+from monkey_island.cc.models.zero_trust.event import Event
+from monkey_island.cc.models.zero_trust.finding import Finding
+
+
+def test_machine_exploited(telemetry_json):
+    current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
+    events = [
+        Event.create_event(
+            title="Exploit attempt",
+            message="Monkey on {} attempted to exploit {} using {}.".format(
+                current_monkey.hostname,
+                telemetry_json['data']['machine']['ip_addr'],
+                telemetry_json['data']['exploiter']),
+            event_type=EVENT_TYPE_MONKEY_NETWORK,
+            timestamp=telemetry_json['timestamp']
+        )
+    ]
+
+    status = STATUS_POSITIVE
+
+    if telemetry_json['data']['result']:
+        events.append(
+            Event.create_event(
+                title="Exploit success!",
+                message="Monkey on {} successfully exploited {} using {}.".format(
+                    current_monkey.hostname,
+                    telemetry_json['data']['machine']['ip_addr'],
+                    telemetry_json['data']['exploiter']),
+                event_type=EVENT_TYPE_MONKEY_NETWORK,
+                timestamp=telemetry_json['timestamp'])
+        )
+        status = STATUS_CONCLUSIVE
+
+    Finding.save_finding(
+        test=TEST_MACHINE_EXPLOITED,
+        status=status,
+        events=events
+    )
+
+    Finding.save_finding(
+        test=TEST_MALICIOUS_ACTIVITY_TIMELINE,
+        status=STATUS_INCONCLUSIVE,
+        events=events
+    )