From 3734cb007e30457944610b5ff9b11621364bf961 Mon Sep 17 00:00:00 2001 From: vakarisz Date: Tue, 1 Mar 2022 14:34:43 +0200 Subject: [PATCH 1/3] Island: change T1016 to format results from Monkey document Previously T1016 pulled results from system info telemetries, but system info telemetries are deprecated and network information is stored on monkey documents
--- .../attack/technique_reports/T1016.py | 42 +++++++------------ 1 file changed, 15 insertions(+), 27 deletions(-)
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py
index 988515026..038e51d9b 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py
@@ -1,5 +1,5 @@
 from common.utils.attack_utils import ScanStatus
-from monkey_island.cc.database import mongo
+from monkey_island.cc.models import Monkey
 from monkey_island.cc.services.attack.technique_reports import AttackTechnique
@@ -10,35 +10,12 @@ class T1016(AttackTechnique):
 scanned_msg = ""
 used_msg = "Monkey gathered network configurations on systems in the network."
- query = [
- {"$match": {"telem_category": "system_info", "data.network_info": {"$exists": True}}},
- {
- "$project": {
- "machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
- "networks": "$data.network_info.networks",
- }
- },
- {
- "$addFields": {
- "_id": 0,
- "networks": 0,
- "info": [
- {
- "used": {
- "$and": [{"$ifNull": ["$networks", False]}, {"$gt": ["$networks", {}]}]
- },
- "name": {"$literal": "Network interface info"},
- },
- ],
- }
- },
- ]
-
 @staticmethod
 def get_report_data():
 def get_technique_status_and_data():
- network_info = list(mongo.db.telemetry.aggregate(T1016.query))
- status = ScanStatus.USED.value if network_info else ScanStatus.UNSCANNED.value
+ network_info = T1016._get_network_info()
+ used_info = [entry for entry in network_info if entry["info"][0]["used"]]
+ status = ScanStatus.USED.value if used_info else ScanStatus.UNSCANNED.value
 return (status, network_info)
 status, network_info = get_technique_status_and_data()
@@ -46,3 +23,14 @@ class T1016(AttackTechnique):
 data = T1016.get_base_data_by_status(status)
 data.update({"network_info": network_info})
 return data
+
+ @staticmethod
+ def _get_network_info():
+ network_info = []
+ for monkey in Monkey.objects():
+ entry = {"machine": {"hostname": monkey.hostname, "ips": monkey.ip_addresses}}
+ info = [{"used": bool(monkey.networks), "name": "Network interface info"}]
+ entry["info"] = info
+ network_info.append(entry)
+
+ return network_info
From 4e1fc525ae765f80098cde217f608c2219531a99 Mon Sep 17 00:00:00 2001
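Review bot: In get_technique_status_and_data the added `used_info` list is built only to be tested for truthiness, so the status can be derived without materialising it: `status = ScanStatus.USED.value if any(entry["info"][0]["used"] for entry in network_info) else ScanStatus.UNSCANNED.value`. The `entry["info"][0]["used"]` lookup hard-codes the entry shape that `_get_network_info` produces, and the semantics shifted from "any matching telemetry row exists" to "at least one Monkey has a non-empty networks list" while every Monkey still appears in `network_info`; a one-line comment stating that, e.g. `# every Monkey is listed; USED only if at least one has interface data`, would make the report's meaning explicit. The `get_report_data` body continues into the next hunk and the `class T1016` header lies outside this one.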
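Review bot: `_get_network_info` has no docstring, and its correctness rests on Monkey documents exposing `hostname`, `ip_addresses` and `networks` attributes, which this hunk does not show; I would add a docstring describing the returned structure (one entry per Monkey document with a `machine` mapping of hostname and ips, and an `info` list whose single item reports `used` as the truthiness of the document's `networks`) and confirm those three field names against the model. The `info` temporary can also be folded into the entry literal, `entry = {"machine": {"hostname": monkey.hostname, "ips": monkey.ip_addresses}, "info": [{"used": bool(monkey.networks), "name": "Network interface info"}]}`, leaving a plain append loop or list comprehension. `Monkey.objects()` with no filter loads every document in full; if the model's query set supports field projection, limiting the query to the three fields used here would keep the report cheap as the number of Monkeys grows.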
From: vakarisz Date: Tue, 1 Mar 2022 16:04:11 +0200 Subject: [PATCH 2/3] Island: remove T1082 attack technique This attack technique gathered data from deprecated system info telemetries. This attack technique needs to be reworked and perhaps it's better to have a single, dedicated and controlable system info gathering procedure
--- .../cc/services/attack/attack_report.py | 2 - .../cc/services/attack/attack_schema.py | 14 +- .../attack/technique_reports/T1082.py | 120 ------------------ .../definitions/post_breach_actions.py | 1 - .../src/components/attack/techniques/T1082.js | 50 -------- 5 files changed, 2 insertions(+), 185 deletions(-) delete mode 100644 monkey/monkey_island/cc/services/attack/technique_reports/T1082.py delete mode 100644 monkey/monkey_island/cc/ui/src/components/attack/techniques/T1082.js
diff --git a/monkey/monkey_island/cc/services/attack/attack_report.py b/monkey/monkey_island/cc/services/attack/attack_report.py
index 3fb3f4c32..96a840cf9 100644
--- a/monkey/monkey_island/cc/services/attack/attack_report.py
+++ b/monkey/monkey_island/cc/services/attack/attack_report.py
@@ -16,7 +16,6 @@ from monkey_island.cc.services.attack.technique_reports import (
 T1064,
 T1065,
 T1075,
- T1082,
 T1086,
 T1087,
 T1090,
@@ -54,7 +53,6 @@ TECHNIQUES = {
 "T1003": T1003.T1003,
 "T1059": T1059.T1059,
 "T1086": T1086.T1086,
- "T1082": T1082.T1082,
 "T1145": T1145.T1145,
 "T1065": T1065.T1065,
 "T1105": T1105.T1105,
diff --git a/monkey/monkey_island/cc/services/attack/attack_schema.py b/monkey/monkey_island/cc/services/attack/attack_schema.py
index dca2a1513..7ff959474 100644
--- a/monkey/monkey_island/cc/services/attack/attack_schema.py
+++ b/monkey/monkey_island/cc/services/attack/attack_schema.py
@@ -249,21 +249,11 @@ SCHEMA = {
 "hostname, or other logical identifier on a network for lateral"
 " movement.",
 },
- "T1082": {
- "title": "System information discovery",
- "type": "bool",
- "link": "https://attack.mitre.org/techniques/T1082",
- "depends_on": ["T1016", "T1005"],
- "description": "An adversary may attempt to get detailed information about the "
- "operating system and hardware, including version, patches, "
- "hotfixes, "
- "service packs, and architecture.",
- },
 "T1016": {
 "title": "System network configuration discovery",
 "type": "bool",
 "link": "https://attack.mitre.org/techniques/T1016",
- "depends_on": ["T1005", "T1082"],
+ "depends_on": ["T1005"],
 "description": "Adversaries will likely look for details about the network "
 "configuration "
 "and settings of systems they access or through information "
@@ -322,7 +312,7 @@ SCHEMA = {
 "title": "Data from local system",
 "type": "bool",
 "link": "https://attack.mitre.org/techniques/T1005",
- "depends_on": ["T1016", "T1082"],
+ "depends_on": ["T1016"],
 "description": "Sensitive data can be collected from local system sources, "
 "such as the file system "
 "or databases of information residing on the system prior to "
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
deleted file mode 100644
index 4c79916ef..000000000
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
+++ /dev/null
@@ -1,120 +0,0 @@ -from common.common_consts.post_breach_consts import POST_BREACH_PROCESS_LIST_COLLECTION -from common.utils.attack_utils import ScanStatus -from monkey_island.cc.database import mongo -from monkey_island.cc.services.attack.technique_reports import AttackTechnique - - -class T1082(AttackTechnique): - tech_id = "T1082" - relevant_systems = ["Linux", "Windows"] - unscanned_msg = "Monkey didn't gather any system info on the network." - scanned_msg = "Monkey tried gathering system info on the network but failed." - used_msg = "Monkey gathered system info from machines in the network." - # TODO: Remove the second item from this list after the TODO in `_run_pba()` in - # `automated_master.py` is resolved. - pba_names = [POST_BREACH_PROCESS_LIST_COLLECTION, "ProcessListCollection"] - - query_for_system_info_collectors = [ - {"$match": {"telem_category": "system_info", "data.network_info": {"$exists": True}}}, - { - "$project": { - "machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"}, - "aws": "$data.aws", - "ssh_info": "$data.ssh_info", - "azure_info": "$data.Azure", - } - }, - { - "$project": { - "_id": 0, - "machine": 1, - "collections": [ - { - "used": {"$and": [{"$gt": ["$aws", {}]}]}, - "name": {"$literal": "Amazon Web Services info"}, - }, - { - "used": { - "$and": [{"$ifNull": ["$ssh_info", False]}, {"$ne": ["$ssh_info", []]}] - }, - "name": {"$literal": "SSH info"}, - }, - { - "used": { - "$and": [ - {"$ifNull": ["$azure_info", False]}, - {"$ne": ["$azure_info", []]}, - ] - }, - "name": {"$literal": "Azure info"}, - }, - {"used": True, "name": {"$literal": "Network interfaces"}}, - ], - } - }, - {"$group": {"_id": {"machine": "$machine", "collections": "$collections"}}}, - {"$replaceRoot": {"newRoot": "$_id"}}, - ] - - query_for_running_processes_list = [ - { - "$match": { - "$and": [ - {"telem_category": "post_breach"}, - {"$or": [{"data.name": pba_name} for pba_name in pba_names]}, - {"$or": [{"data.os": os} for os in 
relevant_systems]}, - ] - } - }, - { - "$project": { - "_id": 0, - "machine": { - "hostname": {"$arrayElemAt": ["$data.hostname", 0]}, - "ips": [{"$arrayElemAt": ["$data.ip", 0]}], - }, - "collections": [ - { - "used": {"$arrayElemAt": [{"$arrayElemAt": ["$data.result", 0]}, 1]}, - "name": {"$literal": "List of running processes"}, - } - ], - } - }, - ] - - @staticmethod - def get_report_data(): - def get_technique_status_and_data(): - system_info_data = list( - mongo.db.telemetry.aggregate(T1082.query_for_system_info_collectors) - ) - system_info_status = ( - ScanStatus.USED.value if system_info_data else ScanStatus.UNSCANNED.value - ) - - pba_data = list(mongo.db.telemetry.aggregate(T1082.query_for_running_processes_list)) - successful_PBAs = mongo.db.telemetry.count( - { - "$and": [ - {"$or": [{"data.name": pba_name} for pba_name in T1082.pba_names]}, - {"$or": [{"data.os": os} for os in T1082.relevant_systems]}, - {"data.result.1": True}, - ] - } - ) - pba_status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value - - technique_data = system_info_data + pba_data - # ScanStatus values are in order of precedence; used > scanned > unscanned - technique_status = max(system_info_status, pba_status) - - return (technique_status, technique_data) - - status, technique_data = get_technique_status_and_data() - data = {"title": T1082.technique_title()} - data.update({"technique_data": technique_data}) - - data.update(T1082.get_mitigation_by_status(status)) - data.update(T1082.get_message_and_status(status)) - return data diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py index e76b2c254..d6831ed63 100644 --- a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py +++ b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py 
@@ -100,7 +100,6 @@ POST_BREACH_ACTIONS = {
 "title": "Process List Collector",
 "safe": True,
 "info": "Collects a list of running processes on the machine.",
- "attack_techniques": ["T1082"],
 },
 ],
 }
diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1082.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1082.js
deleted file mode 100644
index a82adcf09..000000000
--- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1082.js
+++ /dev/null
@@ -1,50 +0,0 @@ -import React from 'react'; -import ReactTable from 'react-table'; -import {renderMachineFromSystemData, renderUsageFields, ScanStatus} from './Helpers' -import MitigationsComponent from './MitigationsComponent'; - - class T1082 extends React.Component { - - constructor(props) { - super(props); - } - - static getSystemInfoColumns() { - return ([{ - columns: [ - { - Header: 'Machine', - id: 'machine', - accessor: x => renderMachineFromSystemData(x.machine), - style: {'whiteSpace': 'unset'} - }, - { - Header: 'Gathered info', - id: 'info', - accessor: x => renderUsageFields(x.collections), - style: {'whiteSpace': 'unset'} - } - ] - }]) - } - - render() { - return ( -
-
{this.props.data.message_html}
-
- {this.props.data.status === ScanStatus.USED ? - : ''} - -
- ); - } -} - -export default T1082; From 458b2121cd32e4ef16a003df2566c6963694ee13 Mon Sep 17 00:00:00 2001 From: vakarisz Date: Tue, 1 Mar 2022 16:16:06 +0200 Subject: [PATCH 3/3] Changelog: added entry for removed T1082 attack technique report --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 72eadb615..b40f94bcf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -47,6 +47,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/). - Zero Trust integration with ScoutSuite. #1669 - ShellShock exploiter. #1733 - ElasticGroovy exploiter. #1732 +- T1082 attack technique report. #1754 ### Fixed - A bug in network map page that caused delay of telemetry log loading. #1545