Merge pull request #1754 from guardicore/1695-attack-changes

1695 attack changes
This commit is contained in:
Mike Salvatore 2022-03-01 09:46:30 -05:00 committed by GitHub
commit c33318646a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 18 additions and 212 deletions


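--- a/[PATH NOT SHOWN: changelog]
+++ b/[PATH NOT SHOWN: changelog]
@@ -47,6 +47,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 - Zero Trust integration with ScoutSuite. #1669
 - ShellShock exploiter. #1733
 - ElasticGroovy exploiter. #1732
+- T1082 attack technique report. #1754
 ### Fixed
 - A bug in network map page that caused delay of telemetry log loading. #1545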


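--- a/[PATH NOT SHOWN: attack technique registry]
+++ b/[PATH NOT SHOWN: attack technique registry]
@@ -16,7 +16,6 @@ from monkey_island.cc.services.attack.technique_reports import (
 T1064,
 T1065,
 T1075,
-T1082,
 T1086,
 T1087,
 T1090,
@@ -54,7 +53,6 @@ TECHNIQUES = {
 "T1003": T1003.T1003,
 "T1059": T1059.T1059,
 "T1086": T1086.T1086,
-"T1082": T1082.T1082,
 "T1145": T1145.T1145,
 "T1065": T1065.T1065,
 "T1105": T1105.T1105,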


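--- a/[PATH NOT SHOWN: attack config schema]
+++ b/[PATH NOT SHOWN: attack config schema]
@@ -249,21 +249,11 @@ SCHEMA = {
 "hostname, or other logical identifier on a network for lateral"
 " movement.",
 },
-"T1082": {
-"title": "System information discovery",
-"type": "bool",
-"link": "https://attack.mitre.org/techniques/T1082",
-"depends_on": ["T1016", "T1005"],
-"description": "An adversary may attempt to get detailed information about the "
-"operating system and hardware, including version, patches, "
-"hotfixes, "
-"service packs, and architecture.",
-},
 "T1016": {
 "title": "System network configuration discovery",
 "type": "bool",
 "link": "https://attack.mitre.org/techniques/T1016",
-"depends_on": ["T1005", "T1082"],
+"depends_on": ["T1005"],
 "description": "Adversaries will likely look for details about the network "
 "configuration "
 "and settings of systems they access or through information "
@@ -322,7 +312,7 @@ SCHEMA = {
 "title": "Data from local system",
 "type": "bool",
 "link": "https://attack.mitre.org/techniques/T1005",
-"depends_on": ["T1016", "T1082"],
+"depends_on": ["T1016"],
 "description": "Sensitive data can be collected from local system sources, "
 "such as the file system "
 "or databases of information residing on the system prior to "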


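--- a/[PATH NOT SHOWN: T1016 technique report]
+++ b/[PATH NOT SHOWN: T1016 technique report]
@@ -1,5 +1,5 @@
 from common.utils.attack_utils import ScanStatus
-from monkey_island.cc.database import mongo
+from monkey_island.cc.models import Monkey
 from monkey_island.cc.services.attack.technique_reports import AttackTechnique
@@ -10,35 +10,12 @@ class T1016(AttackTechnique):
 scanned_msg = ""
 used_msg = "Monkey gathered network configurations on systems in the network."
-query = [
-{"$match": {"telem_category": "system_info", "data.network_info": {"$exists": True}}},
-{
-"$project": {
-"machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
-"networks": "$data.network_info.networks",
-}
-},
-{
-"$addFields": {
-"_id": 0,
-"networks": 0,
-"info": [
-{
-"used": {
-"$and": [{"$ifNull": ["$networks", False]}, {"$gt": ["$networks", {}]}]
-},
-"name": {"$literal": "Network interface info"},
-},
-],
-}
-},
-]
 @staticmethod
 def get_report_data():
 def get_technique_status_and_data():
-network_info = list(mongo.db.telemetry.aggregate(T1016.query))
-status = ScanStatus.USED.value if network_info else ScanStatus.UNSCANNED.value
+network_info = T1016._get_network_info()
+used_info = [entry for entry in network_info if entry["info"][0]["used"]]
+status = ScanStatus.USED.value if used_info else ScanStatus.UNSCANNED.value
 return (status, network_info)
 status, network_info = get_technique_status_and_data()
@@ -46,3 +23,14 @@ class T1016(AttackTechnique):
 data = T1016.get_base_data_by_status(status)
 data.update({"network_info": network_info})
 return data
+@staticmethod
+def _get_network_info():
+network_info = []
+for monkey in Monkey.objects():
+entry = {"machine": {"hostname": monkey.hostname, "ips": monkey.ip_addresses}}
+info = [{"used": bool(monkey.networks), "name": "Network interface info"}]
+entry["info"] = info
+network_info.append(entry)
+return network_info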
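Review bot: The new `used_info` line in get_technique_status_and_data builds a whole list only to test its truthiness and hard-codes `entry["info"][0]`, so the status check silently depends on `_get_network_info` always emitting exactly one info item per entry; `any()` over the info list states the intent without that coupling, e.g. `status = ScanStatus.USED.value if any(i["used"] for entry in network_info for i in entry["info"]) else ScanStatus.UNSCANNED.value`, which also drops the temporary list. Separately, `_get_network_info` now returns one entry for every `Monkey` document, so machines with no recorded networks still appear in `network_info` with `used: False`, whereas the removed pipeline only matched telemetry whose `data.network_info` existed; presumably the front end hides unused rows, but that is worth confirming before merge. A one-line docstring on the new helper would help the next reader, e.g. `"""Return one entry per Monkey: its hostname and IPs, plus whether any networks were recorded for it."""`; note that `monkey.networks` being populated by the system-info telemetry is assumed here and not visible in this hunk. The enclosing `get_report_data` starts in the previous hunk and is split across the two hunks.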


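--- a/[PATH NOT SHOWN: T1082 technique report]
+++ /dev/null
@@ -1,120 +0,0 @@
-from common.common_consts.post_breach_consts import POST_BREACH_PROCESS_LIST_COLLECTION
-from common.utils.attack_utils import ScanStatus
-from monkey_island.cc.database import mongo
-from monkey_island.cc.services.attack.technique_reports import AttackTechnique
-class T1082(AttackTechnique):
-tech_id = "T1082"
-relevant_systems = ["Linux", "Windows"]
-unscanned_msg = "Monkey didn't gather any system info on the network."
-scanned_msg = "Monkey tried gathering system info on the network but failed."
-used_msg = "Monkey gathered system info from machines in the network."
-# TODO: Remove the second item from this list after the TODO in `_run_pba()` in
-# `automated_master.py` is resolved.
-pba_names = [POST_BREACH_PROCESS_LIST_COLLECTION, "ProcessListCollection"]
-query_for_system_info_collectors = [
-{"$match": {"telem_category": "system_info", "data.network_info": {"$exists": True}}},
-{
-"$project": {
-"machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
-"aws": "$data.aws",
-"ssh_info": "$data.ssh_info",
-"azure_info": "$data.Azure",
-}
-},
-{
-"$project": {
-"_id": 0,
-"machine": 1,
-"collections": [
-{
-"used": {"$and": [{"$gt": ["$aws", {}]}]},
-"name": {"$literal": "Amazon Web Services info"},
-},
-{
-"used": {
-"$and": [{"$ifNull": ["$ssh_info", False]}, {"$ne": ["$ssh_info", []]}]
-},
-"name": {"$literal": "SSH info"},
-},
-{
-"used": {
-"$and": [
-{"$ifNull": ["$azure_info", False]},
-{"$ne": ["$azure_info", []]},
-]
-},
-"name": {"$literal": "Azure info"},
-},
-{"used": True, "name": {"$literal": "Network interfaces"}},
-],
-}
-},
-{"$group": {"_id": {"machine": "$machine", "collections": "$collections"}}},
-{"$replaceRoot": {"newRoot": "$_id"}},
-]
-query_for_running_processes_list = [
-{
-"$match": {
-"$and": [
-{"telem_category": "post_breach"},
-{"$or": [{"data.name": pba_name} for pba_name in pba_names]},
-{"$or": [{"data.os": os} for os in relevant_systems]},
-]
-}
-},
-{
-"$project": {
-"_id": 0,
-"machine": {
-"hostname": {"$arrayElemAt": ["$data.hostname", 0]},
-"ips": [{"$arrayElemAt": ["$data.ip", 0]}],
-},
-"collections": [
-{
-"used": {"$arrayElemAt": [{"$arrayElemAt": ["$data.result", 0]}, 1]},
-"name": {"$literal": "List of running processes"},
-}
-],
-}
-},
-]
-@staticmethod
-def get_report_data():
-def get_technique_status_and_data():
-system_info_data = list(
-mongo.db.telemetry.aggregate(T1082.query_for_system_info_collectors)
-)
-system_info_status = (
-ScanStatus.USED.value if system_info_data else ScanStatus.UNSCANNED.value
-)
-pba_data = list(mongo.db.telemetry.aggregate(T1082.query_for_running_processes_list))
-successful_PBAs = mongo.db.telemetry.count(
-{
-"$and": [
-{"$or": [{"data.name": pba_name} for pba_name in T1082.pba_names]},
-{"$or": [{"data.os": os} for os in T1082.relevant_systems]},
-{"data.result.1": True},
-]
-}
-)
-pba_status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
-technique_data = system_info_data + pba_data
-# ScanStatus values are in order of precedence; used > scanned > unscanned
-technique_status = max(system_info_status, pba_status)
-return (technique_status, technique_data)
-status, technique_data = get_technique_status_and_data()
-data = {"title": T1082.technique_title()}
-data.update({"technique_data": technique_data})
-data.update(T1082.get_mitigation_by_status(status))
-data.update(T1082.get_message_and_status(status))
-return data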


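--- a/[PATH NOT SHOWN: post-breach actions config]
+++ b/[PATH NOT SHOWN: post-breach actions config]
@@ -100,7 +100,6 @@ POST_BREACH_ACTIONS = {
 "title": "Process List Collector",
 "safe": True,
 "info": "Collects a list of running processes on the machine.",
-"attack_techniques": ["T1082"],
 },
 ],
 }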


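--- a/[PATH NOT SHOWN: T1082 report component]
+++ /dev/null
@@ -1,50 +0,0 @@
-import React from 'react';
-import ReactTable from 'react-table';
-import {renderMachineFromSystemData, renderUsageFields, ScanStatus} from './Helpers'
-import MitigationsComponent from './MitigationsComponent';
-class T1082 extends React.Component {
-constructor(props) {
-super(props);
-}
-static getSystemInfoColumns() {
-return ([{
-columns: [
-{
-Header: 'Machine',
-id: 'machine',
-accessor: x => renderMachineFromSystemData(x.machine),
-style: {'whiteSpace': 'unset'}
-},
-{
-Header: 'Gathered info',
-id: 'info',
-accessor: x => renderUsageFields(x.collections),
-style: {'whiteSpace': 'unset'}
-}
-]
-}])
-}
-render() {
-return (
-<div>
-<div>{this.props.data.message_html}</div>
-<br/>
-{this.props.data.status === ScanStatus.USED ?
-<ReactTable
-columns={T1082.getSystemInfoColumns()}
-data={this.props.data.technique_data}
-showPagination={false}
-defaultPageSize={this.props.data.technique_data.length}
-/> : ''}
-<MitigationsComponent mitigations={this.props.data.mitigations}/>
-</div>
-);
-}
-}
-export default T1082;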