Island: Move antivirus check for ZT report from system info processing to PBA processing
parent
9d3931c380
commit
e674f9e0c0
@ -1,8 +1,14 @@
|
||||||
import copy
|
import copy
|
||||||
|
|
||||||
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
|
from common.common_consts.post_breach_consts import (
|
||||||
|
POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER,
|
||||||
|
POST_BREACH_PROCESS_LIST_COLLECTION,
|
||||||
|
)
|
||||||
from monkey_island.cc.database import mongo
|
from monkey_island.cc.database import mongo
|
||||||
from monkey_island.cc.models import Monkey
|
from monkey_island.cc.models import Monkey
|
||||||
|
from monkey_island.cc.services.telemetry.zero_trust_checks.antivirus_existence import (
|
||||||
|
check_antivirus_existence,
|
||||||
|
)
|
||||||
from monkey_island.cc.services.telemetry.zero_trust_checks.communicate_as_backdoor_user import (
|
from monkey_island.cc.services.telemetry.zero_trust_checks.communicate_as_backdoor_user import (
|
||||||
check_new_user_communication,
|
check_new_user_communication,
|
||||||
)
|
)
|
||||||
|
@ -17,8 +23,17 @@ def process_communicate_as_backdoor_user_telemetry(telemetry_json):
|
||||||
check_new_user_communication(current_monkey, success, message)
|
check_new_user_communication(current_monkey, success, message)
|
||||||
|
|
||||||
|
|
||||||
|
def process_process_list_collection_telemetry(telemetry_json):
|
||||||
|
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json["monkey_guid"])
|
||||||
|
check_antivirus_existence(telemetry_json, current_monkey)
|
||||||
|
|
||||||
|
|
||||||
POST_BREACH_TELEMETRY_PROCESSING_FUNCS = {
|
POST_BREACH_TELEMETRY_PROCESSING_FUNCS = {
|
||||||
POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER: process_communicate_as_backdoor_user_telemetry,
|
POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER: process_communicate_as_backdoor_user_telemetry,
|
||||||
|
# TODO: Remove line 31 and un-comment line 32 after the TODO in `_run_pba()` in
|
||||||
|
# `automated_master.py` is resolved.
|
||||||
|
"ProcessListCollection": process_process_list_collection_telemetry,
|
||||||
|
# POST_BREACH_PROCESS_LIST_COLLECTION: process_process_list_collection_telemetry,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
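Review bot: The TODO added above the `"ProcessListCollection"` entry points at the code by line number (`Remove line 31 and un-comment line 32`), which goes stale the moment anything above the dictionary moves; name the lines instead, e.g. `# TODO: Replace the "ProcessListCollection" string key with POST_BREACH_PROCESS_LIST_COLLECTION once the TODO in _run_pba() (automated_master.py) is resolved.`. The new `process_process_list_collection_telemetry` also has no docstring; a one-liner such as `"""Run the zero-trust antivirus check on a ProcessListCollection PBA telemetry."""` would state what it expects. Both the guid lookup here and the check it delegates to index `telemetry_json` directly, so a telemetry without `monkey_guid` raises KeyError out of the processor; whether the dispatching caller handles that is not visible in this hunk, and the sibling `process_communicate_as_backdoor_user_telemetry` starts outside it.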
@ -1,12 +1,10 @@
|
||||||
import logging
|
import logging
|
||||||
import typing
|
import typing
|
||||||
|
|
||||||
from monkey_island.cc.services.telemetry.zero_trust_checks.antivirus_existence import (
|
|
||||||
check_antivirus_existence,
|
|
||||||
)
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
SYSTEM_INFO_COLLECTOR_TO_TELEMETRY_PROCESSORS = {}
|
SYSTEM_INFO_COLLECTOR_TO_TELEMETRY_PROCESSORS = {}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
import json
|
import json
|
||||||
|
|
||||||
import common.common_consts.zero_trust_consts as zero_trust_consts
|
import common.common_consts.zero_trust_consts as zero_trust_consts
|
||||||
from monkey_island.cc.models import Monkey
|
|
||||||
from monkey_island.cc.models.zero_trust.event import Event
|
from monkey_island.cc.models.zero_trust.event import Event
|
||||||
from monkey_island.cc.services.telemetry.zero_trust_checks.known_anti_viruses import (
|
from monkey_island.cc.services.telemetry.zero_trust_checks.known_anti_viruses import (
|
||||||
ANTI_VIRUS_KNOWN_PROCESS_NAMES,
|
ANTI_VIRUS_KNOWN_PROCESS_NAMES,
|
||||||
|
@ -11,9 +10,7 @@ from monkey_island.cc.services.zero_trust.monkey_findings.monkey_zt_finding_serv
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
def check_antivirus_existence(process_list_json, monkey_guid):
|
def check_antivirus_existence(telemetry_json, current_monkey):
|
||||||
current_monkey = Monkey.get_single_monkey_by_guid(monkey_guid)
|
|
||||||
|
|
||||||
process_list_event = Event.create_event(
|
process_list_event = Event.create_event(
|
||||||
title="Process list",
|
title="Process list",
|
||||||
message="Monkey on {} scanned the process list".format(current_monkey.hostname),
|
message="Monkey on {} scanned the process list".format(current_monkey.hostname),
|
||||||
|
@ -21,7 +18,7 @@ def check_antivirus_existence(process_list_json, monkey_guid):
|
||||||
)
|
)
|
||||||
events = [process_list_event]
|
events = [process_list_event]
|
||||||
|
|
||||||
av_processes = filter_av_processes(process_list_json["process_list"])
|
av_processes = filter_av_processes(telemetry_json["data"]["result"][0])
|
||||||
|
|
||||||
for process in av_processes:
|
for process in av_processes:
|
||||||
events.append(
|
events.append(
|
||||||
|
|
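Review bot: The new lookup `telemetry_json["data"]["result"][0]` hard-codes a positional slot where the old code read a named `process_list` key, and nothing here checks that `result` is non-empty or that its first element is the process list, so a PBA telemetry with an empty or differently ordered `result` raises IndexError/KeyError out of the check instead of a clear error; since this payload originates from the agent, the island side should validate the shape before indexing, e.g. `result = telemetry_json["data"]["result"]` / `if not result: raise ValueError("ProcessListCollection PBA telemetry carries no result")` / `av_processes = filter_av_processes(result[0])`. The signature in the earlier hunk now takes `current_monkey` (a `Monkey`) rather than a guid, so a docstring on `check_antivirus_existence` stating that `data.result[0]` is expected to hold the collected process list would document the contract that now lives on the agent side. The function body continues outside this hunk, and `filter_av_processes` is not visible here, so whether it tolerates a non-dict first element cannot be judged from this diff.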