diff --git a/.swm/OwcKMnALpn7tuBaJY1US.swm b/.swm/OwcKMnALpn7tuBaJY1US.swm
index 0e87dd5e9..d99d6473c 100644
--- a/.swm/OwcKMnALpn7tuBaJY1US.swm
+++ b/.swm/OwcKMnALpn7tuBaJY1US.swm
@@ -14,7 +14,7 @@
 "content": [
 {
 "type": "text",
- "text": "# What are system info collectors?\n\nWell, the name pretty much explains it. They are Monkey classes which collect various information regarding the victim system, such as Environment, SSH Info, Process List, Netstat and more. \n\n## What should I add? \n\nA system info collector which collects the hostname of the system.\n\n## Test manually\n\nOnce you're done, make sure that your collector:\n* Appears in the Island configuration, and is enabled by default\n* The collector actually runs when executing a Monkey.\n* Results show up in the relevant places:\n * The infection map.\n * The security report.\n * The relevant MITRE techniques.\n\n**There are a lot of hints for this unit - don't be afraid to use them!**"
+ "text": "# What are system info collectors?\n\nWell, the name pretty much explains it. They are Monkey classes which collect various information regarding the victim system, such as Environment, SSH Info, Process List and more. \n\n## What should I add? \n\nA system info collector which collects the hostname of the system.\n\n## Test manually\n\nOnce you're done, make sure that your collector:\n* Appears in the Island configuration, and is enabled by default\n* The collector actually runs when executing a Monkey.\n* Results show up in the relevant places:\n * The infection map.\n * The security report.\n * The relevant MITRE techniques.\n\n**There are a lot of hints for this unit - don't be afraid to use them!**"
 },
 {
 "type": "snippet",
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 16c53a610..8bedf32b5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,8 +15,9 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Removed
 - The VSFTPD exploiter. #1533
 - Manual agent run command for CMD. #1570
-- Sambacry exploiter #1567
+- Sambacry exploiter. #1567
 - "Kill file" option in the config. #1536
+- Netstat collector, because network connection information wasn't used anywhere. #1535
 
 ### Fixed
 - A bug in network map page that caused delay of telemetry log loading. #1545
diff --git a/monkey/infection_monkey/system_info/__init__.py b/monkey/infection_monkey/system_info/__init__.py
index 7d0659926..830a741f1 100644
--- a/monkey/infection_monkey/system_info/__init__.py
+++ b/monkey/infection_monkey/system_info/__init__.py
@@ -7,7 +7,6 @@ import psutil
 from common.common_consts.system_info_collectors_names import AZURE_CRED_COLLECTOR
 from infection_monkey.network.info import get_host_subnets
 from infection_monkey.system_info.azure_cred_collector import AzureCollector
-from infection_monkey.system_info.netstat_collector import NetstatCollector
 from infection_monkey.system_info.system_info_collectors_handler import SystemInfoCollectorsHandler
 
 logger = logging.getLogger(__name__)
@@ -72,15 +71,12 @@ class InfoCollector(object):
 def get_network_info(self):
 """
 Adds network information from the host to the system information.
- Currently updates with netstat and a list of networks accessible from host
+ Currently updates with list of networks accessible from host
 containing host ip and the subnet range
 :return: None. Updates class information
 """
 logger.debug("Reading subnets")
- self.info["network_info"] = {
- "networks": get_host_subnets(),
- "netstat": NetstatCollector.get_netstat_info(),
- }
+ self.info["network_info"] = {"networks": get_host_subnets()}
 
 def get_azure_info(self):
 """
diff --git a/monkey/infection_monkey/system_info/netstat_collector.py b/monkey/infection_monkey/system_info/netstat_collector.py
deleted file mode 100644
index 1f28123dc..000000000
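Review bot: The rewritten docstring line `Currently updates with list of networks accessible from host` still reads as a fragment when joined with the unchanged `containing host ip and the subnet range` line under it; since the hunk already edits that sentence, tidy it to `Currently records the list of networks accessible from the host` followed by `(host IP and subnet range) under self.info["network_info"]["networks"].` With `netstat` gone, `network_info` now only ever carries the `networks` key, so any Island-side reader of `network_info.netstat` other than the two technique reports this commit edits would see a missing field; I cannot see other consumers from here, so that is worth a grep. The rest of `InfoCollector` lies outside the hunk.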
--- a/monkey/infection_monkey/system_info/netstat_collector.py
+++ /dev/null
@@ -1,42 +0,0 @@
-# Inspired by Giampaolo Rodola's psutil example from
-https://github.com/giampaolo/psutil/blob/master/scripts/netstat.py
-
-import logging
-import socket
-from socket import AF_INET, SOCK_DGRAM, SOCK_STREAM
-
-import psutil
-
-logger = logging.getLogger(__name__)
-
-
-class NetstatCollector(object):
- """
- Extract netstat info
- """
-
- AF_INET6 = getattr(socket, "AF_INET6", object())
-
- proto_map = {
- (AF_INET, SOCK_STREAM): "tcp",
- (AF_INET6, SOCK_STREAM): "tcp6",
- (AF_INET, SOCK_DGRAM): "udp",
- (AF_INET6, SOCK_DGRAM): "udp6",
- }
-
- @staticmethod
- def get_netstat_info():
- logger.info("Collecting netstat info")
- return [NetstatCollector._parse_connection(c) for c in psutil.net_connections(kind="inet")]
-
- @staticmethod
- def _parse_connection(c):
- return {
- "proto": NetstatCollector.proto_map[(c.family, c.type)],
- "local_address": c.laddr[0],
- "local_port": c.laddr[1],
- "remote_address": c.raddr[0] if c.raddr else None,
- "remote_port": c.raddr[1] if c.raddr else None,
- "status": c.status,
- "pid": c.pid,
- }
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py
index 240b38b18..13f5385f3 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py
@@ -16,21 +16,13 @@ class T1016(AttackTechnique):
 "$project": {
 "machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
 "networks": "$data.network_info.networks",
- "netstat": "$data.network_info.netstat",
 }
 },
 {
 "$addFields": {
 "_id": 0,
- "netstat": 0,
 "networks": 0,
 "info": [
- {
- "used": {
- "$and": [{"$ifNull": ["$netstat", False]}, {"$gt": ["$netstat", {}]}]
- },
- "name": {"$literal": "Network connections (netstat)"},
- },
 {
 "used": {
 "$and": [{"$ifNull": ["$networks", False]}, {"$gt": ["$networks", {}]}]
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
index 5d5246187..3aaa92c96 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
@@ -16,7 +16,6 @@ class T1082(AttackTechnique):
 "$project": {
 "machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
 "aws": "$data.aws",
- "netstat": "$data.network_info.netstat",
 "process_list": "$data.process_list",
 "ssh_info": "$data.ssh_info",
 "azure_info": "$data.Azure",
@@ -28,7 +27,7 @@ class T1082(AttackTechnique):
 "machine": 1,
 "collections": [
 {
- "used": {"$and": [{"$ifNull": ["$netstat", False]}, {"$gt": ["$aws", {}]}]},
+ "used": {"$and": [{"$gt": ["$aws", {}]}]},
 "name": {"$literal": "Amazon Web Services info"},
 },
 {
@@ -40,12 +39,6 @@ class T1082(AttackTechnique):
 },
 "name": {"$literal": "Running process list"},
 },
- {
- "used": {
- "$and": [{"$ifNull": ["$netstat", False]}, {"$ne": ["$netstat", []]}]
- },
- "name": {"$literal": "Network connections"},
- },
 {
 "used": {
 "$and": [{"$ifNull": ["$ssh_info", False]}, {"$ne": ["$ssh_info", []]}]
@@ -61,6 +54,7 @@ class T1082(AttackTechnique):
 },
 "name": {"$literal": "Azure info"},
 },
+ {"used": True, "name": {"$literal": "Network interfaces"}},
 ],
 }
 },
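Review bot: The new `{"used": True, "name": {"$literal": "Network interfaces"}}` entry in the last T1082 hunk marks the collection as used unconditionally, whereas every neighbouring entry, and the T1016 report in this same commit, derives `used` from the projected data; a telemetry record whose `network_info.networks` is empty or missing would still be listed as a collected data source in the technique report. To keep the two reports consistent, project the field in the first T1082 hunk, `"networks": "$data.network_info.networks",`, and compute the flag the way T1016 does, `"used": {"$and": [{"$ifNull": ["$networks", False]}, {"$gt": ["$networks", {}]}]},`. The repaired AWS check in the second hunk is now a single-element `$and`; `"used": {"$gt": ["$aws", {}]},` says the same thing more plainly. The `T1082` class and the pipeline list these entries belong to start and end outside these hunks.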