From 9220cd2f5bbb5945738dec1e3a9ea25015fa00b0 Mon Sep 17 00:00:00 2001
From: VakarisZ
Date: Thu, 11 Nov 2021 15:27:24 +0200
Subject: [PATCH 1/4] Swimm: remove netstat system info collector references
---
 .swm/OwcKMnALpn7tuBaJY1US.swm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.swm/OwcKMnALpn7tuBaJY1US.swm b/.swm/OwcKMnALpn7tuBaJY1US.swm
index 0e87dd5e9..d99d6473c 100644
--- a/.swm/OwcKMnALpn7tuBaJY1US.swm
+++ b/.swm/OwcKMnALpn7tuBaJY1US.swm
@@ -14,7 +14,7 @@
 "content": [
 {
 "type": "text",
- "text": "# What are system info collectors?\n\nWell, the name pretty much explains it. They are Monkey classes which collect various information regarding the victim system, such as Environment, SSH Info, Process List, Netstat and more. \n\n## What should I add? \n\nA system info collector which collects the hostname of the system.\n\n## Test manually\n\nOnce you're done, make sure that your collector:\n* Appears in the Island configuration, and is enabled by default\n* The collector actually runs when executing a Monkey.\n* Results show up in the relevant places:\n * The infection map.\n * The security report.\n * The relevant MITRE techniques.\n\n**There are a lot of hints for this unit - don't be afraid to use them!**"
+ "text": "# What are system info collectors?\n\nWell, the name pretty much explains it. They are Monkey classes which collect various information regarding the victim system, such as Environment, SSH Info, Process List and more. \n\n## What should I add? \n\nA system info collector which collects the hostname of the system.\n\n## Test manually\n\nOnce you're done, make sure that your collector:\n* Appears in the Island configuration, and is enabled by default\n* The collector actually runs when executing a Monkey.\n* Results show up in the relevant places:\n * The infection map.\n * The security report.\n * The relevant MITRE techniques.\n\n**There are a lot of hints for this unit - don't be afraid to use them!**"
 },
 {
 "type": "snippet",
From 9e3ac63090d1b0ee1b7c9957c35b1c1e10d5429b Mon Sep 17 00:00:00 2001
From: VakarisZ
Date: Thu, 11 Nov 2021 15:33:50 +0200
Subject: [PATCH 2/4] Agent, Island: remove netstat collector and references
---
 .../infection_monkey/system_info/__init__.py | 8 +---
 .../system_info/netstat_collector.py | 42 -------------------
 .../attack/technique_reports/T1016.py | 8 ----
 .../attack/technique_reports/T1082.py | 9 +---
 4 files changed, 3 insertions(+), 64 deletions(-)
 delete mode 100644 monkey/infection_monkey/system_info/netstat_collector.py
diff --git a/monkey/infection_monkey/system_info/__init__.py b/monkey/infection_monkey/system_info/__init__.py
index 7d0659926..830a741f1 100644
--- a/monkey/infection_monkey/system_info/__init__.py
+++ b/monkey/infection_monkey/system_info/__init__.py
@@ -7,7 +7,6 @@ import psutil
 from common.common_consts.system_info_collectors_names import AZURE_CRED_COLLECTOR
 from infection_monkey.network.info import get_host_subnets
 from infection_monkey.system_info.azure_cred_collector import AzureCollector
-from infection_monkey.system_info.netstat_collector import NetstatCollector
 from infection_monkey.system_info.system_info_collectors_handler import SystemInfoCollectorsHandler
 
 logger = logging.getLogger(__name__)
@@ -72,15 +71,12 @@ class InfoCollector(object):
 def get_network_info(self):
 """
 Adds network information from the host to the system information.
- Currently updates with netstat and a list of networks accessible from host
+ Currently updates with list of networks accessible from host
 containing host ip and the subnet range
 :return: None. Updates class information
 """
 logger.debug("Reading subnets")
- self.info["network_info"] = {
- "networks": get_host_subnets(),
- "netstat": NetstatCollector.get_netstat_info(),
- }
+ self.info["network_info"] = {"networks": get_host_subnets()}
 
 def get_azure_info(self):
 """
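Review bot: The rewritten docstring line `+ Currently updates with list of networks accessible from host` drops the article; `Currently updates with a list of networks accessible from host` reads correctly, and since the value is now a one-line dict it is worth stating the resulting shape, e.g. `Sets self.info["network_info"] to {"networks": [...]} as returned by get_host_subnets()`. The `networks` key written here is still read by the Island through the `$data.network_info.networks` projections in T1016 and T1082, which this patch keeps, but any other Island-side reader of `network_info["netstat"]` (report or UI code) is not visible in this patch, so it is worth confirming none remains before the key stops arriving in new telemetry. Removing the connection table also shrinks what the agent reports back about the host, which seems to be the intent given the changelog entry. The class InfoCollector enclosing get_network_info starts outside the hunk.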
diff --git a/monkey/infection_monkey/system_info/netstat_collector.py b/monkey/infection_monkey/system_info/netstat_collector.py
deleted file mode 100644
index 1f28123dc..000000000
--- a/monkey/infection_monkey/system_info/netstat_collector.py
+++ /dev/null
@@ -1,42 +0,0 @@
-# Inspired by Giampaolo Rodola's psutil example from
-# https://github.com/giampaolo/psutil/blob/master/scripts/netstat.py
-
-import logging
-import socket
-from socket import AF_INET, SOCK_DGRAM, SOCK_STREAM
-
-import psutil
-
-logger = logging.getLogger(__name__)
-
-
-class NetstatCollector(object):
- """
- Extract netstat info
- """
-
- AF_INET6 = getattr(socket, "AF_INET6", object())
-
- proto_map = {
- (AF_INET, SOCK_STREAM): "tcp",
- (AF_INET6, SOCK_STREAM): "tcp6",
- (AF_INET, SOCK_DGRAM): "udp",
- (AF_INET6, SOCK_DGRAM): "udp6",
- }
-
- @staticmethod
- def get_netstat_info():
- logger.info("Collecting netstat info")
- return [NetstatCollector._parse_connection(c) for c in psutil.net_connections(kind="inet")]
-
- @staticmethod
- def _parse_connection(c):
- return {
- "proto": NetstatCollector.proto_map[(c.family, c.type)],
- "local_address": c.laddr[0],
- "local_port": c.laddr[1],
- "remote_address": c.raddr[0] if c.raddr else None,
- "remote_port": c.raddr[1] if c.raddr else None,
- "status": c.status,
- "pid": c.pid,
- }
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py
index 240b38b18..13f5385f3 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py
@@ -16,21 +16,13 @@ class T1016(AttackTechnique):
 "$project": {
 "machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
 "networks": "$data.network_info.networks",
- "netstat": "$data.network_info.netstat",
 }
 },
 {
 "$addFields": {
 "_id": 0,
- "netstat": 0,
 "networks": 0,
 "info": [
- {
- "used": {
- "$and": [{"$ifNull": ["$netstat", False]}, {"$gt": ["$netstat", {}]}]
- },
- "name": {"$literal": "Network connections (netstat)"},
- },
 {
 "used": {
 "$and": [{"$ifNull": ["$networks", False]}, {"$gt": ["$networks", {}]}]
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
index 5d5246187..1acbbcfff 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
@@ -16,7 +16,6 @@ class T1082(AttackTechnique):
 "$project": {
 "machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
 "aws": "$data.aws",
- "netstat": "$data.network_info.netstat",
 "process_list": "$data.process_list",
 "ssh_info": "$data.ssh_info",
 "azure_info": "$data.Azure",
@@ -28,7 +27,7 @@ class T1082(AttackTechnique):
 "machine": 1,
 "collections": [
 {
- "used": {"$and": [{"$ifNull": ["$netstat", False]}, {"$gt": ["$aws", {}]}]},
+ "used": {"$and": [{"$gt": ["$aws", {}]}]},
 "name": {"$literal": "Amazon Web Services info"},
 },
 {
@@ -40,12 +39,6 @@ class T1082(AttackTechnique):
 },
 "name": {"$literal": "Running process list"},
 },
- {
- "used": {
- "$and": [{"$ifNull": ["$netstat", False]}, {"$ne": ["$netstat", []]}]
- },
- "name": {"$literal": "Network connections"},
- },
 {
 "used": {
 "$and": [{"$ifNull": ["$ssh_info", False]}, {"$ne": ["$ssh_info", []]}]
From a451764a6fc914482d43d85647860a32cf139f83 Mon Sep 17 00:00:00 2001
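Review bot: In the second T1082 hunk (`@@ -28,7 +27,7 @@`) the new `"used"` expression for the AWS row keeps `$and` around a single operand and, unlike the `ssh_info` entry further down and the `netstat` entry being removed, no longer has an `$ifNull` guard for a missing field. The removed line tied the AWS row to `$netstat`, which looks like the real bug; the fix consistent with its siblings is to correct the field name rather than drop the guard: `"used": {"$and": [{"$ifNull": ["$aws", False]}, {"$gt": ["$aws", {}]}]},`. If a bare comparison is intended, `"used": {"$gt": ["$aws", {}]},` says the same thing without the redundant wrapper. Whether `$gt` against `{}` is the right test for an absent or empty `aws` document depends on how the agent reports it, which is not visible here. The pipeline stage and the T1082 class enclosing this entry begin and end outside the hunk.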
From: VakarisZ
Date: Fri, 12 Nov 2021 11:52:21 +0200
Subject: [PATCH 3/4] Island: fix ATT&CK report T1082 technique to display that at least data about Network interfaces was gathered. Otherwise the "Info gathered" column might be empty.
---
 .../monkey_island/cc/services/attack/technique_reports/T1082.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
index 1acbbcfff..3aaa92c96 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
@@ -54,6 +54,7 @@ class T1082(AttackTechnique):
 },
 "name": {"$literal": "Azure info"},
 },
+ {"used": True, "name": {"$literal": "Network interfaces"}},
 ],
 }
 },
From 435f52a6586fcb7939e8f6b5ea4581349cbe1323 Mon Sep 17 00:00:00 2001
From: VakarisZ
Date: Fri, 12 Nov 2021 14:09:07 +0200
Subject: [PATCH 4/4] Changelog: add entry about removed netstat collector
---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 995232e80..fb965f029 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,8 +13,9 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Removed
 - The VSFTPD exploiter. #1533
 - Manual agent run command for CMD. #1570
-- Sambacry exploiter #1567
+- Sambacry exploiter. #1567
 - "Kill file" option in the config. #1536
+- Netstat collector, because network connection information wasn't used anywhere. #1535
 
 ### Fixed
 - A bug in network map page that caused delay of telemetry log loading. #1545
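Review bot: The added `{"used": True, "name": {"$literal": "Network interfaces"}},` hard-codes the flag, so the report will claim interface data was gathered for every document that reaches this stage even when `network_info.networks` is missing or empty, whereas every sibling entry in `collections` computes `used` from the projected data. The same field is already in the pipeline as `$data.network_info.networks` (projected into `machine.ips` earlier in this file per the previous patch), so it could be projected once more as `"networks": "$data.network_info.networks",` in the `$project` stage and the new entry written as `{"used": {"$and": [{"$ifNull": ["$networks", False]}, {"$ne": ["$networks", []]}]}, "name": {"$literal": "Network interfaces"}},`, matching the `ssh_info` check in the same list. If `True` is deliberate because the `$match` earlier in the pipeline already guarantees a non-empty list, a short comment on the line saying so would prevent the next reader from asking the same question. The `collections` list and the enclosing T1082 class start outside the hunk.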