forked from p15670423/monkey
Merge pull request #693 from shreyamalviya/mongo-search-T1136
Use mongo search for T1136's report data
This commit is contained in:
commit
8c255ece06
|
@ -1,5 +1,5 @@
|
|||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
from monkey_island.cc.services.reporting.report import ReportService
|
||||
from monkey_island.cc.database import mongo
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from common.data.post_breach_consts import POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER
|
||||
|
||||
|
@ -12,27 +12,27 @@ class T1136(AttackTechnique):
|
|||
scanned_msg = "Monkey tried creating a new user on the network's systems, but failed."
|
||||
used_msg = "Monkey created a new user on the network's systems."
|
||||
|
||||
query = [{'$match': {'telem_category': 'post_breach',
|
||||
'$or': [{'data.name': POST_BREACH_BACKDOOR_USER},
|
||||
{'data.name': POST_BREACH_COMMUNICATE_AS_NEW_USER}]}},
|
||||
{'$project': {'_id': 0,
|
||||
'machine': {'hostname': '$data.hostname',
|
||||
'ips': ['$data.ip']},
|
||||
'result': '$data.result'}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = {'title': T1136.technique_title()}
|
||||
|
||||
scanned_nodes = ReportService.get_scanned()
|
||||
create_user_info = list(mongo.db.telemetry.aggregate(T1136.query))
|
||||
|
||||
status = ScanStatus.UNSCANNED.value
|
||||
for node in scanned_nodes:
|
||||
if node['pba_results'] != 'None':
|
||||
for pba in node['pba_results']:
|
||||
if pba['name'] in [POST_BREACH_BACKDOOR_USER,
|
||||
POST_BREACH_COMMUNICATE_AS_NEW_USER]:
|
||||
status = ScanStatus.USED.value if pba['result'][1]\
|
||||
else ScanStatus.SCANNED.value
|
||||
data.update({
|
||||
'info': [{
|
||||
'machine': {
|
||||
'hostname': pba['hostname'],
|
||||
'ips': node['ip_addresses'],
|
||||
},
|
||||
'result': ': '.join([pba['name'], pba['result'][0]])
|
||||
}]
|
||||
})
|
||||
if create_user_info:
|
||||
successful_PBAs = mongo.db.telemetry.count({'$or': [{'data.name': POST_BREACH_BACKDOOR_USER},
|
||||
{'data.name': POST_BREACH_COMMUNICATE_AS_NEW_USER}],
|
||||
'data.result.1': True})
|
||||
status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
|
||||
|
||||
data.update(T1136.get_base_data_by_status(status))
|
||||
data.update({'info': create_user_info})
|
||||
return data
|
||||
|
|
Loading…
Reference in New Issue