Change logic for checking technique status

This commit is contained in:
Shreya 2020-07-28 14:58:39 +05:30
parent 76aae1faec
commit 98ef46b4ec
16 changed files with 178 additions and 110 deletions


@ -19,10 +19,15 @@ class T1003(AttackTechnique):
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
data = {'title': T1003.technique_title()} data = {'title': T1003.technique_title()}
if not T1003.is_enabled_in_config():
status = ScanStatus.DISABLED.value
else:
if mongo.db.telemetry.count_documents(T1003.query): if mongo.db.telemetry.count_documents(T1003.query):
status = ScanStatus.USED.value status = ScanStatus.USED.value
else: else:
status = ScanStatus.UNSCANNED.value status = ScanStatus.UNSCANNED.value
data.update(T1003.get_message_and_status(status)) data.update(T1003.get_message_and_status(status))
data.update(T1003.get_mitigation_by_status(status)) data.update(T1003.get_mitigation_by_status(status))
data['stolen_creds'] = ReportService.get_stolen_creds() data['stolen_creds'] = ReportService.get_stolen_creds()
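Review bot: `data['stolen_creds'] = ReportService.get_stolen_creds()` at the end of the hunk still runs when the technique is disabled, so a disabled T1003 entry carries the full stolen-credential list; the rendering has dropped indentation, so this holds only if that line sits outside the new `else:`, where it was before the change. If that is not intended, set `data['stolen_creds'] = []` in the disabled branch and move the lookup under `else:`, which also avoids a query for a technique the user switched off. get_report_data's body continues outside the hunk.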


@ -27,8 +27,14 @@ class T1016(AttackTechnique):
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
network_info = []
if not T1016.is_enabled_in_config():
status = ScanStatus.DISABLED.value
else:
network_info = list(mongo.db.telemetry.aggregate(T1016.query)) network_info = list(mongo.db.telemetry.aggregate(T1016.query))
status = ScanStatus.USED.value if network_info else ScanStatus.UNSCANNED.value status = ScanStatus.USED.value if network_info else ScanStatus.UNSCANNED.value
data = T1016.get_base_data_by_status(status) data = T1016.get_base_data_by_status(status)
data.update({'network_info': network_info}) data.update({'network_info': network_info})
return data return data
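Review bot: The new guard (`if not T1016.is_enabled_in_config(): status = ScanStatus.DISABLED.value` / `else:`) is the same three lines pasted into every technique in this commit (T1018, T1021, T1041, T1075, T1082, T1090, T1110, T1145, T1188 and T1210 as well), each with its own `network_info = []`-style sentinel; a single helper on AttackTechnique that yields the DISABLED status would keep the check in one place so a future change to what "enabled" means is not another fourteen-file edit. The `network_info = []` before the check is needed here because the `data.update({'network_info': network_info})` context line reads it in the disabled case, so keep that part. get_report_data's signature is in the hunk but the class header is not.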


@ -28,11 +28,17 @@ class T1018(AttackTechnique):
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
scan_info = []
if not T1018.is_enabled_in_config():
status = ScanStatus.DISABLED.value
else:
scan_info = list(mongo.db.telemetry.aggregate(T1018.query)) scan_info = list(mongo.db.telemetry.aggregate(T1018.query))
if scan_info: if scan_info:
status = ScanStatus.USED.value status = ScanStatus.USED.value
else: else:
status = ScanStatus.UNSCANNED.value status = ScanStatus.UNSCANNED.value
data = T1018.get_base_data_by_status(status) data = T1018.get_base_data_by_status(status)
data.update({'scan_info': scan_info}) data.update({'scan_info': scan_info})
return data return data


@ -34,6 +34,10 @@ class T1021(AttackTechnique):
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
attempts = [] attempts = []
if not T1021.is_enabled_in_config():
status = ScanStatus.DISABLED.value
else:
if mongo.db.telemetry.count_documents(T1021.scanned_query): if mongo.db.telemetry.count_documents(T1021.scanned_query):
attempts = list(mongo.db.telemetry.aggregate(T1021.query)) attempts = list(mongo.db.telemetry.aggregate(T1021.query))
if attempts: if attempts:
@ -46,6 +50,7 @@ class T1021(AttackTechnique):
status = ScanStatus.SCANNED.value status = ScanStatus.SCANNED.value
else: else:
status = ScanStatus.UNSCANNED.value status = ScanStatus.UNSCANNED.value
data = T1021.get_base_data_by_status(status) data = T1021.get_base_data_by_status(status)
data.update({'services': attempts}) data.update({'services': attempts})
return data return data


@ -13,6 +13,11 @@ class T1041(AttackTechnique):
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
info = []
if not T1041.is_enabled_in_config():
status = ScanStatus.DISABLED.value
else:
monkeys = list(Monkey.objects()) monkeys = list(Monkey.objects())
info = [{'src': monkey['command_control_channel']['src'], info = [{'src': monkey['command_control_channel']['src'],
'dst': monkey['command_control_channel']['dst']} 'dst': monkey['command_control_channel']['dst']}
@ -21,6 +26,7 @@ class T1041(AttackTechnique):
status = ScanStatus.USED.value status = ScanStatus.USED.value
else: else:
status = ScanStatus.UNSCANNED.value status = ScanStatus.UNSCANNED.value
data = T1041.get_base_data_by_status(status) data = T1041.get_base_data_by_status(status)
data.update({'command_control_channel': info}) data.update({'command_control_channel': info})
return data return data


@ -23,12 +23,16 @@ class T1059(AttackTechnique):
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
if not T1059.is_enabled_in_config():
status = ScanStatus.DISABLED.value
else:
cmd_data = list(mongo.db.telemetry.aggregate(T1059.query)) cmd_data = list(mongo.db.telemetry.aggregate(T1059.query))
data = {'title': T1059.technique_title(), 'cmds': cmd_data} data = {'title': T1059.technique_title(), 'cmds': cmd_data}
if cmd_data: if cmd_data:
status = ScanStatus.USED.value status = ScanStatus.USED.value
else: else:
status = ScanStatus.UNSCANNED.value status = ScanStatus.UNSCANNED.value
data.update(T1059.get_message_and_status(status)) data.update(T1059.get_message_and_status(status))
data.update(T1059.get_mitigation_by_status(status)) data.update(T1059.get_mitigation_by_status(status))
return data return data
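Review bot: In the disabled branch neither `data` nor `cmd_data` is assigned, so `data.update(T1059.get_message_and_status(status))` after the `if/else` would raise UnboundLocalError as soon as T1059 is switched off in the config; the rendering has dropped indentation, so this assumes the trailing `data.update(...)` calls stay at function level as their position in the hunk suggests. T1086 in this commit has the same shape (`data = {'title': ..., 'cmds': cmd_data}` only inside `else:`), whereas T1003, T1075 and T1082 build `data` before the check. Initialize before the guard as the other files do: `cmd_data = []` and `data = {'title': T1059.technique_title(), 'cmds': cmd_data}` ahead of `if not T1059.is_enabled_in_config():`, leaving only the aggregate and the `cmds` assignment inside `else:`. The class header is outside the hunk.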


@ -31,6 +31,10 @@ class T1075(AttackTechnique):
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
data = {'title': T1075.technique_title()} data = {'title': T1075.technique_title()}
if not T1075.is_enabled_in_config():
status = ScanStatus.DISABLED.value
else:
successful_logins = list(mongo.db.telemetry.aggregate(T1075.query)) successful_logins = list(mongo.db.telemetry.aggregate(T1075.query))
data.update({'successful_logins': successful_logins}) data.update({'successful_logins': successful_logins})
if successful_logins: if successful_logins:
@ -39,6 +43,7 @@ class T1075(AttackTechnique):
status = ScanStatus.SCANNED.value status = ScanStatus.SCANNED.value
else: else:
status = ScanStatus.UNSCANNED.value status = ScanStatus.UNSCANNED.value
data.update(T1075.get_message_and_status(status)) data.update(T1075.get_message_and_status(status))
data.update(T1075.get_mitigation_by_status(status)) data.update(T1075.get_mitigation_by_status(status))
return data return data


@ -39,12 +39,17 @@ class T1082(AttackTechnique):
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
data = {'title': T1082.technique_title()} data = {'title': T1082.technique_title()}
if not T1082.is_enabled_in_config():
status = ScanStatus.DISABLED.value
else:
system_info = list(mongo.db.telemetry.aggregate(T1082.query)) system_info = list(mongo.db.telemetry.aggregate(T1082.query))
data.update({'system_info': system_info}) data.update({'system_info': system_info})
if system_info: if system_info:
status = ScanStatus.USED.value status = ScanStatus.USED.value
else: else:
status = ScanStatus.UNSCANNED.value status = ScanStatus.UNSCANNED.value
data.update(T1082.get_mitigation_by_status(status)) data.update(T1082.get_mitigation_by_status(status))
data.update(T1082.get_message_and_status(status)) data.update(T1082.get_message_and_status(status))
return data return data


@ -25,6 +25,9 @@ class T1086(AttackTechnique):
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
if not T1086.is_enabled_in_config():
status = ScanStatus.DISABLED.value
else:
cmd_data = list(mongo.db.telemetry.aggregate(T1086.query)) cmd_data = list(mongo.db.telemetry.aggregate(T1086.query))
data = {'title': T1086.technique_title(), 'cmds': cmd_data} data = {'title': T1086.technique_title(), 'cmds': cmd_data}
if cmd_data: if cmd_data:


@ -13,9 +13,15 @@ class T1090(AttackTechnique):
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
monkeys = []
if not T1090.is_enabled_in_config():
status = ScanStatus.DISABLED.value
else:
monkeys = Monkey.get_tunneled_monkeys() monkeys = Monkey.get_tunneled_monkeys()
monkeys = [monkey.get_network_info() for monkey in monkeys] monkeys = [monkey.get_network_info() for monkey in monkeys]
status = ScanStatus.USED.value if monkeys else ScanStatus.UNSCANNED.value status = ScanStatus.USED.value if monkeys else ScanStatus.UNSCANNED.value
data = T1090.get_base_data_by_status(status) data = T1090.get_base_data_by_status(status)
data.update({'proxies': monkeys}) data.update({'proxies': monkeys})
return data return data


@ -26,6 +26,11 @@ class T1110(AttackTechnique):
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
attempts = []
if not T1110.is_enabled_in_config():
status = ScanStatus.DISABLED.value
else:
attempts = list(mongo.db.telemetry.aggregate(T1110.query)) attempts = list(mongo.db.telemetry.aggregate(T1110.query))
succeeded = False succeeded = False
@ -41,6 +46,7 @@ class T1110(AttackTechnique):
status = ScanStatus.SCANNED.value status = ScanStatus.SCANNED.value
else: else:
status = ScanStatus.UNSCANNED.value status = ScanStatus.UNSCANNED.value
data = T1110.get_base_data_by_status(status) data = T1110.get_base_data_by_status(status)
# Remove data with no successful brute force attempts # Remove data with no successful brute force attempts
attempts = [attempt for attempt in attempts if attempt['attempts']] attempts = [attempt for attempt in attempts if attempt['attempts']]


@ -20,12 +20,17 @@ class T1145(AttackTechnique):
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
ssh_info = list(mongo.db.telemetry.aggregate(T1145.query)) ssh_info = []
if not T1145.is_enabled_in_config():
status = ScanStatus.DISABLED.value
else:
ssh_info = list(mongo.db.telemetry.aggregate(T1145.query))
if ssh_info: if ssh_info:
status = ScanStatus.USED.value status = ScanStatus.USED.value
else: else:
status = ScanStatus.UNSCANNED.value status = ScanStatus.UNSCANNED.value
data = T1145.get_base_data_by_status(status) data = T1145.get_base_data_by_status(status)
data.update({'ssh_info': ssh_info}) data.update({'ssh_info': ssh_info})
return data return data


@ -13,6 +13,11 @@ class T1188(AttackTechnique):
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
hops = []
if not T1188.is_enabled_in_config():
status = ScanStatus.DISABLED.value
else:
monkeys = Monkey.get_tunneled_monkeys() monkeys = Monkey.get_tunneled_monkeys()
hops = [] hops = []
for monkey in monkeys: for monkey in monkeys:
@ -26,6 +31,7 @@ class T1188(AttackTechnique):
'to': proxy.get_network_info(), 'to': proxy.get_network_info(),
'count': proxy_count}) 'count': proxy_count})
status = ScanStatus.USED.value if hops else ScanStatus.UNSCANNED.value status = ScanStatus.USED.value if hops else ScanStatus.UNSCANNED.value
data = T1188.get_base_data_by_status(status) data = T1188.get_base_data_by_status(status)
data.update({'hops': hops}) data.update({'hops': hops})
return data return data
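Review bot: `hops = []` now appears twice — the new line before the guard and the pre-existing one inside `else:` right after `monkeys = Monkey.get_tunneled_monkeys()` — so the inner assignment is dead; drop the inner `hops = []` and keep the outer one, which the `data.update({'hops': hops})` context line relies on when the technique is disabled. The loop that fills `hops` runs between the two hunks and is not shown here.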


@ -13,7 +13,13 @@ class T1210(AttackTechnique):
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
scanned_services = []
exploited_services = []
data = {'title': T1210.technique_title()} data = {'title': T1210.technique_title()}
if not T1210.is_enabled_in_config():
status = ScanStatus.DISABLED.value
else:
scanned_services = T1210.get_scanned_services() scanned_services = T1210.get_scanned_services()
exploited_services = T1210.get_exploited_services() exploited_services = T1210.get_exploited_services()
if exploited_services: if exploited_services:
@ -22,6 +28,7 @@ class T1210(AttackTechnique):
status = ScanStatus.SCANNED.value status = ScanStatus.SCANNED.value
else: else:
status = ScanStatus.UNSCANNED.value status = ScanStatus.UNSCANNED.value
data.update(T1210.get_message_and_status(status)) data.update(T1210.get_message_and_status(status))
data.update(T1210.get_mitigation_by_status(status)) data.update(T1210.get_mitigation_by_status(status))
data.update({'scanned_services': scanned_services, 'exploited_services': exploited_services}) data.update({'scanned_services': scanned_services, 'exploited_services': exploited_services})


@ -63,7 +63,7 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
Gets the status of a certain attack technique. Gets the status of a certain attack technique.
:return: ScanStatus numeric value :return: ScanStatus numeric value
""" """
if cls._is_disabled_in_config(): if not cls.is_enabled_in_config():
return ScanStatus.DISABLED.value return ScanStatus.DISABLED.value
elif mongo.db.telemetry.find_one({'telem_category': 'attack', elif mongo.db.telemetry.find_one({'telem_category': 'attack',
'data.status': ScanStatus.USED.value, 'data.status': ScanStatus.USED.value,
@ -83,7 +83,6 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
:param status: Enum from common/attack_utils.py integer value :param status: Enum from common/attack_utils.py integer value
:return: Dict with message and status :return: Dict with message and status
""" """
status = cls._check_status(status)
return {'message': cls.get_message_by_status(status), 'status': status} return {'message': cls.get_message_by_status(status), 'status': status}
@classmethod @classmethod
@ -93,7 +92,6 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
:param status: Enum from common/attack_utils.py integer value :param status: Enum from common/attack_utils.py integer value
:return: message string :return: message string
""" """
status = cls._check_status(status)
if status == ScanStatus.DISABLED.value: if status == ScanStatus.DISABLED.value:
return disabled_msg return disabled_msg
if status == ScanStatus.UNSCANNED.value: if status == ScanStatus.UNSCANNED.value:
@ -127,7 +125,6 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
@classmethod @classmethod
def get_base_data_by_status(cls, status): def get_base_data_by_status(cls, status):
status = cls._check_status(status)
data = cls.get_message_and_status(status) data = cls.get_message_and_status(status)
data.update({'title': cls.technique_title()}) data.update({'title': cls.technique_title()})
data.update(cls.get_mitigation_by_status(status)) data.update(cls.get_mitigation_by_status(status))
@ -135,7 +132,6 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
@classmethod @classmethod
def get_mitigation_by_status(cls, status: ScanStatus) -> dict: def get_mitigation_by_status(cls, status: ScanStatus) -> dict:
status = cls._check_status(status)
if status == ScanStatus.USED.value: if status == ScanStatus.USED.value:
mitigation_document = AttackMitigations.get_mitigation_by_technique_id(str(cls.tech_id)) mitigation_document = AttackMitigations.get_mitigation_by_technique_id(str(cls.tech_id))
return {'mitigations': mitigation_document.to_mongo().to_dict()['mitigations']} return {'mitigations': mitigation_document.to_mongo().to_dict()['mitigations']}
@ -143,11 +139,5 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
return {} return {}
@classmethod @classmethod
def _check_status(cls, status): def is_enabled_in_config(cls) -> bool:
if status == ScanStatus.UNSCANNED.value and not cls._is_enabled_in_config(): return AttackConfig.get_technique_values()[cls.tech_id]
return ScanStatus.DISABLED.value
return status
@classmethod
def _is_disabled_in_config(cls):
return not AttackConfig.get_technique_values()[cls.tech_id]
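Review bot: `is_enabled_in_config` is annotated `-> bool` but returns the raw entry from `AttackConfig.get_technique_values()[cls.tech_id]`, and a technique id missing from that dict raises KeyError; since every `get_report_data` in this commit now calls it first, one unconfigured technique fails the whole report rather than a single status (the removed `_is_disabled_in_config` did the same lookup, so the exposure is not new, only its reach). Consider `return bool(AttackConfig.get_technique_values()[cls.tech_id])` and a docstring such as `"""Return True if this technique is switched on in the attack config; raises KeyError if tech_id is absent."""` so callers know which failure mode they get. Removing `status = cls._check_status(status)` from get_message_and_status, get_message_by_status, get_base_data_by_status and get_mitigation_by_status also changes their contract: a caller that still passes UNSCANNED for a disabled technique now gets the unscanned message instead of `disabled_msg`, so any AttackTechnique subclass outside the files in this commit should be checked for that path. Each of those methods begins or ends outside its hunk.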


@ -39,9 +39,12 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
:return: Technique's report data aggregated from the database :return: Technique's report data aggregated from the database
""" """
data = {'title': cls.technique_title(), 'info': []} data = {'title': cls.technique_title(), 'info': []}
info = []
if not cls.is_enabled_in_config():
status = ScanStatus.DISABLED.value
else:
info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names))) info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names)))
status = ScanStatus.UNSCANNED.value status = ScanStatus.UNSCANNED.value
if info: if info:
successful_PBAs = mongo.db.telemetry.count({ successful_PBAs = mongo.db.telemetry.count({