Merge pull request #582 from shreyamalviya/map-create-user-pba-to-matrix

Map create user PBA to ATT&CK matrix
This commit is contained in:
VakarisZ 2020-05-04 12:10:44 +03:00 committed by GitHub
commit f3ec436f78
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 106 additions and 5 deletions

View File

@ -4,6 +4,7 @@ from monkey_island.cc.models import Monkey
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082 from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188 from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016, T1021, T1064 from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016, T1021, T1064
from monkey_island.cc.services.attack.technique_reports import T1136
from monkey_island.cc.services.attack.attack_config import AttackConfig from monkey_island.cc.services.attack.attack_config import AttackConfig
from monkey_island.cc.database import mongo from monkey_island.cc.database import mongo
from monkey_island.cc.services.reporting.report_generation_synchronisation import safe_generate_attack_report from monkey_island.cc.services.reporting.report_generation_synchronisation import safe_generate_attack_report
@ -35,7 +36,8 @@ TECHNIQUES = {'T1210': T1210.T1210,
'T1018': T1018.T1018, 'T1018': T1018.T1018,
'T1016': T1016.T1016, 'T1016': T1016.T1016,
'T1021': T1021.T1021, 'T1021': T1021.T1021,
'T1064': T1064.T1064 'T1064': T1064.T1064,
'T1136': T1136.T1136
} }
REPORT_NAME = 'new_report' REPORT_NAME = 'new_report'

View File

@ -289,6 +289,22 @@ SCHEMA = {
"description": "Data exfiltration is performed over the Command and Control channel." "description": "Data exfiltration is performed over the Command and Control channel."
} }
} }
},
"persistence": {
"title": "Persistence",
"type": "object",
"link": "https://attack.mitre.org/tactics/TA0003/",
"properties": {
"T1136": {
"title": "Create account",
"type": "bool",
"value": True,
"necessary": False,
"link": "https://attack.mitre.org/techniques/T1136",
"description": "Adversaries with a sufficient level of access "
"may create a local system, domain, or cloud tenant account."
}
}
} }
} }
} }

View File

@ -0,0 +1,39 @@
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
from monkey_island.cc.services.reporting.report import ReportService
from common.utils.attack_utils import ScanStatus
from common.data.post_breach_consts import POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER
from monkey_island.cc.models import Monkey
__author__ = "shreyamalviya"
class T1136(AttackTechnique):
tech_id = "T1136"
unscanned_msg = "Monkey didn't try creating a new user on the network's systems."
scanned_msg = "Monkey tried creating a new user on the network's systems, but failed."
used_msg = "Monkey created a new user on the network's systems."
@staticmethod
def get_report_data():
data = {'title': T1136.technique_title()}
scanned_nodes = ReportService.get_scanned()
status = ScanStatus.UNSCANNED.value
for node in scanned_nodes:
if node['pba_results'] != 'None':
for pba in node['pba_results']:
if pba['name'] in [POST_BREACH_BACKDOOR_USER,
POST_BREACH_COMMUNICATE_AS_NEW_USER]:
status = ScanStatus.USED.value if pba['result'][1]\
else ScanStatus.SCANNED.value
data.update({
'info': [{
'machine': {
'hostname': pba['hostname'],
'ips': node['ip_addresses'],
},
'result': ': '.join([pba['name'], pba['result'][0]])
}]
})
data.update(T1136.get_message_and_status(status))
return data

View File

@ -140,7 +140,7 @@ SCHEMA = {
}, },
], ],
}, },
"post_breach_acts": { "post_breach_actions": {
"title": "Post breach actions", "title": "Post breach actions",
"type": "string", "type": "string",
"anyOf": [ "anyOf": [
@ -150,7 +150,7 @@ SCHEMA = {
"BackdoorUser" "BackdoorUser"
], ],
"title": "Back door user", "title": "Back door user",
"attack_techniques": [] "attack_techniques": ["T1136"]
}, },
{ {
"type": "string", "type": "string",
@ -158,7 +158,7 @@ SCHEMA = {
"CommunicateAsNewUser" "CommunicateAsNewUser"
], ],
"title": "Communicate as new user", "title": "Communicate as new user",
"attack_techniques": [] "attack_techniques": ["T1136"]
}, },
], ],
}, },
@ -375,9 +375,10 @@ SCHEMA = {
"type": "array", "type": "array",
"uniqueItems": True, "uniqueItems": True,
"items": { "items": {
"$ref": "#/definitions/post_breach_acts" "$ref": "#/definitions/post_breach_actions"
}, },
"default": [ "default": [
"BackdoorUser",
"CommunicateAsNewUser" "CommunicateAsNewUser"
], ],
"description": "List of actions the Monkey will run post breach" "description": "List of actions the Monkey will run post breach"

View File

@ -0,0 +1,43 @@
import React from 'react';
import ReactTable from 'react-table';
import {renderMachineFromSystemData, ScanStatus} from './Helpers'
class T1136 extends React.Component {
constructor(props) {
super(props);
}
static getColumns() {
return ([{
columns: [
{ Header: 'Machine',
id: 'machine',
accessor: x => renderMachineFromSystemData(x.machine),
style: {'whiteSpace': 'unset'}},
{ Header: 'Result',
id: 'result',
accessor: x => x.result,
style: {'whiteSpace': 'unset'}}
]
}])
}
render() {
return (
<div>
<div>{this.props.data.message}</div>
<br/>
{this.props.data.status === ScanStatus.USED ?
<ReactTable
columns={T1136.getColumns()}
data={this.props.data.info}
showPagination={false}
defaultPageSize={this.props.data.info.length}
/> : ''}
</div>
);
}
}
export default T1136;