From 8078acdf7fe6fdf5ea6e6871d05fd977c83e1ecc Mon Sep 17 00:00:00 2001
From: Shreya
Date: Sat, 11 Jul 2020 01:08:41 +0530
Subject: [PATCH] Add DISABLED status for attack techniques
---
 .../attack/technique_reports/T1136.py | 5 +++++
 .../attack/technique_reports/T1156.py | 9 ++++++---
 .../attack/technique_reports/T1158.py | 2 +-
 .../attack/technique_reports/T1504.py | 9 ++++++---
 .../attack/technique_reports/__init__.py | 19 +++++++------------
 .../attack/technique_reports/pba_technique.py | 13 +++++++++----
 .../report-components/AttackReport.js | 4 ++--
 .../cc/ui/src/styles/components/Collapse.scss | 10 +++++++---
 8 files changed, 43 insertions(+), 28 deletions(-)
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
index 086a1c139..1bd3ba212 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
@@ -1,7 +1,12 @@
 from common.data.post_breach_consts import ( POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER)
+from common.utils.attack_utils import ScanStatus
+from monkey_island.cc.database import mongo
+from monkey_island.cc.services.attack.attack_config import AttackConfig
+from monkey_island.cc.services.attack.technique_reports import AttackTechnique
 from monkey_island.cc.services.attack.technique_reports.pba_technique import \
 PostBreachTechnique
+from monkey_island.cc.services.reporting.report import ReportService
 __author__ = "shreyamalviya"
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
index 939ebc946..48f12f5e3 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
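Review bot: The five imports added to T1136.py (`ScanStatus`, `mongo`, `AttackConfig`, `AttackTechnique`, `ReportService`) appear unused — the diffstat shows the file gains only these five lines, and none of them was imported before, so nothing in the module can reference them; they should be dropped. The `ReportService` import in particular pulls `monkey_island.cc.services.reporting.report` into a technique module that the report service presumably loads itself, which risks an import cycle (to be confirmed against that module). The three imports added at the top of T1156.py and T1504.py are in the same situation: the only other change to those files is message wording, which uses none of them. The rest of T1136.py is outside this hunk.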
@@ -1,5 +1,8 @@
 from common.data.post_breach_consts import \
 POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
+from common.utils.attack_utils import ScanStatus
+from monkey_island.cc.database import mongo
+from monkey_island.cc.services.attack.technique_reports import AttackTechnique
 from monkey_island.cc.services.attack.technique_reports.pba_technique import \
 PostBreachTechnique
@@ -8,7 +11,7 @@ __author__ = "shreyamalviya"
 class T1156(PostBreachTechnique):
 tech_id = "T1156"
- unscanned_msg = "Monkey didn't try modifying bash startup files since it found no Linux machines."
- scanned_msg = "Monkey tried modifying bash startup files but failed."
- used_msg = "Monkey successfully modified bash startup files."
+ unscanned_msg = "Monkey did not try modifying bash startup files on the system."
+ scanned_msg = "Monkey tried modifying bash startup files on the system but failed."
+ used_msg = "Monkey modified bash startup files on the system."
 pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1158.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1158.py
index dce2b3adb..7b0f87358 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1158.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1158.py
@@ -10,4 +10,4 @@ class T1158(PostBreachTechnique):
 unscanned_msg = "Monkey didn't try creating hidden files or folders."
 scanned_msg = "Monkey tried creating hidden files and folders on the system but failed."
 used_msg = "Monkey created hidden files and folders on the system."
- pba_name = POST_BREACH_HIDDEN_FILES
+ pba_names = [POST_BREACH_HIDDEN_FILES]
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
index 5e38b6630..9f6a0fb83 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
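Review bot: The reworded messages in the T1156 hunk drop the only text that tied the technique to Linux ("since it found no Linux machines"), yet T1156 and T1504 both keep `pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]`, and the `$match` built in pba_technique.py filters on `telem_category` and `data.name` only, so the two techniques aggregate the same telemetry. Unless the PBA telemetry distinguishes bash from PowerShell somewhere outside this diff, a run that only touched bash startup files would also show T1504 as "Monkey modified powershell startup files on the system.", which misstates what happened. Either filter the query on the target OS or keep the wording neutral, e.g. `used_msg = "Monkey modified shell startup files on the system."`. The same applies to the T1504 message hunk on the next line.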
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
@@ -1,5 +1,8 @@
 from common.data.post_breach_consts import \
 POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
+from common.utils.attack_utils import ScanStatus
+from monkey_island.cc.database import mongo
+from monkey_island.cc.services.attack.technique_reports import AttackTechnique
 from monkey_island.cc.services.attack.technique_reports.pba_technique import \
 PostBreachTechnique
@@ -8,7 +11,7 @@ __author__ = "shreyamalviya"
 class T1504(PostBreachTechnique):
 tech_id = "T1504"
- unscanned_msg = "Monkey didn't try modifying powershell startup files since it found no Windows machines."
- scanned_msg = "Monkey tried modifying powershell startup files but failed."
- used_msg = "Monkey successfully modified powershell startup files."
+ unscanned_msg = "Monkey did not try modifying powershell startup files on the system."
+ scanned_msg = "Monkey tried modifying powershell startup files on the system but failed."
+ used_msg = "Monkey modified powershell startup files on the system."
 pba_names = [POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION]
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py b/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py
index 14bd1012e..1dd9cfb24 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py
@@ -10,8 +10,7 @@ from monkey_island.cc.services.attack.attack_config import AttackConfig
 logger = logging.getLogger(__name__)
-disabled_msg = "This technique has been disabled. " +\
- "You can enable it from the [configuration page](../../configure)."
+disabled_msg = "This technique has been disabled. You can enable it from the configuration page."
 class AttackTechnique(object, metaclass=abc.ABCMeta):
@@ -74,7 +73,8 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
 'data.technique': cls.tech_id}):
 return ScanStatus.SCANNED.value
 else:
- return ScanStatus.UNSCANNED.value
+ return ScanStatus.DISABLED.value if not AttackConfig.get_technique_values()[cls.tech_id]\
+ else ScanStatus.UNSCANNED.value
 @classmethod
 def get_message_and_status(cls, status):
@@ -93,7 +93,6 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
 :param status: Enum from common/attack_utils.py integer value
 :return: message string
 """
- status = cls._check_status(status)
 if status == ScanStatus.DISABLED.value:
 return disabled_msg
 if status == ScanStatus.UNSCANNED.value:
@@ -143,12 +142,8 @@ class AttackTechnique(object, metaclass=abc.ABCMeta):
 return {}
 @classmethod
- def _check_status(cls, status, *args):
- enabled_in_config = args[0] if args else cls._is_enabled_in_config()
- if status == ScanStatus.UNSCANNED.value and not enabled_in_config:
- return ScanStatus.DISABLED.value
+ def _check_status(cls, status):
+ if status == ScanStatus.UNSCANNED.value:
+ return ScanStatus.DISABLED.value if not AttackConfig.get_technique_values()[cls.tech_id]\
+ else ScanStatus.UNSCANNED.value
 return status
-
- @classmethod
- def _is_enabled_in_config(cls):
- return AttackConfig.get_technique_values()[cls.tech_id]
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py b/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py
index fce4edf70..c588bb3c9 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py
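Review bot: The lookup `AttackConfig.get_technique_values()[cls.tech_id]` is now inlined in `get_status` (first hunk), again in `_check_status` (third hunk) and a third time in pba_technique.py's `get_report_data`, while the one helper that held it, `_is_enabled_in_config`, is deleted at the end of the third hunk; keeping that helper and writing the `else` branch as `return ScanStatus.UNSCANNED.value if cls._is_enabled_in_config() else ScanStatus.DISABLED.value` would remove the three copies and the backslash-continued conditional expressions. With `status = cls._check_status(status)` removed from `get_message_and_status` (second hunk) the UNSCANNED→DISABLED mapping is no longer applied centrally, so every technique that computes its own status must now repeat it, and nothing left in this diff calls `_check_status`, which looks dead unless a caller outside the patch remains. Dropping `*args` from `_check_status` also breaks any caller that passed a pre-computed enabled flag as the second positional argument (none visible here). Indexing with `[cls.tech_id]` still raises KeyError for a technique missing from the config and aborts the whole report, as before; if `get_technique_values()` returns a dict, `.get(cls.tech_id, False)` with a logged warning would report only that technique as disabled instead. `get_status` and `get_message_and_status` both begin before their hunks.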
@@ -9,16 +9,17 @@ from monkey_island.cc.services.attack.technique_reports import AttackTechnique
 class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
 @property
 @abc.abstractmethod
- def pba_name(self):
+ def pba_names(self):
 """
 :return: name of post breach action
 """
 pass
 @classmethod
- def get_pba_query(cls, post_breach_action_name):
+ def get_pba_query(cls, post_breach_action_names):
 return [{'$match': {'telem_category': 'post_breach',
- 'data.name': post_breach_action_name}},
+ # 'data.name': post_breach_action_name}},
+ '$or': [{'data.name': pba_name} for pba_name in post_breach_action_names]}},
 {'$project': {'_id': 0, 'machine': {'hostname': '$data.hostname', 'ips': ['$data.ip']},
@@ -28,7 +29,7 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
 def get_report_data(cls):
 data = {'title': cls.technique_title(), 'info': []}
- info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_name)))
+ info = list(mongo.db.telemetry.aggregate(cls.get_pba_query(cls.pba_names)))
 status = []
 for pba_node in info:
@@ -36,6 +37,10 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
 status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
 if status else ScanStatus.UNSCANNED.value
+ if status == ScanStatus.UNSCANNED.value and\ not AttackConfig.get_technique_values()[cls.tech_id]:
+ status = ScanStatus.DISABLED.value
+
 data.update(cls.get_base_data_by_status(status))
 data.update({'info': info})
 return data
diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js b/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js
index 97f3c1a18..4376fcf0c 100644
--- a/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js
+++ b/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js
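Review bot: The first pba_technique.py hunk keeps the old filter as a commented-out line, `# 'data.name': post_breach_action_name}},`, next to its replacement; it should be deleted, not parked. The `$or` array built from `post_breach_action_names` is also rejected by MongoDB when it is empty (`$or` must be a non-empty array), so a subclass that defines `pba_names = []` would fail at aggregation time; `'data.name': {'$in': list(post_breach_action_names)}` expresses the same match in one clause and simply matches nothing for an empty list. The abstract `pba_names` property's docstring still reads ":return: name of post breach action" although the rename makes it a list — `:return: list of post breach action names`. The `get_pba_query` pipeline continues past the end of this hunk.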
@@ -64,10 +64,10 @@ class AttackReport extends React.Component {
 return 'collapse-warning';
 case ScanStatus.USED:
 return 'collapse-danger';
+ case ScanStatus.UNSCANNED:
+ return 'collapse-unscanned';
 case ScanStatus.DISABLED:
 return 'collapse-disabled';
- default:
- return 'collapse-default';
 }
 }
diff --git a/monkey/monkey_island/cc/ui/src/styles/components/Collapse.scss b/monkey/monkey_island/cc/ui/src/styles/components/Collapse.scss
index 63f503095..fd004f783 100644
--- a/monkey/monkey_island/cc/ui/src/styles/components/Collapse.scss
+++ b/monkey/monkey_island/cc/ui/src/styles/components/Collapse.scss
@@ -3,7 +3,7 @@ $transition: 300ms cubic-bezier(0.6, 0.3, 0.3, 0.6);
 $danger-color: #ebbcba;
 $disabled-color: #b7c2ff;
 $info-color: #ade3eb;
-$default-color: #e0ddde;
+$unscanned-color: #e0ddde;
 $warning-color: #ffe28d;
 .collapse-item button {
@@ -51,8 +51,12 @@ $warning-color: #ffe28d;
 background-color: $info-color !important;
 }
-.collapse-default {
- background-color: $default-color !important;
+.collapse-unscanned {
+ background-color: $unscanned-color !important;
+}
+
+.collapse-disabled {
+ background-color: $disabled-color !important;
 }
 .collapse-disabled {
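Review bot: Removing the `default` branch from the `switch` in AttackReport.js means any status outside the four enumerated `ScanStatus` values now makes this function return `undefined`, which — depending on how the caller builds the class name — ends up as the literal string "undefined" or no class at all rather than a fallback style. A missing or unrecognised status seems plausible given that the Python side of this same patch now produces DISABLED from several independent places; keeping `default: return 'collapse-unscanned';` preserves a safe fallback at no cost. The enclosing function starts before this hunk.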
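Review bot: The second Collapse.scss hunk adds a new `.collapse-disabled { background-color: $disabled-color !important; }` block right before the pre-existing `.collapse-disabled {` rule that follows as context, so the selector is now declared twice. The added block is closed by the context `}` that used to belong to `.collapse-default`, which makes the duplicate easy to overlook; only `.collapse-unscanned` should be new here, and the extra `.collapse-disabled` lines should be dropped. The body of the original `.collapse-disabled` rule lies outside the hunk.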