From 8c18731b450a2262b93ca2eeb510f2a851b26eee Mon Sep 17 00:00:00 2001
From: Shreya
Date: Wed, 24 Jun 2020 22:41:30 +0530
Subject: [PATCH 1/2] Use mongo search for T1136's report data

---
 .../attack/technique_reports/T1136.py | 39 +++++++++----------
 1 file changed, 19 insertions(+), 20 deletions(-)

diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
index 4cd78c9a3..09e34e6de 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
@@ -1,5 +1,5 @@
 from monkey_island.cc.services.attack.technique_reports import AttackTechnique
-from monkey_island.cc.services.reporting.report import ReportService
+from monkey_island.cc.database import mongo
 from common.utils.attack_utils import ScanStatus
 from common.data.post_breach_consts import POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER
 
@@ -12,27 +12,26 @@ class T1136(AttackTechnique):
     scanned_msg = "Monkey tried creating a new user on the network's systems, but failed."
     used_msg = "Monkey created a new user on the network's systems."
 
+    query = [{'$match': {'telem_category': 'post_breach',
+                         '$or': [{'data.name': POST_BREACH_BACKDOOR_USER},
+                                 {'data.name': POST_BREACH_COMMUNICATE_AS_NEW_USER}]}},
+             {'$project': {'_id': 0,
+                           'machine': {'hostname': '$data.hostname',
+                                       'ips': ['$data.ip']},
+                           'result': '$data.result'}}]
+
     @staticmethod
     def get_report_data():
         data = {'title': T1136.technique_title()}
-        scanned_nodes = ReportService.get_scanned()
-        status = ScanStatus.UNSCANNED.value
-        for node in scanned_nodes:
-            if node['pba_results'] != 'None':
-                for pba in node['pba_results']:
-                    if pba['name'] in [POST_BREACH_BACKDOOR_USER,
-                                       POST_BREACH_COMMUNICATE_AS_NEW_USER]:
-                        status = ScanStatus.USED.value if pba['result'][1]\
-                            else ScanStatus.SCANNED.value
-                        data.update({
-                            'info': [{
-                                'machine': {
-                                    'hostname': pba['hostname'],
-                                    'ips': node['ip_addresses'],
-                                },
-                                'result': ': '.join([pba['name'], pba['result'][0]])
-                            }]
-                        })
-        data.update(T1136.get_base_data_by_status(status))
+        create_user_info = list(mongo.db.telemetry.aggregate(T1136.query))
+
+        status = []
+        for pba_node in create_user_info:
+            status.append(pba_node['result'][1])
+        status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
+            if status else ScanStatus.UNSCANNED.value
+
+        data.update(T1136.get_base_data_by_status(status))
+        data.update({'info': create_user_info})
         return data
 

From e12374b7d3935205231198e91e87e5b28500410b Mon Sep 17 00:00:00 2001
From: Shreya
Date: Sat, 4 Jul 2020 15:29:25 +0530
Subject: [PATCH 2/2] Add mongo query to count successful PBA attempts

---
 .../cc/services/attack/technique_reports/T1136.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

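Review bot: The projected `'result': '$data.result'` in the new `query` changes the shape of each `info` entry's `result` from the string the removed loop built (`': '.join([pba['name'], pba['result'][0]])`) to the raw list stored in `data.result`, so any report consumer that rendered that string will now receive a list, and the commit message does not mention the change. If the old shape is intended, build it in the pipeline instead, e.g. `'result': {'$concat': ['$data.name', ': ', {'$arrayElemAt': ['$data.result', 0]}]}`, and project the success flag used for `status` as a separate field rather than reading `pba_node['result'][1]`; otherwise document the new shape where the report is consumed. `get_report_data` and the class-level `query` also lack any documentation: add a docstring stating that `query` selects post-breach telemetry for the two user-creation PBAs and that each `info` entry is `{'machine': {'hostname', 'ips'}, 'result'}`, and put `# data.result[1] is the success flag, as in the previous pba['result'][1] check` above the loop, since nothing else in the file says which element of `result` drives USED vs SCANNED.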
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
index 09e34e6de..0e4e2fffb 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
@@ -26,11 +26,12 @@ class T1136(AttackTechnique):
         create_user_info = list(mongo.db.telemetry.aggregate(T1136.query))
 
-        status = []
-        for pba_node in create_user_info:
-            status.append(pba_node['result'][1])
-        status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
-            if status else ScanStatus.UNSCANNED.value
+        status = ScanStatus.UNSCANNED.value
+        if create_user_info:
+            successful_PBAs = mongo.db.telemetry.count({'$or': [{'data.name': POST_BREACH_BACKDOOR_USER},
+                                                               {'data.name': POST_BREACH_COMMUNICATE_AS_NEW_USER}],
+                                                       'data.result.1': True})
+            status = ScanStatus.USED.value if successful_PBAs else ScanStatus.SCANNED.value
 
         data.update(T1136.get_base_data_by_status(status))
         data.update({'info': create_user_info})