Merge pull request #385 from VakarisZ/attack_remote_services

T1021 Remote services

monkey/monkey_island/cc/services/attack/attack_report.py

@@ -3,7 +3,7 @@ import logging
 from monkey_island.cc.models import Monkey
 from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
 from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
-from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016
+from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016, T1021
 from monkey_island.cc.services.attack.attack_config import AttackConfig
 from monkey_island.cc.database import mongo
 
@@ -33,7 +33,8 @@ TECHNIQUES = {'T1210': T1210.T1210,
               'T1222': T1222.T1222,
               'T1005': T1005.T1005,
               'T1018': T1018.T1018,
-              'T1016': T1016.T1016}
+              'T1016': T1016.T1016,
+              'T1021': T1021.T1021}
 
 REPORT_NAME = 'new_report'
 

monkey/monkey_island/cc/services/attack/attack_schema.py

@@ -48,6 +48,15 @@ SCHEMA = {
                     "necessary": True,
                     "description": "Files may be copied from one system to another to stage "
                                    "adversary tools or other files over the course of an operation."
+                },
+                "T1021": {
+                    "title": "T1021 Remote services",
+                    "type": "bool",
+                    "value": True,
+                    "necessary": False,
+                    "depends_on": ["T1110"],
+                    "description": "An adversary may use Valid Accounts to log into a service"
+                                   " specifically designed to accept remote connections."
                 }
             }
         },
@@ -62,7 +71,7 @@ SCHEMA = {
                     "necessary": False,
                     "description": "Adversaries may use brute force techniques to attempt access to accounts "
                                    "when passwords are unknown or when password hashes are obtained.",
-                    "depends_on": ["T1210"]
+                    "depends_on": ["T1210", "T1021"]
                 },
                 "T1003": {
                     "title": "T1003 Credential dumping",

monkey/monkey_island/cc/services/attack/technique_reports/T1021.py

@@ -0,0 +1,51 @@
+from monkey_island.cc.database import mongo
+from monkey_island.cc.services.attack.technique_reports import AttackTechnique
+from common.utils.attack_utils import ScanStatus
+from monkey_island.cc.services.attack.technique_reports.technique_report_tools import parse_creds
+
+
+__author__ = "VakarisZ"
+
+
+class T1021(AttackTechnique):
+    tech_id = "T1021"
+    unscanned_msg = "Monkey didn't try to login to any remote services."
+    scanned_msg = "Monkey tried to login to remote services with valid credentials, but failed."
+    used_msg = "Monkey successfully logged into remote services on the network."
+
+    # Gets data about brute force attempts
+    query = [{'$match': {'telem_category': 'exploit',
+                         'data.attempts': {'$not': {'$size': 0}}}},
+             {'$project': {'_id': 0,
+                           'machine': '$data.machine',
+                           'info': '$data.info',
+                           'attempt_cnt': {'$size': '$data.attempts'},
+                           'attempts': {'$filter': {'input': '$data.attempts',
+                                                    'as': 'attempt',
+                                                    'cond': {'$eq': ['$$attempt.result', True]}
+                                                    }
+                                        }
+                           }
+              }]
+
+    scanned_query = {'telem_category': 'exploit',
+                     'data.attempts': {'$elemMatch': {'result': True}}}
+
+    @staticmethod
+    def get_report_data():
+        attempts = []
+        if mongo.db.telemetry.count_documents(T1021.scanned_query):
+            attempts = list(mongo.db.telemetry.aggregate(T1021.query))
+            if attempts:
+                status = ScanStatus.USED.value
+                for result in attempts:
+                    result['successful_creds'] = []
+                    for attempt in result['attempts']:
+                        result['successful_creds'].append(parse_creds(attempt))
+            else:
+                status = ScanStatus.SCANNED.value
+        else:
+            status = ScanStatus.UNSCANNED.value
+        data = T1021.get_base_data_by_status(status)
+        data.update({'services': attempts})
+        return data

monkey/monkey_island/cc/services/attack/technique_reports/T1110.py

@@ -1,7 +1,7 @@
 from monkey_island.cc.database import mongo
 from monkey_island.cc.services.attack.technique_reports import AttackTechnique
 from common.utils.attack_utils import ScanStatus
-from monkey_island.cc.encryptor import encryptor
+from monkey_island.cc.services.attack.technique_reports.technique_report_tools import parse_creds
 
 __author__ = "VakarisZ"
 
@@ -32,7 +32,7 @@ class T1110(AttackTechnique):
             result['successful_creds'] = []
             for attempt in result['attempts']:
                 succeeded = True
-                result['successful_creds'].append(T1110.parse_creds(attempt))
+                result['successful_creds'].append(parse_creds(attempt))
 
         if succeeded:
             status = ScanStatus.USED.value
@@ -47,47 +47,4 @@ class T1110(AttackTechnique):
         data.update({'services': attempts})
         return data
 
-    @staticmethod
-    def parse_creds(attempt):
-        """
-        Parses used credentials into a string
-        :param attempt: login attempt from database
-        :return: string with username and used password/hash
-        """
-        username = attempt['user']
-        creds = {'lm_hash': {'type': 'LM hash', 'output': T1110.censor_hash(attempt['lm_hash'])},
-                 'ntlm_hash': {'type': 'NTLM hash', 'output': T1110.censor_hash(attempt['ntlm_hash'], 20)},
-                 'ssh_key': {'type': 'SSH key', 'output': attempt['ssh_key']},
-                 'password': {'type': 'Plaintext password', 'output': T1110.censor_password(attempt['password'])}}
-        for key, cred in creds.items():
-            if attempt[key]:
-                return '%s ; %s : %s' % (username,
-                                         cred['type'],
-                                         cred['output'])
 
-    @staticmethod
-    def censor_password(password, plain_chars=3, secret_chars=5):
-        """
-        Decrypts and obfuscates password by changing characters to *
-        :param password: Password or string to obfuscate
-        :param plain_chars: How many plain-text characters should be kept at the start of the string
-        :param secret_chars: How many * symbols should be used to hide the remainder of the password
-        :return: Obfuscated string e.g. Pass****
-        """
-        if not password:
-            return ""
-        password = encryptor.dec(password)
-        return password[0:plain_chars] + '*' * secret_chars
-
-    @staticmethod
-    def censor_hash(hash_, plain_chars=5):
-        """
-        Decrypts and obfuscates hash by only showing a part of it
-        :param hash_: Hash to obfuscate
-        :param plain_chars: How many chars of hash should be shown
-        :return: Obfuscated string
-        """
-        if not hash_:
-            return ""
-        hash_ = encryptor.dec(hash_)
-        return hash_[0: plain_chars] + ' ...'

monkey/monkey_island/cc/services/attack/technique_reports/technique_report_tools.py

@@ -0,0 +1,46 @@
+from monkey_island.cc.encryptor import encryptor
+
+
+def parse_creds(attempt):
+    """
+    Parses used credentials into a string
+    :param attempt: login attempt from database
+    :return: string with username and used password/hash
+    """
+    username = attempt['user']
+    creds = {'lm_hash': {'type': 'LM hash', 'output': censor_hash(attempt['lm_hash'])},
+             'ntlm_hash': {'type': 'NTLM hash', 'output': censor_hash(attempt['ntlm_hash'], 20)},
+             'ssh_key': {'type': 'SSH key', 'output': attempt['ssh_key']},
+             'password': {'type': 'Plaintext password', 'output': censor_password(attempt['password'])}}
+    for key, cred in creds.items():
+        if attempt[key]:
+            return '%s ; %s : %s' % (username,
+                                     cred['type'],
+                                     cred['output'])
+
+
+def censor_password(password, plain_chars=3, secret_chars=5):
+    """
+    Decrypts and obfuscates password by changing characters to *
+    :param password: Password or string to obfuscate
+    :param plain_chars: How many plain-text characters should be kept at the start of the string
+    :param secret_chars: How many * symbols should be used to hide the remainder of the password
+    :return: Obfuscated string e.g. Pass****
+    """
+    if not password:
+        return ""
+    password = encryptor.dec(password)
+    return password[0:plain_chars] + '*' * secret_chars
+
+
+def censor_hash(hash_, plain_chars=5):
+    """
+    Decrypts and obfuscates hash by only showing a part of it
+    :param hash_: Hash to obfuscate
+    :param plain_chars: How many chars of hash should be shown
+    :return: Obfuscated string
+    """
+    if not hash_:
+        return ""
+    hash_ = encryptor.dec(hash_)
+    return hash_[0: plain_chars] + ' ...'

monkey/monkey_island/cc/ui/src/components/attack/techniques/T1021.js

@@ -0,0 +1,44 @@
+import React from 'react';
+import '../../../styles/Collapse.scss'
+import ReactTable from "react-table";
+import { renderMachine, ScanStatus } from "./Helpers"
+
+
+class T1021 extends React.Component {
+
+  constructor(props) {
+    super(props);
+  }
+
+  static getServiceColumns() {
+    return ([{
+      columns: [
+        {Header: 'Machine', id: 'machine', accessor: x => renderMachine(x.machine),
+          style: { 'whiteSpace': 'unset' }, width: 160},
+        {Header: 'Service', id: 'service', accessor: x => x.info.display_name, style: { 'whiteSpace': 'unset' }, width: 100},
+        {Header: 'Valid account used', id: 'credentials', accessor: x => this.renderCreds(x.successful_creds), style: { 'whiteSpace': 'unset' }},
+        ]
+    }])};
+
+  static renderCreds(creds) {
+    return <span>{creds.map(cred => <div key={cred}>{cred}</div>)}</span>
+  };
+
+  render() {
+    return (
+      <div>
+        <div>{this.props.data.message}</div>
+        <br/>
+        {this.props.data.status === ScanStatus.USED ?
+          <ReactTable
+            columns={T1021.getServiceColumns()}
+            data={this.props.data.services}
+            showPagination={false}
+            defaultPageSize={this.props.data.services.length}
+          /> : ""}
+      </div>
+    );
+  }
+}
+
+export default T1021;

monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js

@@ -28,6 +28,7 @@ import T1222 from "../attack/techniques/T1222";
 import T1005 from "../attack/techniques/T1005";
 import T1018 from "../attack/techniques/T1018";
 import T1016 from "../attack/techniques/T1016";
+import T1021 from "../attack/techniques/T1021";
 
 const tech_components = {
   'T1210': T1210,
@@ -51,7 +52,8 @@ const tech_components = {
   'T1222': T1222,
   'T1005': T1005,
   'T1018': T1018,
-  'T1016': T1016
+  'T1016': T1016,
+  'T1021': T1021
 };
 
 const classNames = require('classnames');