From bf417ab01dfe17f6f4ac8239a83f384aeafcde6e Mon Sep 17 00:00:00 2001
From: Shay Nehmad
Date: Thu, 22 Aug 2019 14:40:05 +0300
Subject: [PATCH] Added machine exploited ZT test
---
 monkey/common/data/zero_trust_consts.py | 2 +-
 .../services/telemetry/processing/exploit.py | 32 +++++++------
 .../zero_trust_tests/machine_exploited.py | 46 +++++++++++++++++++
 3 files changed, 66 insertions(+), 14 deletions(-)
 create mode 100644 monkey/monkey_island/cc/services/telemetry/zero_trust_tests/machine_exploited.py
diff --git a/monkey/common/data/zero_trust_consts.py b/monkey/common/data/zero_trust_consts.py
index a92e386fe..99b4f2a2c 100644
--- a/monkey/common/data/zero_trust_consts.py
+++ b/monkey/common/data/zero_trust_consts.py
@@ -91,7 +91,7 @@ TESTS_MAP = {
 TEST_EXPLANATION_KEY: u"The Monkey tries to exploit machines in order to breach them and propagate in the network.",
 FINDING_EXPLANATION_BY_STATUS_KEY: {
 STATUS_CONCLUSIVE: "Monkey successfully exploited endpoints. Check IDS/IPS logs to see activity recognized and see which endpoints were compromised.",
- STATUS_INCONCLUSIVE: "Monkey tried exploiting endpoints. Check IDS/IPS logs to see activity recognized."
+ STATUS_POSITIVE: "Monkey didn't manage to exploit an endpoint."
 },
 DIRECTIVE_KEY: DIRECTIVE_ENDPOINT_SECURITY,
 PILLARS_KEY: [DEVICES],
diff --git a/monkey/monkey_island/cc/services/telemetry/processing/exploit.py b/monkey/monkey_island/cc/services/telemetry/processing/exploit.py
index 98ca76248..7464722f9 100644
--- a/monkey/monkey_island/cc/services/telemetry/processing/exploit.py
+++ b/monkey/monkey_island/cc/services/telemetry/processing/exploit.py
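Review bot: After this hunk FINDING_EXPLANATION_BY_STATUS_KEY for this test holds only STATUS_CONCLUSIVE and STATUS_POSITIVE, so any finding already persisted for TEST_MACHINE_EXPLOITED with STATUS_INCONCLUSIVE has no explanation to look up; whether that lookup is a plain dict index that would raise is not visible here. If older findings can remain in the database, keep the removed entry alongside the new one: `STATUS_INCONCLUSIVE: "Monkey tried exploiting endpoints. Check IDS/IPS logs to see activity recognized.",`. The new STATUS_POSITIVE text also describes a single attempt rather than the endpoint's overall state, which matters because the test that emits it runs once per exploit telemetry. The TESTS_MAP entry being edited starts before and ends after this hunk.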
@@ -7,26 +7,18 @@ from monkey_island.cc.encryptor import encryptor
 from monkey_island.cc.services.edge import EdgeService
 from monkey_island.cc.services.node import NodeService
 from monkey_island.cc.services.telemetry.processing.utils import get_edge_by_scan_or_exploit_telemetry
+from monkey_island.cc.services.telemetry.zero_trust_tests.machine_exploited import test_machine_exploited
 def process_exploit_telemetry(telemetry_json):
 edge = get_edge_by_scan_or_exploit_telemetry(telemetry_json)
 encrypt_exploit_creds(telemetry_json)
- telemetry_json['data']['info']['started'] = dateutil.parser.parse(telemetry_json['data']['info']['started'])
- telemetry_json['data']['info']['finished'] = dateutil.parser.parse(telemetry_json['data']['info']['finished'])
+ update_edge_info_with_new_exploit(edge, telemetry_json)
+ update_node_credentials_from_successful_attempts(edge, telemetry_json)
+ test_machine_exploited(telemetry_json)
- new_exploit = copy.deepcopy(telemetry_json['data'])
-
- new_exploit.pop('machine')
- new_exploit['timestamp'] = telemetry_json['timestamp']
-
- mongo.db.edge.update(
- {'_id': edge['_id']},
- {'$push': {'exploits': new_exploit}}
- )
- if new_exploit['result']:
- EdgeService.set_edge_exploited(edge)
+def update_node_credentials_from_successful_attempts(edge, telemetry_json):
 for attempt in telemetry_json['data']['attempts']:
 if attempt['result']:
 found_creds = {'user': attempt['user']}
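Review bot: The three new calls in process_exploit_telemetry are order-dependent and nothing says so: encrypt_exploit_creds rewrites the attempts in place before update_node_credentials_from_successful_attempts reads `attempt['user']` from them, and test_machine_exploited runs only after the edge and node writes have gone to the database, so an exception from it (for instance if `telemetry_json['monkey_guid']` matches no Monkey) leaves the edge updated with no finding recorded. I would put a comment above the calls: `# Order matters: attempt creds are encrypted in place before they are copied onto the node, and the ZT finding is recorded last, after the edge/node writes.` Whether the ZT test is allowed to abort processing of an otherwise-valid telemetry is a design decision worth stating either way. The body of update_node_credentials_from_successful_attempts continues past the end of this hunk.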
@@ -36,6 +28,20 @@ def process_exploit_telemetry(telemetry_json):
 NodeService.add_credentials_to_node(edge['to'], found_creds)
+def update_edge_info_with_new_exploit(edge, telemetry_json):
+ telemetry_json['data']['info']['started'] = dateutil.parser.parse(telemetry_json['data']['info']['started'])
+ telemetry_json['data']['info']['finished'] = dateutil.parser.parse(telemetry_json['data']['info']['finished'])
+ new_exploit = copy.deepcopy(telemetry_json['data'])
+ new_exploit.pop('machine')
+ new_exploit['timestamp'] = telemetry_json['timestamp']
+ mongo.db.edge.update(
+ {'_id': edge['_id']},
+ {'$push': {'exploits': new_exploit}}
+ )
+ if new_exploit['result']:
+ EdgeService.set_edge_exploited(edge)
+
+
 def encrypt_exploit_creds(telemetry_json):
 attempts = telemetry_json['data']['attempts']
 for i in range(len(attempts)):
diff --git a/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/machine_exploited.py b/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/machine_exploited.py
new file mode 100644
index 000000000..3a5f78bcb
--- /dev/null
+++ b/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/machine_exploited.py
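Review bot: update_edge_info_with_new_exploit mutates the caller's telemetry_json (it replaces `info.started` and `info.finished` with datetime objects) and that side effect is undocumented, which matters because the callers added in this commit keep using the same dict afterwards. It also hands agent-supplied strings straight to `dateutil.parser.parse`, which raises ValueError/OverflowError on malformed input and aborts the whole telemetry with no indication of which field was bad. Add a docstring such as `"""Append this exploit to the edge's exploit list and mark the edge exploited on success. Mutates telemetry_json in place: info.started/info.finished become datetimes."""`. Separately, `mongo.db.edge.update` is the legacy pymongo call that later versions remove in favour of `update_one`; worth switching if the pinned pymongo already supports it.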
@@ -0,0 +1,46 @@
+from common.data.zero_trust_consts import *
+from monkey_island.cc.models import Monkey
+from monkey_island.cc.models.zero_trust.event import Event
+from monkey_island.cc.models.zero_trust.finding import Finding
+
+
+def test_machine_exploited(telemetry_json):
+ current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
+ events = [
+ Event.create_event(
+ title="Exploit attempt",
+ message="Monkey on {} attempted to exploit {} using {}.".format(
+ current_monkey.hostname,
+ telemetry_json['data']['machine']['ip_addr'],
+ telemetry_json['data']['exploiter']),
+ event_type=EVENT_TYPE_MONKEY_NETWORK,
+ timestamp=telemetry_json['timestamp']
+ )
+ ]
+
+ status = STATUS_POSITIVE
+
+ if telemetry_json['data']['result']:
+ events.append(
+ Event.create_event(
+ title="Exploit success!",
+ message="Monkey on {} successfully exploited {} using {}.".format(
+ current_monkey.hostname,
+ telemetry_json['data']['machine']['ip_addr'],
+ telemetry_json['data']['exploiter']),
+ event_type=EVENT_TYPE_MONKEY_NETWORK,
+ timestamp=telemetry_json['timestamp'])
+ )
+ status = STATUS_CONCLUSIVE
+
+ Finding.save_finding(
+ test=TEST_MACHINE_EXPLOITED,
+ status=status,
+ events=events
+ )
+
+ Finding.save_finding(
+ test=TEST_MALICIOUS_ACTIVITY_TIMELINE,
+ status=STATUS_INCONCLUSIVE,
+ events=events
+ )
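Review bot: test_machine_exploited saves a STATUS_POSITIVE finding for TEST_MACHINE_EXPLOITED on every exploit telemetry whose `result` is false, i.e. one "passing" finding per failed exploiter per target, even when a later exploiter succeeds against the same host; unless Finding.save_finding merges per test (not visible here), the report can show positive and conclusive results side by side for one endpoint. I would either derive the status from the edge's overall exploited state, or only attach the failed-attempt event to the existing finding without asserting POSITIVE, and state the chosen rule in a module docstring. `from common.data.zero_trust_consts import *` also hides which names this module depends on; import them explicitly: `from common.data.zero_trust_consts import STATUS_POSITIVE, STATUS_CONCLUSIVE, STATUS_INCONCLUSIVE, EVENT_TYPE_MONKEY_NETWORK, TEST_MACHINE_EXPLOITED, TEST_MALICIOUS_ACTIVITY_TIMELINE`. Finally, `current_monkey.hostname` is dereferenced without checking that get_single_monkey_by_guid found anything; if it can return None for an unknown `monkey_guid`, this raises AttributeError from inside telemetry processing.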