From c28420944e8d4bd2f7981be8c6ca232fd9e6f66e Mon Sep 17 00:00:00 2001
From: VakarisZ
Date: Thu, 13 Jun 2019 17:19:04 +0300
Subject: [PATCH] System info technique implemented
---
 .../cc/services/attack/attack_report.py | 5 +-
 .../cc/services/attack/attack_schema.py | 15 +++++
 .../attack/technique_reports/T1082.py | 37 ++++++++-----
 .../cc/services/config_schema.py | 1 +
 .../src/components/attack/techniques/T1082.js | 55 +++++++++++++++++++
 .../report-components/AttackReport.js | 4 +-
 6 files changed, 100 insertions(+), 17 deletions(-)
 create mode 100644 monkey/monkey_island/cc/ui/src/components/attack/techniques/T1082.js
diff --git a/monkey/monkey_island/cc/services/attack/attack_report.py b/monkey/monkey_island/cc/services/attack/attack_report.py
index 9a5e57633..9a40e1728 100644
--- a/monkey/monkey_island/cc/services/attack/attack_report.py
+++ b/monkey/monkey_island/cc/services/attack/attack_report.py
@@ -1,5 +1,5 @@
 import logging
-from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086
+from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
 from monkey_island.cc.services.attack.attack_telem import AttackTelemService
 from monkey_island.cc.services.attack.attack_config import AttackConfig
 from monkey_island.cc.database import mongo
@@ -15,7 +15,8 @@ TECHNIQUES = {'T1210': T1210.T1210,
 'T1075': T1075.T1075,
 'T1003': T1003.T1003,
 'T1059': T1059.T1059,
- 'T1086': T1086.T1086}
+ 'T1086': T1086.T1086,
+ 'T1082': T1082.T1082}
 REPORT_NAME = 'new_report'
diff --git a/monkey/monkey_island/cc/services/attack/attack_schema.py b/monkey/monkey_island/cc/services/attack/attack_schema.py
index 24c8cf1c6..4d979a682 100644
--- a/monkey/monkey_island/cc/services/attack/attack_schema.py
+++ b/monkey/monkey_island/cc/services/attack/attack_schema.py
@@ -106,5 +106,20 @@ SCHEMA = {
 }
 }
 },
+ "discovery": {
+ "title": "Discovery",
+ "type": "object",
+ "properties": {
+ "T1082": {
+ "title": "T1082 System information discovery",
+ "type": "bool",
+ "value": True,
+ "necessary": False,
+ "description": "An adversary may attempt to get detailed information about the "
+ "operating system and hardware, including version, patches, hotfixes, "
+ "service packs, and architecture."
+ }
+ }
+ },
 }
 }
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
index 76ed2a7af..9a73cf13c 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
@@ -12,26 +12,35 @@ class T1082(AttackTechnique):
 scanned_msg = ""
 used_msg = "Monkey gathered system info from machines in the network."
- # Gets data about successful PTH logins
- query = [{'$match': {'telem_type': 'system_info_collection'},
+ query = [{'$match': {'telem_type': 'system_info_collection'}},
+ {'$project': {'machine': {'hostname': '$data.hostname', 'ips': '$data.network_info.networks'},
+ 'aws': '$data.aws',
+ 'netstat': '$data.network_info.netstat',
+ 'process_list': '$data.process_list',
+ 'ssh_info': '$data.ssh_info',
+ 'azure_info': '$data.Azure'}},
 {'$project': {'_id': 0,
- 'machine': {'hostname': '$data.hostname', 'ips': '$data.network_info.networks'},
- 'info': {'aws': '$data.aws',
- 'process_list': '$data.process_list.1'
- 'attempt_cnt': {'$size': '$data.attempts'},
- 'attempts': {'$filter': {'input': '$data.attempts',
- 'as': 'attempt',
- 'cond': {'$eq': ['$$attempt.result', True]}}}}}]
+ 'machine': 1,
+ 'collections': [
+ {'used': {'$and': [{'$ifNull': ['$netstat', False]}, {'$gt': ['$aws', {}]}]},
+ 'name': {'$literal': 'Amazon Web Services info'}},
+ {'used': {'$and': [{'$ifNull': ['$process_list', False]}, {'$gt': ['$process_list', {}]}]},
+ 'name': {'$literal': 'Running process list'}},
+ {'used': {'$and': [{'$ifNull': ['$netstat', False]}, {'$ne': ['$netstat', []]}]},
+ 'name': {'$literal': 'Network connections'}},
+ {'used': {'$and': [{'$ifNull': ['$ssh_info', False]}, {'$ne': ['$ssh_info', []]}]},
+ 'name': {'$literal': 'SSH info'}},
+ {'used': {'$and': [{'$ifNull': ['$azure_info', False]}, {'$ne': ['$azure_info', []]}]},
+ 'name': {'$literal': 'Azure info'}}
+ ]}}]
 @staticmethod
 def get_report_data():
 data = {'title': T1082.technique_title(T1082.tech_id)}
- successful_logins = list(mongo.db.telemetry.aggregate(T1082.query))
- data.update({'successful_logins': successful_logins})
- if successful_logins:
+ system_info = list(mongo.db.telemetry.aggregate(T1082.query))
+ data.update({'system_info': system_info})
+ if system_info:
data.update({'message': T1082.used_msg, 'status': ScanStatus.USED.name}) - elif mongo.db.telemetry.count_documents(T1082.login_attempt_query): - data.update({'message': T1082.scanned_msg, 'status': ScanStatus.SCANNED.name}) else: data.update({'message': T1082.unscanned_msg, 'status': ScanStatus.UNSCANNED.name}) return data diff --git a/monkey/monkey_island/cc/services/config_schema.py b/monkey/monkey_island/cc/services/config_schema.py index 8a96a0d78..57ad95944 100644 --- a/monkey/monkey_island/cc/services/config_schema.py +++ b/monkey/monkey_island/cc/services/config_schema.py @@ -422,6 +422,7 @@ SCHEMA = { "title": "Collect system info", "type": "boolean", "default": True, + "attack_techniques": ["T1082"], "description": "Determines whether to collect system info" }, "should_use_mimikatz": { diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1082.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1082.js new file mode 100644 index 000000000..3b3f1df7c --- /dev/null +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1082.js @@ -0,0 +1,55 @@ +import React from 'react'; +import '../../../styles/Collapse.scss' +import ReactTable from "react-table"; + + +class T1082 extends React.Component { + + constructor(props) { + super(props); + } + + static renderMachineString(data){ + let machineStr = data['hostname'] + " ( "; + data['ips'].forEach(function(ipInfo){ + machineStr += ipInfo['addr'] + " "; + }); + return machineStr + ")" + } + + static renderCollections(collections){ + let output = []; + collections.forEach(function(collection){ + if(collection['used']){ + output.push(
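Review bot: The 'Amazon Web Services info' row in the second `$project` stage guards on the wrong field — `{'$ifNull': ['$netstat', False]}` — so whether AWS info is reported as gathered for a machine depends on whether its netstat data exists rather than on the `aws` field; every other row pairs `$ifNull` with the same field it then compares, so this reads as a copy-paste slip. The line should be `{'used': {'$and': [{'$ifNull': ['$aws', False]}, {'$gt': ['$aws', {}]}]},`. It is also worth checking that `{'$gt': ['$aws', {}]}` (and the same form for `process_list`) yields the intended result when the field is an empty document, since the other rows use `$ne` against `[]` instead. With the SCANNED branch removed from `get_report_data`, the context line `scanned_msg = ""` is now unused in this file unless the `AttackTechnique` base class reads it, which is outside the hunk. The `T1082` class header is above the hunk.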
{collection['name']}
) + } + }); + return (
{output}
); + } + + static getSystemInfoColumns() { + return ([{ + columns: [ + {Header: 'Machine', id: 'machine', accessor: x => T1082.renderMachineString(x.machine), style: { 'whiteSpace': 'unset' }}, + {Header: 'Gathered info', id: 'info', accessor: x => T1082.renderCollections(x.collections), style: { 'whiteSpace': 'unset' }}, + ] + }])}; + + render() { + return ( +
+
{this.props.data.message}
+
+ {this.props.data.status === 'USED' ? + : ""} +
+ ); + } +} + +export default T1082; diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js b/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js index 87f6f0a38..6543ec389 100644 --- a/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js +++ b/monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js @@ -12,6 +12,7 @@ import T1075 from "../attack/techniques/T1075"; import T1003 from "../attack/techniques/T1003"; import T1059 from "../attack/techniques/T1059"; import T1086 from "../attack/techniques/T1086"; +import T1082 from "../attack/techniques/T1082"; const tech_components = { 'T1210': T1210, @@ -20,7 +21,8 @@ const tech_components = { 'T1075': T1075, 'T1003': T1003, 'T1059': T1059, - 'T1086': T1086 + 'T1086': T1086, + 'T1082': T1082 }; const classNames = require('classnames');