Agent: Add display_name to PostBreachData

This commit is contained in:
Shreya Malviya 2022-03-25 13:09:10 +05:30
parent 196f814860
commit dda922d06f
4 changed files with 9 additions and 12 deletions


@ -34,7 +34,7 @@ class ExploiterResultData:
PingScanData = namedtuple("PingScanData", ["response_received", "os"]) PingScanData = namedtuple("PingScanData", ["response_received", "os"])
PortScanData = namedtuple("PortScanData", ["port", "status", "banner", "service"]) PortScanData = namedtuple("PortScanData", ["port", "status", "banner", "service"])
FingerprintData = namedtuple("FingerprintData", ["os_type", "os_version", "services"]) FingerprintData = namedtuple("FingerprintData", ["os_type", "os_version", "services"])
PostBreachData = namedtuple("PostBreachData", ["command", "result"]) PostBreachData = namedtuple("PostBreachData", ["display_name", "command", "result"])
class IPuppet(metaclass=abc.ABCMeta): class IPuppet(metaclass=abc.ABCMeta):
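Review bot: PostBreachData gains a leading positional field with no default, so any IPuppet implementation or caller that still builds or unpacks the two-field tuple fails at runtime (TypeError on construction, ValueError on unpacking) rather than at import; only the mock puppet is updated in this commit, so other run_pba implementations need checking outside it. Because this namedtuple is the contract between master and puppet, the field deserves a one-line comment next to the definition, e.g. `# display_name: human-readable PBA name (what reports show); command/result: what was run and what it returned`. The abstract run_pba declaration in IPuppet, which starts below this hunk, should state the same three-field return shape in its docstring.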


@ -195,14 +195,11 @@ class AutomatedMaster(IMaster):
logger.debug(f"No credentials were collected by {collector}") logger.debug(f"No credentials were collected by {collector}")
def _run_pba(self, pba: Tuple[str, Dict]): def _run_pba(self, pba: Tuple[str, Dict]):
# TODO: This is the class's name right now. We need `display_name` (see the
# ProcessListCollection PBA). This is shown in the Security report as the PBA
# name and is checked against in the T1082's mongo query in the ATT&CK report.
name = pba[0] name = pba[0]
options = pba[1] options = pba[1]
command, result = self._puppet.run_pba(name, options) display_name, command, result = self._puppet.run_pba(name, options)
self._telemetry_messenger.send_telemetry(PostBreachTelem(name, command, result)) self._telemetry_messenger.send_telemetry(PostBreachTelem(display_name, command, result))
def _can_propagate(self) -> bool: def _can_propagate(self) -> bool:
return True return True
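Review bot: `_run_pba` unpacks the PostBreachData namedtuple positionally (`display_name, command, result = self._puppet.run_pba(name, options)`), which is exactly the coupling that forced this commit to touch four call sites, and it will break silently again the next time a field is added or reordered. Keeping the tuple and reading its fields survives that: `pba_data = self._puppet.run_pba(name, options)` followed by `self._telemetry_messenger.send_telemetry(PostBreachTelem(pba_data.display_name, pba_data.command, pba_data.result))`. The same positional unpacking appears twice in the MockMaster hunk below. A short docstring on `_run_pba` saying that `pba[0]` is the PBA class name passed to the puppet and that the telemetry carries the puppet-supplied display name would also help, since that distinction is the whole reason for the change.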


@ -50,12 +50,12 @@ class MockMaster(IMaster):
logger.info("Running post breach actions") logger.info("Running post breach actions")
name = "AccountDiscovery" name = "AccountDiscovery"
command, result = self._puppet.run_pba(name, {}) display_name, command, result = self._puppet.run_pba(name, {})
self._telemetry_messenger.send_telemetry(PostBreachTelem(name, command, result)) self._telemetry_messenger.send_telemetry(PostBreachTelem(display_name, command, result))
name = "CommunicateAsBackdoorUser" name = "CommunicateAsBackdoorUser"
command, result = self._puppet.run_pba(name, {}) display_name, command, result = self._puppet.run_pba(name, {})
self._telemetry_messenger.send_telemetry(PostBreachTelem(name, command, result)) self._telemetry_messenger.send_telemetry(PostBreachTelem(display_name, command, result))
logger.info("Finished running post breach actions") logger.info("Finished running post breach actions")
def _scan_victims(self): def _scan_victims(self):
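Review bot: The two PBA invocations in MockMaster are now four near-identical lines that must be edited in lockstep whenever the run_pba contract changes, as this commit shows. A loop over the names keeps the mock to one copy of the call: `for name in ("AccountDiscovery", "CommunicateAsBackdoorUser"):` with the existing `display_name, command, result = self._puppet.run_pba(name, {})` and `send_telemetry(...)` lines indented under it. The enclosing method's signature is above the hunk.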


@ -53,9 +53,9 @@ class MockPuppet(IPuppet):
logger.debug(f"run_pba({name}, {options})") logger.debug(f"run_pba({name}, {options})")
if name == "AccountDiscovery": if name == "AccountDiscovery":
return PostBreachData("pba command 1", ["pba result 1", True]) return PostBreachData(name, "pba command 1", ["pba result 1", True])
else: else:
return PostBreachData("pba command 2", ["pba result 2", False]) return PostBreachData(name, "pba command 2", ["pba result 2", False])
def ping(self, host: str, timeout: float = 1) -> PingScanData: def ping(self, host: str, timeout: float = 1) -> PingScanData:
logger.debug(f"run_ping({host}, {timeout})") logger.debug(f"run_ping({host}, {timeout})")
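Review bot: MockPuppet.run_pba fills display_name with the same `name` string it was called with, so the mock cannot tell a display name apart from the PBA class name, and any test driven by it would pass even if the consumer used the wrong one of the two. A distinct literal makes the difference observable, e.g. `return PostBreachData("Account Discovery", "pba command 1", ["pba result 1", True])` and likewise in the other branch; whether an existing test asserts that the two strings are equal is not visible here. The `else:` after the `return` is also unnecessary. The run_pba signature is above the hunk.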