diff --git a/monkey/monkey_island/cc/services/attack/attack_report.py b/monkey/monkey_island/cc/services/attack/attack_report.py
index db80c76c6..c7130158b 100644
--- a/monkey/monkey_island/cc/services/attack/attack_report.py
+++ b/monkey/monkey_island/cc/services/attack/attack_report.py
@@ -4,6 +4,7 @@ from monkey_island.cc.models import Monkey
 from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
 from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
 from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016, T1021, T1064
+from monkey_island.cc.services.attack.technique_reports import T1136
 from monkey_island.cc.services.attack.attack_config import AttackConfig
 from monkey_island.cc.database import mongo
 from monkey_island.cc.services.reporting.report_generation_synchronisation import safe_generate_attack_report
@@ -35,7 +36,8 @@ TECHNIQUES = {'T1210': T1210.T1210,
 'T1018': T1018.T1018,
 'T1016': T1016.T1016,
 'T1021': T1021.T1021,
- 'T1064': T1064.T1064
+ 'T1064': T1064.T1064,
+ 'T1136': T1136.T1136
 }
 
 REPORT_NAME = 'new_report'
diff --git a/monkey/monkey_island/cc/services/attack/attack_schema.py b/monkey/monkey_island/cc/services/attack/attack_schema.py
index 704ae5994..a49079fa4 100644
--- a/monkey/monkey_island/cc/services/attack/attack_schema.py
+++ b/monkey/monkey_island/cc/services/attack/attack_schema.py
@@ -289,6 +289,22 @@ SCHEMA = {
 "description": "Data exfiltration is performed over the Command and Control channel."
 }
 }
+ },
+ "persistence": {
+ "title": "Persistence",
+ "type": "object",
+ "link": "https://attack.mitre.org/tactics/TA0003/",
+ "properties": {
+ "T1136": {
+ "title": "Create account",
+ "type": "bool",
+ "value": True,
+ "necessary": False,
+ "link": "https://attack.mitre.org/techniques/T1136",
+ "description": "Adversaries with a sufficient level of access "
+ "may create a local system, domain, or cloud tenant account."
+ }
+ }
 }
 }
 }
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
new file mode 100644
index 000000000..777476473
--- /dev/null
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
@@ -0,0 +1,39 @@
+from monkey_island.cc.services.attack.technique_reports import AttackTechnique
+from monkey_island.cc.services.reporting.report import ReportService
+from common.utils.attack_utils import ScanStatus
+from common.data.post_breach_consts import POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER
+from monkey_island.cc.models import Monkey
+
+__author__ = "shreyamalviya"
+
+
+class T1136(AttackTechnique):
+ tech_id = "T1136"
+ unscanned_msg = "Monkey didn't try creating a new user on the network's systems."
+ scanned_msg = "Monkey tried creating a new user on the network's systems, but failed."
+ used_msg = "Monkey created a new user on the network's systems."
+
+ @staticmethod
+ def get_report_data():
+ data = {'title': T1136.technique_title()}
+
+ scanned_nodes = ReportService.get_scanned()
+ status = ScanStatus.UNSCANNED.value
+ for node in scanned_nodes:
+ if node['pba_results'] != 'None':
+ for pba in node['pba_results']:
+ if pba['name'] in [POST_BREACH_BACKDOOR_USER,
+ POST_BREACH_COMMUNICATE_AS_NEW_USER]:
+ status = ScanStatus.USED.value if pba['result'][1]\
+ else ScanStatus.SCANNED.value
+ data.update({
+ 'info': [{
+ 'machine': {
+ 'hostname': pba['hostname'],
+ 'ips': node['ip_addresses'],
+ },
+ 'result': ': '.join([pba['name'], pba['result'][0]])
+ }]
+ })
+ data.update(T1136.get_message_and_status(status))
+ return data
diff --git a/monkey/monkey_island/cc/services/config_schema.py b/monkey/monkey_island/cc/services/config_schema.py
index 3d0220ee2..994334b93 100644
--- a/monkey/monkey_island/cc/services/config_schema.py
+++ b/monkey/monkey_island/cc/services/config_schema.py
@@ -140,7 +140,7 @@ SCHEMA = {
 },
 ],
 },
- "post_breach_acts": {
+ "post_breach_actions": {
 "title": "Post breach actions",
 "type": "string",
 "anyOf": [
@@ -150,7 +150,7 @@ SCHEMA = {
 "BackdoorUser"
 ],
 "title": "Back door user",
- "attack_techniques": []
+ "attack_techniques": ["T1136"]
 },
 {
 "type": "string",
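Review bot: In get_report_data the `data.update({'info': [...]})` call inside the inner loop replaces the whole `info` list on every matching PBA, so the report only ever shows the last machine/result that matched, and `status` is overwritten the same way, so a failed attempt processed after a successful one downgrades USED back to SCANNED. Accumulate entries with `data.setdefault('info', []).append(...)` and only move `status` to SCANNED when it is not already USED. The guard `node['pba_results'] != 'None'` compares against the string 'None'; if ReportService.get_scanned() can store an actual None or omit the key, this check does not cover it — worth confirming against the report code before relying on it. `Monkey` is imported but never used, and `pba['result'][1]` is presumably the success flag of an (output, success) pair, which nothing in this file shows.
```python
    @staticmethod
    def get_report_data():
        data = {'title': T1136.technique_title()}
        status = ScanStatus.UNSCANNED.value
        for node in ReportService.get_scanned():
            # … unchanged: pba_results guard …
            for pba in node['pba_results']:
                if pba['name'] not in [POST_BREACH_BACKDOOR_USER,
                                       POST_BREACH_COMMUNICATE_AS_NEW_USER]:
                    continue
                # A single success anywhere means the technique was used;
                # later failures must not downgrade it.
                if pba['result'][1]:
                    status = ScanStatus.USED.value
                elif status != ScanStatus.USED.value:
                    status = ScanStatus.SCANNED.value
                # Keep one row per matching PBA instead of overwriting 'info'.
                data.setdefault('info', []).append({
                    'machine': {
                        'hostname': pba['hostname'],
                        'ips': node['ip_addresses'],
                    },
                    'result': ': '.join([pba['name'], pba['result'][0]])
                })
        data.update(T1136.get_message_and_status(status))
        return data
```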
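Review bot: Renaming the `definitions` key from `post_breach_acts` to `post_breach_actions` is only safe if every `$ref` to it is updated at the same time; the hunk at 375 updates the one under the post-breach actions array, but any other `"$ref": "#/definitions/post_breach_acts"` elsewhere in this schema would now dangle and fail schema validation, which I cannot confirm from these hunks. A quick search of the file for the old key name before merging would settle it. The enclosing SCHEMA literal starts and ends outside the hunk.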
@@ -158,7 +158,7 @@ SCHEMA = {
 "CommunicateAsNewUser"
 ],
 "title": "Communicate as new user",
- "attack_techniques": []
+ "attack_techniques": ["T1136"]
 },
 ],
 },
@@ -375,9 +375,10 @@ SCHEMA = {
 "type": "array",
 "uniqueItems": True,
 "items": {
- "$ref": "#/definitions/post_breach_acts"
+ "$ref": "#/definitions/post_breach_actions"
 },
 "default": [
+ "BackdoorUser",
 "CommunicateAsNewUser"
 ],
 "description": "List of actions the Monkey will run post breach"
diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1136.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1136.js
new file mode 100644
index 000000000..b9c4b6aff
--- /dev/null
+++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1136.js
@@ -0,0 +1,43 @@
+import React from 'react';
+import ReactTable from 'react-table';
+import {renderMachineFromSystemData, ScanStatus} from './Helpers'
+
+class T1136 extends React.Component {
+
+ constructor(props) {
+ super(props);
+ }
+
+ static getColumns() {
+ return ([{
+ columns: [
+ { Header: 'Machine',
+ id: 'machine',
+ accessor: x => renderMachineFromSystemData(x.machine),
+ style: {'whiteSpace': 'unset'}},
+ { Header: 'Result',
+ id: 'result',
+ accessor: x => x.result,
+ style: {'whiteSpace': 'unset'}}
+ ]
+ }])
+ }
+
+ render() {
+ return (
+
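Review bot: Adding `BackdoorUser` to the `default` list in the hunk at 375 means a freshly installed Island now creates a local user on every machine the Monkey breaches without the operator opting in, and the unchanged `description` does not say so; extend it to `"description": "List of actions the Monkey will run post breach. BackdoorUser creates a new local user on breached machines."` so the side effect is visible in the UI. If the PBA does not remove that account when it finishes, the residual user is something an operator has to clean up, which is worth stating in the same description — I cannot tell from these hunks whether the removal happens. The `$ref` rename here must match the `definitions` key renamed in the hunk at 140; the enclosing SCHEMA literal starts and ends outside the hunk.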