forked from p15670423/monkey
Island: change ransomware report table to return the amount of files encrypted and the number of total encryption attempts
This commit is contained in:
VakarisZ
parent
10a375ea66
commit
f8cbd4cb33
|
|
@ -8,19 +8,36 @@ from monkey_island.cc.services.reporting.report import ReportService
|
|||
def get_encrypted_files_table():
|
||||
query = [
|
||||
{"$match": {"telem_category": "file_encryption"}},
|
||||
{"$unwind": "$data.files"},
|
||||
{"$addFields": {"total_attempts": {"$size": "$data.files"}}},
|
||||
{
|
||||
"$addFields": {
|
||||
"successful_encryptions": {
|
||||
"$filter": {
|
||||
"input": "$data.files",
|
||||
"as": "files",
|
||||
"cond": {"$eq": ["$$files.success", True]},
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{"$addFields": {"successful_encryptions": {"$size": "$successful_encryptions"}}},
|
||||
{
|
||||
"$group": {
|
||||
"_id": {"monkey_guid": "$monkey_guid", "files_encrypted": "$data.files.success"}
|
||||
"_id": {
|
||||
"monkey_guid": "$monkey_guid",
|
||||
"successful_encryptions": "$successful_encryptions",
|
||||
"total_attempts": "$total_attempts",
|
||||
}
|
||||
}
|
||||
},
|
||||
{"$replaceRoot": {"newRoot": "$_id"}},
|
||||
{"$sort": {"files_encrypted": -1}},
|
||||
{"$sort": {"successful_encryptions": -1}},
|
||||
{
|
||||
"$group": {
|
||||
"_id": {"monkey_guid": "$monkey_guid"},
|
||||
"monkey_guid": {"$first": "$monkey_guid"},
|
||||
"files_encrypted": {"$first": "$files_encrypted"},
|
||||
"total_attempts": {"$first": "$total_attempts"},
|
||||
"successful_encryptions": {"$first": "$successful_encryptions"},
|
||||
}
|
||||
},
|
||||
{
|
||||
|
|
@ -34,7 +51,8 @@ def get_encrypted_files_table():
|
|||
{
|
||||
"$project": {
|
||||
"monkey": {"$arrayElemAt": ["$monkey", 0]},
|
||||
"files_encrypted": "$files_encrypted",
|
||||
"total_attempts": "$total_attempts",
|
||||
"successful_encryptions": "$successful_encryptions",
|
||||
}
|
||||
},
|
||||
]
|
||||
|
|
|
|||
|
|
@ -46,8 +46,18 @@ def test_get_encrypted_files_table(fake_mongo, monkeypatch):
|
|||
results = get_encrypted_files_table()
|
||||
|
||||
assert results == [
|
||||
{"hostname": "test-pc-2", "exploits": ["Manual execution"], "files_encrypted": True},
|
||||
{"hostname": "WinDev2010Eval", "exploits": ["SMB Exploiter"], "files_encrypted": True},
|
||||
{
|
||||
"hostname": "test-pc-2",
|
||||
"exploits": ["Manual execution"],
|
||||
"successful_encryptions": 3,
|
||||
"total_attempts": 3,
|
||||
},
|
||||
{
|
||||
"hostname": "WinDev2010Eval",
|
||||
"exploits": ["SMB Exploiter"],
|
||||
"successful_encryptions": 1,
|
||||
"total_attempts": 1,
|
||||
},
|
||||
]
|
||||
|
||||
|
||||
|
|
@ -68,7 +78,12 @@ def test_get_encrypted_files_table__only_errors(fake_mongo, monkeypatch):
|
|||
results = get_encrypted_files_table()
|
||||
|
||||
assert results == [
|
||||
{"hostname": "test-pc-2", "exploits": ["Manual execution"], "files_encrypted": False}
|
||||
{
|
||||
"hostname": "test-pc-2",
|
||||
"exploits": ["Manual execution"],
|
||||
"successful_encryptions": 0,
|
||||
"total_attempts": 1,
|
||||
}
|
||||
]
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue