Address PR feedback - add ATT&CK mapping, change associated_pids to V…

…ec<u32>, remove itertools
MythicAgents · Dec 19, 2024 · 3671ba2 · 3671ba2
1 parent dbffa73
commit 3671ba2
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 6 deletions.
diff --git a/Payload_Type/thanatos/thanatos/agent_code/Cargo.toml b/Payload_Type/thanatos/thanatos/agent_code/Cargo.toml
@@ -31,7 +31,6 @@ rand = "0.8"
 serde_json = "1.0"
 sha2 = "0.9.8"
 netstat2 = "0.9.1"
-itertools = "0.13.0"
 
 [dependencies.minreq]
 version = "2.4.2"

diff --git a/Payload_Type/thanatos/thanatos/agent_code/src/netstat.rs b/Payload_Type/thanatos/thanatos/agent_code/src/netstat.rs
@@ -1,5 +1,4 @@
 use serde::Serialize;
-use itertools::Itertools;
 use crate::agent::AgentTask;
 use crate::mythic_success;
 use netstat2::{get_sockets_info, AddressFamilyFlags, ProtocolFlags, ProtocolSocketInfo};
@@ -23,7 +22,7 @@ pub struct NetworkListingEntry {
     pub remote_port: Option<u16>,
 
     /// Associated PIDs
-    pub associated_pids: String,
+    pub associated_pids: Vec<u32>,
 
     /// State
     pub state: Option<String>,
@@ -44,7 +43,7 @@ pub fn netstat(task: &AgentTask) -> Result<(serde_json::Value), Box<dyn std::err
                 local_port: tcp_si.local_port,
                 remote_addr: Some(tcp_si.remote_addr.to_string()),
                 remote_port: Some(tcp_si.remote_port),
-                associated_pids: Itertools::join(&mut si.associated_pids.iter(), ","),
+                associated_pids: si.associated_pids,
                 state: Some(tcp_si.state.to_string()),
             }),
             ProtocolSocketInfo::Udp(udp_si) => conn.push(NetworkListingEntry {
@@ -53,7 +52,7 @@ pub fn netstat(task: &AgentTask) -> Result<(serde_json::Value), Box<dyn std::err
                 local_port: udp_si.local_port,
                 remote_addr: None,
                 remote_port: None,
-                associated_pids: Itertools::join(&mut si.associated_pids.iter(), ","),
+                associated_pids: si.associated_pids,
                 state: None,
             }),
         }

diff --git a/Payload_Type/thanatos/thanatos/mythic/agent_functions/netstat.py b/Payload_Type/thanatos/thanatos/mythic/agent_functions/netstat.py
@@ -27,7 +27,7 @@ class NetstatCommand(CommandBase):
     version = 1
     author = "@maclarel"
     argument_class = NetstatArguments
-    attackmapping = [""]
+    attackmapping = ["T1049"]
     attributes = CommandAttributes(
         supported_os=[SupportedOS.Linux, SupportedOS.Windows],
     )