Powershell query changed to parse array of executed command dicts

guardicore · Jun 26, 2019 · 3e9dcd3 · 3e9dcd3
1 parent fea8567
commit 3e9dcd3
Show file tree

Hide file tree

Showing 8 changed files with 25 additions and 18 deletions.
diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py
@@ -66,7 +66,7 @@ def _exploit_host(self):
             "xp_cmdshell \"<nul set /p=, ^\'%s^\') >>%s\"" % (dst_path, tmp_file_path)]
         MSSQLExploiter.execute_command(cursor, commands)
         MSSQLExploiter.run_file(cursor, tmp_file_path)
-        self.add_powershell_cmd(' '.join(commands))
+        self.add_executed_cmd(' '.join(commands))
         # Form monkey's command in a file
         monkey_args = tools.build_monkey_commandline(self.host,
                                                      tools.get_monkey_depth() - 1,

diff --git a/monkey/infection_monkey/exploit/web_rce.py b/monkey/infection_monkey/exploit/web_rce.py
@@ -338,7 +338,7 @@ def upload_monkey(self, url, commands=None):
         command = self.get_command(paths['dest_path'], http_path, commands)
 
         resp = self.exploit(url, command)
-        self.add_powershell_cmd(command)
+        self.add_executed_cmd(command)
         resp = self.run_backup_commands(resp, url, paths['dest_path'], http_path)
 
         http_thread.join(DOWNLOAD_TIMEOUT)

diff --git a/monkey/infection_monkey/exploit/weblogic.py b/monkey/infection_monkey/exploit/weblogic.py
@@ -20,8 +20,8 @@
 LOG = logging.getLogger(__name__)
 # How long server waits for get request in seconds
 SERVER_TIMEOUT = 4
-# How long should we wait after each request in seconds
-REQUEST_DELAY = 0.1
+# How long should be wait after each request in seconds
+REQUEST_DELAY = 0.0001
 # How long to wait for a sign(request from host) that server is vulnerable. In seconds
 REQUEST_TIMEOUT = 5
 # How long to wait for response in exploitation. In seconds

diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py
@@ -13,8 +13,8 @@ class T1003(AttackTechnique):
     used_msg = "Monkey successfully obtained some credentials from systems on the network."
 
     query = {'telem_category': 'system_info_collection', '$and': [{'data.credentials': {'$exists': True}},
-                                                              # $gt: {} checks if field is not an empty object
-                                                              {'data.credentials': {'$gt': {}}}]}
+                                                                  # $gt: {} checks if field is not an empty object
+                                                                  {'data.credentials': {'$gt': {}}}]}
 
     @staticmethod
     def get_report_data():

diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1059.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1059.py
@@ -14,10 +14,13 @@ class T1059(AttackTechnique):
 
     query = [{'$match': {'telem_category': 'exploit',
                          'data.info.executed_cmds': {'$exists': True, '$ne': []}}},
+             {'$unwind': '$data.info.executed_cmds'},
+             {'$sort': {'data.info.executed_cmds.powershell': 1}},
              {'$project': {'_id': 0,
                            'machine': '$data.machine',
                            'info': '$data.info'}},
-             {'$group': {'_id': '$machine', 'data': {'$push': '$$ROOT'}}}]
+             {'$group': {'_id': '$machine', 'data': {'$push': '$$ROOT'}}},
+             {'$project': {'_id': 0, 'data': {'$arrayElemAt': ['$data', 0]}}}]
 
     @staticmethod
     def get_report_data():

diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1086.py
@@ -12,11 +12,16 @@ class T1086(AttackTechnique):
     scanned_msg = ""
     used_msg = "Monkey successfully ran powershell commands on exploited machines in the network."
 
-    query = [{'$match': {'telem_type': 'exploit',
-                         'data.info.executed_cmds.example': {'$elemMatch': {'powershell': True}}}},
-             {'$project': {'_id': 0,
-                           'machine': '$data.machine',
+    query = [{'$match': {'telem_category': 'exploit',
+                         'data.info.executed_cmds': {'$elemMatch': {'powershell': True}}}},
+             {'$project': {'machine': '$data.machine',
                            'info': '$data.info'}},
+             {'$project': {'_id': 0,
+                           'machine': 1,
+                           'info.finished': 1,
+                           'info.executed_cmds': {'$filter': {'input': '$info.executed_cmds',
+                                                              'as': 'command',
+                                                              'cond': {'$eq': ['$$command.powershell', True]}}}}},
              {'$group': {'_id': '$machine', 'data': {'$push': '$$ROOT'}}}]
 
     @staticmethod

diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1059.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1059.js
@@ -14,14 +14,13 @@ class T1059 extends React.Component {
     return ([{
       Header: 'Example commands used',
       columns: [
-        {Header: 'Machine', id: 'machine', accessor: x => renderMachine(x.data[0].machine), style: { 'whiteSpace': 'unset'}, width: 160 },
-        {Header: 'Approx. Time', id: 'time', accessor: x => x.data[0].info.finished, style: { 'whiteSpace': 'unset' }},
-        {Header: 'Command', id: 'command', accessor: x => x.data[0].info.executed_cmds[0].cmd, style: { 'whiteSpace': 'unset' }},
+        {Header: 'Machine', id: 'machine', accessor: x => renderMachine(x.data.machine), style: { 'whiteSpace': 'unset'}, width: 160 },
+        {Header: 'Approx. Time', id: 'time', accessor: x => x.data.info.finished, style: { 'whiteSpace': 'unset' }},
+        {Header: 'Command', id: 'command', accessor: x => x.data.info.executed_cmds.cmd, style: { 'whiteSpace': 'unset' }},
         ]
     }])};
 
   render() {
-    console.log(this.props.data);
     return (
       <div>
         <div>{this.props.data.message}</div>

diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1086.js
@@ -1,7 +1,7 @@
 import React from 'react';
 import '../../../styles/Collapse.scss'
 import ReactTable from "react-table";
-import { RenderMachine } from "./Helpers"
+import { renderMachine } from "./Helpers"
 
 
 class T1086 extends React.Component {
@@ -14,9 +14,9 @@ class T1086 extends React.Component {
     return ([{
       Header: 'Example Powershell commands used',
       columns: [
-        {Header: 'Machine', id: 'machine', accessor: x => RenderMachine(x.data[0].machine), style: { 'whiteSpace': 'unset'}, width: 160 },
+        {Header: 'Machine', id: 'machine', accessor: x => renderMachine(x.data[0].machine), style: { 'whiteSpace': 'unset'}, width: 160 },
         {Header: 'Approx. Time', id: 'time', accessor: x => x.data[0].info.finished, style: { 'whiteSpace': 'unset' }},
-        {Header: 'Command', id: 'command', accessor: x => x.data[0].info.executed_cmds.powershell, style: { 'whiteSpace': 'unset' }},
+        {Header: 'Command', id: 'command', accessor: x => x.data[0].info.executed_cmds[0].cmd, style: { 'whiteSpace': 'unset' }},
         ]
     }])};