2269 update reports with exploitation events

docs/content/development/adding-exploits.md

@@ -92,14 +92,14 @@ A good example of an exploiter class is the [`SSHExploiter`](https://github.com/
 
 #### Reporting
 
-1. In the [report generation pipeline](https://github.com/guardicore/monkey/blob/develop/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py), define how your **exploiter's data** should be processed and displayed in the report. Use the default `ExploitProcessor` or create a custom exploit processor if needed.
+1. In the [report generation pipeline](https://github.com/guardicore/monkey/blob/develop/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py), define how your **exploiter** should be displayed in the report.
 
 ```py
 class ExploiterDescriptorEnum(Enum):
-    SMB = ExploiterDescriptor("SmbExploiter", "SMB Exploiter", CredExploitProcessor)
+    SMB = ExploiterDescriptor("SmbExploiter", "SMB Exploiter")
     ...
-    ZEROLOGON = ExploiterDescriptor("ZerologonExploiter", "Zerologon Exploiter", ZerologonExploitProcessor)
-    MYNEWEXPLOITER = ExploitDescriptor("MyNewExploiter", "My New Eexploiter", ExploitProcessor)    <=================================
+    ZEROLOGON = ExploiterDescriptor("ZerologonExploiter", "Zerologon Exploiter")
+    MYNEWEXPLOITER = ExploitDescriptor("MyNewExploiter", "My New Exploiter")    <=================================
 ```
 
 2. Describe how the Monkey Island should **display your exploiter's results** by defining the UI contents in the [security report](https://github.com/guardicore/monkey/blob/develop/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js).

monkey/monkey_island/cc/services/initialize.py

@@ -93,6 +93,7 @@ def initialize_services(container: DIContainer, data_dir: Path):
     ReportService.initialize(
         container.resolve(AWSService),
         container.resolve(IAgentConfigurationRepository),
+        container.resolve(IAgentEventRepository),
         container.resolve(ICredentialsRepository),
         container.resolve(IMachineRepository),
         container.resolve(INodeRepository),

monkey/monkey_island/cc/services/node.py

@@ -239,10 +239,6 @@ def get_monkey_by_guid(monkey_guid):
     def get_monkey_by_ip(ip_address):
         return mongo.db.monkey.find_one({"ip_addresses": ip_address})
 
-    @staticmethod
-    def get_node_by_ip(ip_address):
-        return mongo.db.node.find_one({"ip_addresses": ip_address})
-
     @staticmethod
     def get_node_by_id(node_id):
         return mongo.db.node.find_one({"_id": ObjectId(node_id)})
@@ -322,13 +318,6 @@ def is_any_monkey_exists():
     def is_monkey_finished_running():
         return NodeService.is_any_monkey_exists() and not NodeService.is_any_monkey_alive()
 
-    @staticmethod
-    def get_node_or_monkey_by_ip(ip_address):
-        node = NodeService.get_node_by_ip(ip_address)
-        if node is not None:
-            return node
-        return NodeService.get_monkey_by_ip(ip_address)
-
     @staticmethod
     def get_node_or_monkey_by_id(node_id):
         node = NodeService.get_node_by_id(node_id)

monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py

@@ -1,42 +1,23 @@
 from dataclasses import dataclass
 from enum import Enum
-from typing import Type
-
-from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.cred_exploit import (  # noqa: E501
-    CredExploitProcessor,
-)
-from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.exploit import (  # noqa: E501
-    ExploitProcessor,
-)
-from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.log4shell import (  # noqa: E501
-    Log4ShellProcessor,
-)
-from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.zerologon import (  # noqa: E501
-    ZerologonExploitProcessor,
-)
 
 
 @dataclass
 class ExploiterDescriptor:
     # Must match with class names of exploiters in Infection Monkey code
     class_name: str
     display_name: str
-    processor: Type[object] = ExploitProcessor
 
 
 class ExploiterDescriptorEnum(Enum):
-    SMB = ExploiterDescriptor("SmbExploiter", "SMB Exploiter", CredExploitProcessor)
-    WMI = ExploiterDescriptor("WmiExploiter", "WMI Exploiter", CredExploitProcessor)
-    SSH = ExploiterDescriptor("SSHExploiter", "SSH Exploiter", CredExploitProcessor)
-    HADOOP = ExploiterDescriptor("HadoopExploiter", "Hadoop/Yarn Exploiter", ExploitProcessor)
-    MSSQL = ExploiterDescriptor("MSSQLExploiter", "MSSQL Exploiter", ExploitProcessor)
-    ZEROLOGON = ExploiterDescriptor(
-        "ZerologonExploiter", "Zerologon Exploiter", ZerologonExploitProcessor
-    )
-    POWERSHELL = ExploiterDescriptor(
-        "PowerShellExploiter", "PowerShell Remoting Exploiter", ExploitProcessor
-    )
-    LOG4SHELL = ExploiterDescriptor("Log4ShellExploiter", "Log4Shell Exploiter", Log4ShellProcessor)
+    SMB = ExploiterDescriptor("SmbExploiter", "SMB Exploiter")
+    WMI = ExploiterDescriptor("WmiExploiter", "WMI Exploiter")
+    SSH = ExploiterDescriptor("SSHExploiter", "SSH Exploiter")
+    HADOOP = ExploiterDescriptor("HadoopExploiter", "Hadoop/Yarn Exploiter")
+    MSSQL = ExploiterDescriptor("MSSQLExploiter", "MSSQL Exploiter")
+    ZEROLOGON = ExploiterDescriptor("ZerologonExploiter", "Zerologon Exploiter")
+    POWERSHELL = ExploiterDescriptor("PowerShellExploiter", "PowerShell Remoting Exploiter")
+    LOG4SHELL = ExploiterDescriptor("Log4ShellExploiter", "Log4Shell Exploiter")
 
     @staticmethod
     def get_by_class_name(class_name: str) -> ExploiterDescriptor:

monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_report_info.py

@@ -1,6 +1,6 @@
 from dataclasses import dataclass
 from enum import Enum
-from typing import List, Union
+from typing import Union
 
 
 class CredentialType(Enum):
@@ -14,11 +14,5 @@ class ExploiterReportInfo:
     machine: str
     ip_address: str
     type: str
-    username: Union[str, None] = None
     credential_type: Union[str, None] = None
-    ssh_key: Union[str, None] = None
-    password: Union[str, None] = None
-    port: Union[str, None] = None
-    paths: Union[List[str], None] = None
     password_restored: Union[bool, None] = None
-    service: Union[str, None] = None

monkey/monkey_island/cc/services/reporting/report.py

@@ -1,9 +1,12 @@
 import functools
 import ipaddress
 import logging
+from collections import defaultdict
+from dataclasses import asdict
 from itertools import chain, product
-from typing import List, Optional
+from typing import Dict, Iterable, List, Optional
 
+from common.agent_events import ExploitationEvent, PasswordRestorationEvent
 from common.network.network_range import NetworkRange
 from common.network.network_utils import get_my_ip_addresses_legacy, get_network_interfaces
 from common.network.segmentation_utils import get_ip_in_src_and_not_in_dst
@@ -12,6 +15,7 @@
 from monkey_island.cc.models.report import get_report, save_report
 from monkey_island.cc.repository import (
     IAgentConfigurationRepository,
+    IAgentEventRepository,
     ICredentialsRepository,
     IMachineRepository,
     INodeRepository,
@@ -29,14 +33,15 @@
 from .. import AWSService
 from . import aws_exporter
 from .issue_processing.exploit_processing.exploiter_descriptor_enum import ExploiterDescriptorEnum
-from .issue_processing.exploit_processing.processors.exploit import ExploiterReportInfo
+from .issue_processing.exploit_processing.exploiter_report_info import ExploiterReportInfo
 
 logger = logging.getLogger(__name__)
 
 
 class ReportService:
     _aws_service: Optional[AWSService] = None
     _agent_configuration_repository: Optional[IAgentConfigurationRepository] = None
+    _agent_event_repository: Optional[IAgentEventRepository] = None
     _credentials_repository: Optional[ICredentialsRepository] = None
     _machine_repository: Optional[IMachineRepository] = None
     _node_repository: Optional[INodeRepository] = None
@@ -49,12 +54,14 @@ def initialize(
         cls,
         aws_service: AWSService,
         agent_configuration_repository: IAgentConfigurationRepository,
+        agent_event_repository: IAgentEventRepository,
         credentials_repository: ICredentialsRepository,
         machine_repository: IMachineRepository,
         node_repository: INodeRepository,
     ):
         cls._aws_service = aws_service
         cls._agent_configuration_repository = agent_configuration_repository
+        cls._agent_event_repository = agent_event_repository
         cls._credentials_repository = credentials_repository
         cls._machine_repository = machine_repository
         cls._node_repository = node_repository
@@ -142,39 +149,58 @@ def get_scanners_of_machine(cls, machine: Machine) -> List[Machine]:
         for node in nodes:
             for dest, conn in node.connections.items():
                 if CommunicationType.SCANNED in conn and dest == machine.id:
-                    scanner_machine = ReportService._machine_repository.get_machine_by_id(
-                        node.machine_id
-                    )
+                    scanner_machine = cls._machine_repository.get_machine_by_id(node.machine_id)
                     scanner_machines.add(scanner_machine)
 
         return list(scanner_machines)
 
-    @staticmethod
-    def process_exploit(exploit) -> ExploiterReportInfo:
-        exploiter_type = exploit["data"]["exploiter"]
-        exploiter_descriptor = ExploiterDescriptorEnum.get_by_class_name(exploiter_type)
-        processor = exploiter_descriptor.processor()
-        exploiter_info = processor.get_exploit_info_by_dict(exploiter_type, exploit)
-        return exploiter_info
+    @classmethod
+    def process_exploit_event(
+        cls,
+        exploitation_event: ExploitationEvent,
+        password_restored: Dict[ipaddress.IPv4Address, bool],
+    ) -> ExploiterReportInfo:
+        if not cls._machine_repository:
+            raise RuntimeError("Machine repository does not exist")
+
+        target_machine = cls._machine_repository.get_machines_by_ip(exploitation_event.target)[0]
+        return ExploiterReportInfo(
+            target_machine.hostname,
+            str(exploitation_event.target),
+            exploitation_event.exploiter_name,
+            password_restored=password_restored[exploitation_event.target],
+        )
 
     @staticmethod
-    def get_exploits() -> List[dict]:
-        query = [
-            {"$match": {"telem_category": "exploit", "data.exploitation_result": True}},
-            {
-                "$group": {
-                    "_id": {"ip_address": "$data.machine.ip_addr"},
-                    "data": {"$first": "$$ROOT"},
-                }
-            },
-            {"$replaceRoot": {"newRoot": "$data"}},
-        ]
-        exploits = []
-        for exploit in mongo.db.telemetry.aggregate(query):
-            new_exploit = ReportService.process_exploit(exploit)
-            if new_exploit not in exploits:
-                exploits.append(new_exploit.__dict__)
-        return exploits
+    def filter_single_exploit_per_ip(
+        exploitation_events: Iterable[ExploitationEvent],
+    ) -> Iterable[ExploitationEvent]:
+        """
+        Yields the first exploit for each target IP
+        """
+        ips = set()
+        for exploit in exploitation_events:
+            if exploit.target not in ips:
+                ips.add(exploit.target)
+                yield exploit
+
+    @classmethod
+    def get_exploits(cls) -> List[dict]:
+        if not cls._agent_event_repository:
+            raise RuntimeError("Agent event repository does not exist")
+
+        # Get the successful exploits
+        exploits = cls._agent_event_repository.get_events_by_type(ExploitationEvent)
+        successful_exploits = filter(lambda x: x.success, exploits)
+        filtered_exploits = ReportService.filter_single_exploit_per_ip(successful_exploits)
+
+        zerologon_events = cls._agent_event_repository.get_events_by_type(PasswordRestorationEvent)
+        password_restored = defaultdict(
+            lambda: None, {e.target: e.success for e in zerologon_events}
+        )
+
+        # Convert the ExploitationEvent into an ExploiterReportInfo
+        return [asdict(cls.process_exploit_event(e, password_restored)) for e in filtered_exploits]
 
     @staticmethod
     def get_monkey_subnets(monkey_guid):