def deploy_ability(test_executor, event_loop):
    """Fixture: build a ``persistence`` Ability around ``test_executor``, store it, return it.

    The executor is serialised with ``ExecutorSchema`` so ``AbilitySchema``
    can re-load it as the ability's single nested executor.  The ability is
    persisted through the ``data_svc`` service (an awaitable driven on
    ``event_loop``) before being handed back to the test.

    Args:
        test_executor: an ``Executor`` object provided by a sibling fixture.
        event_loop: the asyncio loop used to run the async store call.

    Returns:
        The loaded ``Ability`` object (with fixed ``ability_id`` '123').
    """
    executor_payload = ExecutorSchema().dump(test_executor)
    payload = {
        'ability_id': '123',
        'tactic': 'persistence',
        'technique_id': 'auto-generated',
        'technique_name': 'auto-generated',
        'name': 'test deploy command',
        'description': 'test ability',
        'executors': [executor_payload],
    }
    ability = AbilitySchema().load(payload)
    data_svc = BaseService.get_service('data_svc')
    event_loop.run_until_complete(data_svc.store(ability))
    return ability
def test_ability(test_executor, loop):
    """Fixture: build a ``discovery`` Ability named 'Manual Command', store it, return it.

    Mirrors the shape of the other ability fixtures: the executor is dumped
    with ``ExecutorSchema`` and nested into the ability payload, the ability
    is loaded via ``AbilitySchema`` and persisted with ``data_svc.store``
    on ``loop``.

    Args:
        test_executor: an ``Executor`` object provided by a sibling fixture.
        loop: the asyncio loop used to run the async store call.

    Returns:
        The loaded ``Ability`` object (fixed ``ability_id`` '123').
    """
    executor_payload = ExecutorSchema().dump(test_executor)
    payload = {
        'ability_id': '123',
        'tactic': 'discovery',
        'technique_id': 'auto-generated',
        'technique_name': 'auto-generated',
        'name': 'Manual Command',
        'description': 'test ability',
        'executors': [executor_payload],
    }
    ability = AbilitySchema().load(payload)
    data_svc = BaseService.get_service('data_svc')
    loop.run_until_complete(data_svc.store(ability))
    return ability
class LinkSchema(ma.Schema):
    """Marshmallow schema for ``Link`` objects.

    ``Meta.unknown = EXCLUDE`` means keys not declared below are silently
    dropped on ``load()`` instead of raising a validation error.

    NOTE(review): this revision has no ``pre_load`` hook that strips
    server-owned attributes (``output``, ``facts``, ``pid``, ``status``,
    ``unique``, ``collect``, ``finish``, ...).  If any caller passes
    client-supplied input to ``load()``, every declared field is settable
    by that client — confirm against the callers before relying on it.
    """
    class Meta:
        unknown = ma.EXCLUDE

    # ``missing=`` is the value used on load when the key is absent.
    id = ma.fields.String(missing='')
    paw = ma.fields.String()
    command = ma.fields.String()
    status = ma.fields.Integer(missing=-3)
    score = ma.fields.Integer(missing=0)
    jitter = ma.fields.Integer(missing=0)
    decide = ma.fields.DateTime(format='%Y-%m-%d %H:%M:%S')
    pin = ma.fields.Integer(missing=0)
    pid = ma.fields.String()
    facts = ma.fields.List(ma.fields.Nested(FactSchema()))
    relationships = ma.fields.List(ma.fields.Nested(RelationshipSchema()))
    used = ma.fields.List(ma.fields.Nested(FactSchema()))
    unique = ma.fields.String()
    # ``default=''`` only applies on dump when the attribute is absent.
    collect = ma.fields.DateTime(format='%Y-%m-%d %H:%M:%S', default='')
    finish = ma.fields.String()
    ability = ma.fields.Nested(AbilitySchema())
    executor = ma.fields.Nested(ExecutorSchema())
    cleanup = ma.fields.Integer(missing=0)
    # Passed as a class rather than an instance; marshmallow's Nested accepts either.
    visibility = ma.fields.Nested(VisibilitySchema)
    host = ma.fields.String(missing=None)
    output = ma.fields.String()
    deadman = ma.fields.Boolean()
    agent_reported_time = ma.fields.DateTime(format='%Y-%m-%d %H:%M:%S',
                                             missing=None)

    @ma.pre_load()
    def fix_ability(self, link: dict, **_) -> dict:
        """If ``link['ability']`` is an ``Ability`` object, replace it with its dict form.

        The nested field expects a mapping, so an object is dumped through
        its own schema first.  The pop/re-insert moves the key to the end
        of the mapping; the value is what matters.
        """
        if 'ability' in link and isinstance(link['ability'], Ability):
            ability = link.pop('ability')
            link['ability'] = ability.schema.dump(ability)
        return link

    @ma.pre_load()
    def fix_executor(self, link: dict, **_) -> dict:
        """Same normalisation as ``fix_ability`` for an ``Executor`` object under ``link['executor']``."""
        if 'executor' in link and isinstance(link['executor'], Executor):
            executor = link.pop('executor')
            link['executor'] = executor.schema.dump(executor)
        return link

    @ma.post_load()
    def build_link(self, data: dict, **_) -> 'Link':
        """Turn the validated mapping into a ``Link`` (all keys become constructor kwargs)."""
        return Link(**data)

    @ma.post_dump()
    def prepare_dump(self, data: dict, **_) -> dict:
        """Omit ``agent_reported_time`` from the serialised output when it is ``None``."""
        if data.get('agent_reported_time', None) is None:
            data.pop('agent_reported_time', None)
        return data
 def build_ability(self, data: dict, executor: Executor):
     """Fill in defaults on ``data``, attach ``executor`` and load it as an ``Ability``.

     Any of ``ability_id``, ``tactic``, ``technique_id``, ``technique_name``,
     ``name`` and ``description`` that is missing or falsy is replaced with a
     default (``ability_id`` gets a fresh UUID4 string).  ``data['executors']``
     is always overwritten with the single serialised ``executor``.

     Args:
         data: mapping describing the ability; **mutated in place** (defaults
             are written into the caller's dict and ``executors`` is replaced).
         executor: the ``Executor`` the ability should carry.

     Returns:
         The ``Ability`` produced by ``AbilitySchema().load``.

     NOTE(review): a caller-supplied ``ability_id`` is used verbatim; whether
     storing the result can overwrite an existing ability with the same id is
     not visible here — confirm at the call site.
     """
     fallbacks = (
         ('tactic', 'auto-generated'),
         ('technique_id', 'auto-generated'),
         ('technique_name', 'auto-generated'),
         ('name', 'Manual Command'),
         ('description', 'Manual command ability'),
     )
     if not data.get('ability_id'):
         data['ability_id'] = str(uuid.uuid4())
     for key, fallback in fallbacks:
         if not data.get(key):
             data[key] = fallback
     data['executors'] = [ExecutorSchema().dump(executor)]
     return AbilitySchema().load(data)
def replaced_ability_payload(test_ability):
    """Fixture: a dict payload for replacing ``test_ability`` with changed metadata.

    Starts from the serialised form of ``test_ability`` and overrides the
    name, tactic, technique, executors (a single linux ``sh`` executor running
    ``whoami``), plugin and requirements (one ``paw_provenance`` requirement
    matching on ``host.user.name``).

    Args:
        test_ability: the ``Ability`` whose dump is the base of the payload.

    Returns:
        A plain dict suitable for sending to an ability replace/update call.
    """
    linux_executor = Executor(name='sh',
                              platform='linux',
                              command='whoami')
    provenance_requirement = Requirement(
        module='plugins.stockpile.app.requirements.paw_provenance',
        relationship_match=[{
            'source': 'host.user.name'
        }])
    overrides = {
        'name': 'replaced test ability',
        'tactic': 'collection',
        'technique_name': 'discovery',
        'technique_id': '2',
        'executors': [ExecutorSchema().dump(linux_executor)],
        'plugin': '',
        'requirements': [RequirementSchema().dump(provenance_requirement)],
    }
    ability_data = test_ability.schema.dump(test_ability)
    ability_data.update(overrides)
    return ability_data
def new_ability_payload():
    """Fixture: a complete dict payload for creating a brand-new ability.

    The payload carries a fixed ``ability_id`` ('456'), a single linux ``sh``
    executor running ``whoami``, and empty/false values for the remaining
    ability attributes (access, additional_info, requirements, privilege,
    repeatable, singleton, plugin).

    Returns:
        A plain dict suitable for an ability create call.
    """
    linux_executor = Executor(name='sh',
                              platform='linux',
                              command='whoami')
    executors = [ExecutorSchema().dump(linux_executor)]
    return dict(
        name='new test ability',
        ability_id='456',
        tactic='collection',
        technique_name='collection',
        technique_id='1',
        executors=executors,
        access={},
        additional_info={},
        buckets=['collection'],
        description='',
        privilege='',
        repeatable=False,
        requirements=[],
        singleton=False,
        plugin='',
    )
def test_executor(test_agent):
    """Fixture: an ``Executor`` named 'linux' running ``ls`` with a 60s timeout.

    The executor's platform is copied from ``test_agent`` so it matches the
    agent fixture it is paired with.

    Args:
        test_agent: the agent fixture whose ``platform`` attribute is reused.

    Returns:
        The ``Executor`` produced by ``ExecutorSchema().load``.
    """
    spec = {
        'timeout': 60,
        'platform': test_agent.platform,
        'name': 'linux',
        'command': 'ls',
    }
    return ExecutorSchema().load(spec)
class LinkSchema(ma.Schema):
    """Marshmallow schema for ``Link`` objects.

    ``Meta.unknown = EXCLUDE`` silently drops undeclared keys on ``load()``.
    Three ``pre_load`` hooks run before validation: ``fix_ability`` and
    ``fix_executor`` normalise ``Ability``/``Executor`` objects into dicts,
    and ``remove_properties`` discards attributes the server derives itself
    so they cannot be injected through ``load()``.

    NOTE(review): ``command``, ``status``, ``score``, ``pin``, ``jitter``,
    ``cleanup``, ``paw``, ``host`` and ``deadman`` are *not* stripped, so
    they remain settable by whoever calls ``load()`` — presumably intended
    for clients creating links; confirm the caller enforces authorisation.
    """
    class Meta:
        unknown = ma.EXCLUDE

    # ``missing=`` is the value used on load when the key is absent.
    id = ma.fields.String(missing='')
    paw = ma.fields.String()
    command = ma.fields.String()
    status = ma.fields.Integer(missing=-3)
    score = ma.fields.Integer(missing=0)
    jitter = ma.fields.Integer(missing=0)
    decide = ma.fields.DateTime(format=BaseObject.TIME_FORMAT)
    pin = ma.fields.Integer(missing=0)
    pid = ma.fields.String()
    facts = ma.fields.List(ma.fields.Nested(FactSchema()))
    relationships = ma.fields.List(ma.fields.Nested(RelationshipSchema()))
    used = ma.fields.List(ma.fields.Nested(FactSchema()))
    unique = ma.fields.String()
    # ``default=''`` only applies on dump when the attribute is absent.
    collect = ma.fields.DateTime(format=BaseObject.TIME_FORMAT, default='')
    finish = ma.fields.String()
    ability = ma.fields.Nested(AbilitySchema())
    executor = ma.fields.Nested(ExecutorSchema())
    cleanup = ma.fields.Integer(missing=0)
    visibility = ma.fields.Nested(VisibilitySchema())
    host = ma.fields.String(missing=None)
    output = ma.fields.String()
    deadman = ma.fields.Boolean()
    agent_reported_time = ma.fields.DateTime(format=BaseObject.TIME_FORMAT,
                                             missing=None)

    @ma.pre_load()
    def fix_ability(self, link: dict, **_) -> dict:
        """If ``link['ability']`` is an ``Ability`` object, replace it with its dict form.

        The nested field expects a mapping, so an object is dumped through
        its own schema first.  The pop/re-insert moves the key to the end
        of the mapping; the value is what matters.
        """
        if 'ability' in link and isinstance(link['ability'], Ability):
            ability = link.pop('ability')
            link['ability'] = ability.schema.dump(ability)
        return link

    @ma.pre_load()
    def fix_executor(self, link: dict, **_) -> dict:
        """Same normalisation as ``fix_ability`` for an ``Executor`` object under ``link['executor']``."""
        if 'executor' in link and isinstance(link['executor'], Executor):
            executor = link.pop('executor')
            link['executor'] = executor.schema.dump(executor)
        return link

    @ma.pre_load()
    def remove_properties(self, data: dict, **_) -> dict:
        """Drop server-owned attributes from the input so they cannot be set via ``load()``.

        Each ``pop`` is tolerant of a missing key.
        NOTE(review): ``'used.unique'`` is a literal top-level key — ``dict.pop``
        does not resolve dotted paths — so that line is a no-op on a flat
        mapping.  Presumably it was meant to strip ``unique`` from each entry
        of ``used``; confirm the intent before fixing.
        """
        data.pop('unique', None)
        data.pop('decide', None)
        data.pop('pid', None)
        data.pop('facts', None)
        data.pop('collect', None)
        data.pop('finish', None)
        data.pop('visibility', None)
        data.pop('output', None)
        data.pop('used.unique', None)
        return data

    @ma.post_load()
    def build_link(self, data: dict, **kwargs) -> 'Link | None':
        """Build a ``Link`` from the validated mapping.

        Returns ``None`` instead when the load was partial
        (``kwargs['partial'] is True``) — presumably such loads are used for
        validation only, not to construct an object.
        """
        return None if kwargs.get('partial') is True else Link(**data)

    @ma.post_dump()
    def prepare_dump(self, data: dict, **_) -> dict:
        """Omit ``agent_reported_time`` from the serialised output when it is ``None``."""
        if data.get('agent_reported_time', None) is None:
            data.pop('agent_reported_time', None)
        return data
 async def load_executors_from_list(self, executors: list):
     """Load each mapping in ``executors`` through ``ExecutorSchema`` and return the objects.

     Args:
         executors: list of executor mappings in the shape ``ExecutorSchema`` accepts.

     Returns:
         A list of ``Executor`` objects, in input order.  Validation errors
         raised by the schema propagate to the caller.
     """
     loaded = []
     for entry in executors:
         loaded.append(ExecutorSchema().load(entry))
     return loaded
 def build_executor(self, data: dict, agent: Agent):
     """Default the timeout, pin the platform to ``agent`` and load an ``Executor``.

     Args:
         data: executor mapping; **mutated in place** — ``timeout`` is set to
             60 when missing or falsy (an explicit ``0`` is also replaced;
             confirm that 0 is never meaningful), and ``platform`` is always
             overwritten with ``agent.platform`` so the caller cannot target a
             different platform.
         agent: the ``Agent`` whose platform the executor must match.

     Returns:
         The ``Executor`` produced by ``ExecutorSchema().load``.
     """
     timeout = data.get('timeout')
     if not timeout:
         data['timeout'] = 60
     data['platform'] = agent.platform
     return ExecutorSchema().load(data)