def test_antivirus_existence(process_list_json, monkey_guid):
current_monkey = Monkey.get_single_monkey_by_guid(monkey_guid)
process_list_event = Event.create_event(
title="Process list",
message="Monkey on {} scanned the process list".format(
current_monkey.hostname),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_LOCAL)
events = [process_list_event]
av_processes = filter_av_processes(process_list_json["process_list"])
for process in av_processes:
events.append(
Event.create_event(
title="Found AV process",
message=
"The process '{}' was recognized as an Anti Virus process. Process "
"details: {}".format(process[1]['name'],
json.dumps(process[1])),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_LOCAL))
if len(av_processes) > 0:
test_status = zero_trust_consts.STATUS_PASSED
else:
test_status = zero_trust_consts.STATUS_FAILED
AggregateFinding.create_or_add_to_existing(
test=zero_trust_consts.TEST_ENDPOINT_SECURITY_EXISTS,
status=test_status,
events=events)
def test_machine_exploited(current_monkey, exploit_successful, exploiter, target_ip, timestamp):
events = [
Event.create_event(
title="Exploit attempt",
message="Monkey on {} attempted to exploit {} using {}.".format(
current_monkey.hostname,
target_ip,
exploiter),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK,
timestamp=timestamp
)
]
status = zero_trust_consts.STATUS_PASSED
if exploit_successful:
events.append(
Event.create_event(
title="Exploit success!",
message="Monkey on {} successfully exploited {} using {}.".format(
current_monkey.hostname,
target_ip,
exploiter),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK,
timestamp=timestamp)
)
status = zero_trust_consts.STATUS_FAILED
AggregateFinding.create_or_add_to_existing(
test=zero_trust_consts.TEST_MACHINE_EXPLOITED,
status=status,
events=events
)
add_malicious_activity_to_timeline(events)
def test_open_data_endpoints(telemetry_json):
services = telemetry_json["data"]["machine"]["services"]
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
found_http_server_status = zero_trust_consts.STATUS_PASSED
found_elastic_search_server = zero_trust_consts.STATUS_PASSED
events = [
Event.create_event(
title="Scan Telemetry",
message="Monkey on {} tried to perform a network scan, the target was {}.".format(
current_monkey.hostname,
telemetry_json["data"]["machine"]["ip_addr"]),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK,
timestamp=telemetry_json["timestamp"]
)
]
for service_name, service_data in list(services.items()):
events.append(Event.create_event(
title="Scan telemetry analysis",
message="Scanned service: {}.".format(service_name),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
))
if service_name in HTTP_SERVERS_SERVICES_NAMES:
found_http_server_status = zero_trust_consts.STATUS_FAILED
events.append(Event.create_event(
title="Scan telemetry analysis",
message="Service {} on {} recognized as an open data endpoint! Service details: {}".format(
service_data["display_name"],
telemetry_json["data"]["machine"]["ip_addr"],
json.dumps(service_data)
),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
))
if service_name == ES_SERVICE:
found_elastic_search_server = zero_trust_consts.STATUS_FAILED
events.append(Event.create_event(
title="Scan telemetry analysis",
message="Service {} on {} recognized as an open data endpoint! Service details: {}".format(
service_data["display_name"],
telemetry_json["data"]["machine"]["ip_addr"],
json.dumps(service_data)
),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
))
AggregateFinding.create_or_add_to_existing(
test=zero_trust_consts.TEST_DATA_ENDPOINT_HTTP,
status=found_http_server_status,
events=events
)
AggregateFinding.create_or_add_to_existing(
test=zero_trust_consts.TEST_DATA_ENDPOINT_ELASTIC,
status=found_elastic_search_server,
events=events
)
add_malicious_activity_to_timeline(events)
def check_tunneling_violation(tunnel_telemetry_json):
if tunnel_telemetry_json["data"]["proxy"] is not None:
# Monkey is tunneling, create findings
tunnel_host_ip = get_tunnel_host_ip_from_proxy_field(
tunnel_telemetry_json)
current_monkey = Monkey.get_single_monkey_by_guid(
tunnel_telemetry_json["monkey_guid"])
tunneling_events = [
Event.create_event(
title="Tunneling event",
message="Monkey on {hostname} tunneled traffic through {proxy}."
.format(hostname=current_monkey.hostname,
proxy=tunnel_host_ip),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK,
timestamp=tunnel_telemetry_json["timestamp"],
)
]
MonkeyZTFindingService.create_or_add_to_existing(
test=zero_trust_consts.TEST_TUNNELING,
status=zero_trust_consts.STATUS_FAILED,
events=tunneling_events,
)
MonkeyZTFindingService.add_malicious_activity_to_timeline(
tunneling_events)
def test_create_findings_for_all_done_pairs(self):
self.fail_if_not_testing_env()
self.clean_finding_db()
all_subnets = [FIRST_SUBNET, SECOND_SUBNET, THIRD_SUBNET]
monkey = Monkey(guid=str(uuid.uuid4()), ip_addresses=[FIRST_SUBNET])
# no findings
self.assertEquals(len(Finding.objects(test=TEST_SEGMENTATION)), 0)
# This is like the monkey is done and sent done telem
create_or_add_findings_for_all_pairs(all_subnets, monkey)
# There are 2 subnets in which the monkey is NOT
self.assertEquals(
len(Finding.objects(test=TEST_SEGMENTATION, status=STATUS_PASSED)),
2)
# This is a monkey from 2nd subnet communicated with 1st subnet.
SegmentationFinding.create_or_add_to_existing_finding(
[FIRST_SUBNET, SECOND_SUBNET], STATUS_FAILED,
Event.create_event(title="sdf",
message="asd",
event_type=EVENT_TYPE_MONKEY_NETWORK))
self.assertEquals(
len(Finding.objects(test=TEST_SEGMENTATION, status=STATUS_PASSED)),
1)
self.assertEquals(
len(Finding.objects(test=TEST_SEGMENTATION, status=STATUS_FAILED)),
1)
self.assertEquals(len(Finding.objects(test=TEST_SEGMENTATION)), 2)
def test_save_finding_sanity(self):
assert len(
Finding.objects(test=zero_trust_consts.TEST_SEGMENTATION)) == 0
event_example = Event.create_event(
title="Event Title",
message="event message",
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK,
)
monkey_details_example = MonkeyFindingDetails()
monkey_details_example.events.append(event_example)
monkey_details_example.save()
MonkeyFinding.save_finding(
test=zero_trust_consts.TEST_SEGMENTATION,
status=zero_trust_consts.STATUS_FAILED,
detail_ref=monkey_details_example,
)
assert len(
MonkeyFinding.objects(
test=zero_trust_consts.TEST_SEGMENTATION)) == 1
assert len(
MonkeyFinding.objects(status=zero_trust_consts.STATUS_FAILED)) == 1
assert len(
Finding.objects(status=zero_trust_consts.STATUS_FAILED)) == 1
def test_create_or_add_to_existing_2_tests_already_exist(self):
self.fail_if_not_testing_env()
self.clean_finding_db()
test = zero_trust_consts.TEST_MALICIOUS_ACTIVITY_TIMELINE
status = zero_trust_consts.STATUS_VERIFY
event = Event.create_event("t", "t",
zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK)
events = [event]
self.assertEqual(len(Finding.objects(test=test, status=status)), 0)
Finding.save_finding(test, status, events)
self.assertEqual(len(Finding.objects(test=test, status=status)), 1)
self.assertEqual(
len(Finding.objects(test=test, status=status)[0].events), 1)
AggregateFinding.create_or_add_to_existing(test, status, events)
self.assertEqual(len(Finding.objects(test=test, status=status)), 1)
self.assertEqual(
len(Finding.objects(test=test, status=status)[0].events), 2)
Finding.save_finding(test, status, events)
self.assertEqual(len(Finding.objects(test=test, status=status)), 2)
with self.assertRaises(AssertionError):
AggregateFinding.create_or_add_to_existing(test, status, events)
def get_segmentation_done_event(current_monkey, subnet_pair):
return Event.create_event(title="Segmentation test done",
message=SEGMENTATION_DONE_EVENT_TEXT.format(
hostname=current_monkey.hostname,
src_seg=subnet_pair[0],
dst_seg=subnet_pair[1]),
event_type=EVENT_TYPE_MONKEY_NETWORK)
def get_result_event(current_monkey, message, success):
message_format = COMM_AS_NEW_USER_SUCCEEDED_FORMAT if success else COMM_AS_NEW_USER_FAILED_FORMAT
return Event.create_event(
title="Communicate as new user",
message=message_format.format(current_monkey.hostname, message),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK)
def get_attempt_event(current_monkey):
tried_to_communicate_event = Event.create_event(
title="Communicate as new user",
message=
"Monkey on {} tried to create a new user and communicate from it.".
format(current_monkey.hostname),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK)
return tried_to_communicate_event
def test_create_event(self):
with pytest.raises(ValidationError):
_ = Event.create_event(
title=None, # title required
message="bla bla",
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK)
with pytest.raises(ValidationError):
_ = Event.create_event(
title="skjs",
message="bla bla",
event_type="Unknown" # Unknown event type
)
# Assert that nothing is raised.
_ = Event.create_event(
title="skjs",
message="bla bla",
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK)
def test_save_finding_sanity(self):
self.fail_if_not_testing_env()
self.clean_finding_db()
self.assertEquals(len(Finding.objects(test=TEST_SEGMENTATION)), 0)
event_example = Event.create_event(
title="Event Title", message="event message", event_type=EVENT_TYPE_MONKEY_NETWORK)
Finding.save_finding(test=TEST_SEGMENTATION, status=STATUS_FAILED, events=[event_example])
self.assertEquals(len(Finding.objects(test=TEST_SEGMENTATION)), 1)
self.assertEquals(len(Finding.objects(status=STATUS_FAILED)), 1)
def test_create_event(self):
self.fail_if_not_testing_env()
self.clean_finding_db()
with self.assertRaises(ValidationError):
_ = Event.create_event(
title=None, # title required
message="bla bla",
event_type=EVENT_TYPE_MONKEY_NETWORK)
with self.assertRaises(ValidationError):
_ = Event.create_event(
title="skjs",
message="bla bla",
event_type="Unknown" # Unknown event type
)
# Assert that nothing is raised.
_ = Event.create_event(title="skjs",
message="bla bla",
event_type=EVENT_TYPE_MONKEY_NETWORK)
def get_segmentation_violation_event(current_monkey, source_subnet, target_ip,
target_subnet):
return Event.create_event(
title="Segmentation event",
message=SEGMENTATION_VIOLATION_EVENT_TEXT.format(
hostname=current_monkey.hostname,
source_ip=get_ip_if_in_subnet(
current_monkey.ip_addresses,
NetworkRange.get_range_obj(source_subnet)),
source_seg=source_subnet,
target_ip=target_ip,
target_seg=target_subnet),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK)
def test_create_or_add_to_existing_finding(self):
self.fail_if_not_testing_env()
self.clean_finding_db()
first_segment = "1.1.1.0/24"
second_segment = "2.2.2.0-2.2.2.254"
third_segment = "3.3.3.3"
event = Event.create_event("bla", "bla",
zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK)
SegmentationFinding.create_or_add_to_existing_finding(
subnets=[first_segment, second_segment],
status=zero_trust_consts.STATUS_FAILED,
segmentation_event=event)
self.assertEqual(len(SegmentationFinding.objects()), 1)
self.assertEqual(len(SegmentationFinding.objects()[0].events), 1)
SegmentationFinding.create_or_add_to_existing_finding(
# !!! REVERSE ORDER
subnets=[second_segment, first_segment],
status=zero_trust_consts.STATUS_FAILED,
segmentation_event=event)
self.assertEqual(len(SegmentationFinding.objects()), 1)
self.assertEqual(len(SegmentationFinding.objects()[0].events), 2)
SegmentationFinding.create_or_add_to_existing_finding(
# !!! REVERSE ORDER
subnets=[first_segment, third_segment],
status=zero_trust_consts.STATUS_FAILED,
segmentation_event=event)
self.assertEqual(len(SegmentationFinding.objects()), 2)
SegmentationFinding.create_or_add_to_existing_finding(
# !!! REVERSE ORDER
subnets=[second_segment, third_segment],
status=zero_trust_consts.STATUS_FAILED,
segmentation_event=event)
self.assertEqual(len(SegmentationFinding.objects()), 3)
def test_create_or_add_to_existing(self):
self.fail_if_not_testing_env()
self.clean_finding_db()
test = TEST_MALICIOUS_ACTIVITY_TIMELINE
status = STATUS_VERIFY
events = [Event.create_event("t", "t", EVENT_TYPE_MONKEY_NETWORK)]
self.assertEquals(len(Finding.objects(test=test, status=status)), 0)
AggregateFinding.create_or_add_to_existing(test, status, events)
self.assertEquals(len(Finding.objects(test=test, status=status)), 1)
self.assertEquals(
len(Finding.objects(test=test, status=status)[0].events), 1)
AggregateFinding.create_or_add_to_existing(test, status, events)
self.assertEquals(len(Finding.objects(test=test, status=status)), 1)
self.assertEquals(
len(Finding.objects(test=test, status=status)[0].events), 2)
def test_tunneling_violation(tunnel_telemetry_json):
if tunnel_telemetry_json['data']['proxy'] is not None:
# Monkey is tunneling, create findings
tunnel_host_ip = get_tunnel_host_ip_from_proxy_field(
tunnel_telemetry_json)
current_monkey = Monkey.get_single_monkey_by_guid(
tunnel_telemetry_json['monkey_guid'])
tunneling_events = [
Event.create_event(
title="Tunneling event",
message="Monkey on {hostname} tunneled traffic through {proxy}."
.format(hostname=current_monkey.hostname,
proxy=tunnel_host_ip),
event_type=EVENT_TYPE_MONKEY_NETWORK,
timestamp=tunnel_telemetry_json['timestamp'])
]
AggregateFinding.create_or_add_to_existing(test=TEST_TUNNELING,
status=STATUS_FAILED,
events=tunneling_events)
add_malicious_activity_to_timeline(tunneling_events)
from datetime import datetime
import pytest
from common.common_consts import zero_trust_consts
from monkey_island.cc.models.zero_trust.event import Event
from monkey_island.cc.models.zero_trust.finding import Finding
from monkey_island.cc.models.zero_trust.monkey_finding import MonkeyFinding
from monkey_island.cc.services.zero_trust.monkey_findings.monkey_zt_finding_service import (
MonkeyZTFindingService, )
EVENTS = [
Event.create_event(
title="Process list",
message="Monkey on gc-pc-244 scanned the process list",
event_type="monkey_local",
timestamp=datetime.strptime("2021-01-19 12:07:17.802138",
"%Y-%m-%d %H:%M:%S.%f"),
),
Event.create_event(
title="Communicate as new user",
message="Monkey on gc-pc-244 couldn't communicate as new user. "
"Details: System error 5 has occurred. Access is denied.",
event_type="monkey_network",
timestamp=datetime.strptime("2021-01-19 12:22:42.246020",
"%Y-%m-%d %H:%M:%S.%f"),
),
]
TESTS = [
zero_trust_consts.TEST_ENDPOINT_SECURITY_EXISTS,
from datetime import datetime
import pytest
from common.common_consts import zero_trust_consts
from monkey_island.cc.models.zero_trust.event import Event
from monkey_island.cc.models.zero_trust.finding import Finding
from monkey_island.cc.models.zero_trust.monkey_finding import MonkeyFinding
from monkey_island.cc.services.zero_trust.monkey_findings.monkey_zt_finding_service import MonkeyZTFindingService
from monkey_island.cc.test_common.fixtures import FixtureEnum
EVENTS = [
Event.create_event(
title='Process list',
message='Monkey on gc-pc-244 scanned the process list',
event_type='monkey_local',
timestamp=datetime.strptime('2021-01-19 12:07:17.802138', '%Y-%m-%d %H:%M:%S.%f')
),
Event.create_event(
title='Communicate as new user',
message='Monkey on gc-pc-244 couldn\'t communicate as new user. '
'Details: System error 5 has occurred. Access is denied.',
event_type='monkey_network',
timestamp=datetime.strptime('2021-01-19 12:22:42.246020', '%Y-%m-%d %H:%M:%S.%f')
)
]
TESTS = [
zero_trust_consts.TEST_ENDPOINT_SECURITY_EXISTS,
zero_trust_consts.TEST_COMMUNICATE_AS_NEW_USER
]