コード例 #1
ファイル: data_svc.py プロジェクト: elegantmoose/caldera
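 async def _create_ability(self, ability_id, tactic, technique_name, technique_id, name, test, description, executor,
                           platform, cleanup=None, payload=None, parsers=None, requirements=None, privilege=None):
     """Assemble an Ability from its raw fields and persist it with ``self.store``.

     ``parsers`` and ``requirements`` are read as mappings of module name to a
     list of relationship entries. Each entry must provide ``source``; ``edge``
     and ``target`` are optional and come through as ``None`` when absent.
     Leaving either mapping at its default ``None`` means "none declared".

     Raises:
         KeyError: if a relationship entry has no ``source`` key.
     """
     def _relationships(entries):
         # 'source' is indexed directly so a malformed definition fails loudly
         # here instead of yielding a relationship without a source.
         return [Relationship(source=r['source'], edge=r.get('edge'), target=r.get('target')) for r in entries]

     # Both arguments default to None, and iterating None raises TypeError.
     parsers = parsers or {}
     requirements = requirements or {}
     ps = [Parser(module=module, relationships=_relationships(parsers[module])) for module in parsers]
     rs = [Requirement(module=module, relationships=_relationships(requirements[module]))
           for module in requirements]
     await self.store(Ability(ability_id=ability_id, name=name, test=test, tactic=tactic,
                              technique_id=technique_id, technique=technique_name,
                              executor=executor, platform=platform, description=description,
                              cleanup=cleanup, payload=payload, parsers=ps, requirements=rs, privilege=privilege))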
コード例 #2
ファイル: acrn.py プロジェクト: serksimper/stockpile
 def parse(self, blob):
     """Return one Relationship per (VM name, mapper) pair.

     VM names come from ``self._get_vm_names(blob)``. The name is the source
     value; the target value is always ``None``.
     """
     names = self._get_vm_names(blob)
     return [
         Relationship(source=(mapper.source, vm), edge=mapper.edge, target=(mapper.target, None))
         for vm in names
         for mapper in self.mappers
     ]
コード例 #3
 def parse(self, blob):
     """Build one Relationship per (filename match, mapper) pair.

     Both ends of each relationship are resolved through ``self.set_value``
     using the match and ``self.used_facts``.
     """
     found = []
     for hit in self.filename(blob):
         for mapper in self.mappers:
             src_value = self.set_value(mapper.source, hit, self.used_facts)
             dst_value = self.set_value(mapper.target, hit, self.used_facts)
             link = Relationship(source=(mapper.source, src_value),
                                 edge=mapper.edge,
                                 target=(mapper.target, dst_value))
             found.append(link)
     return found
コード例 #4
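 def parse(self, blob):
     """Turn ``source:target`` lines of ``blob`` into Relationships, one per mapper.

     The text before the first ``:`` becomes the source value and the text
     between the first and second ``:`` becomes the target value. Lines that
     contain no ``:`` are skipped.
     """
     relationships = []
     for match in self.line(blob):
         values = match.split(':')
         if len(values) < 2:
             # No separator means no target: indexing values[1] would raise
             # IndexError and discard every relationship already collected.
             continue
         # NOTE(review): anything after a second ':' is dropped (values[2:]);
         # confirm no expected value can itself contain ':'.
         for mp in self.mappers:
             relationships.append(
                 Relationship(source=(mp.source, values[0]),
                              edge=mp.edge,
                              target=(mp.target, values[1]))
             )
     return relationships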
コード例 #5
ファイル: nbtstat.py プロジェクト: serksimper/stockpile
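 def parse(self, blob):
     """Map each entry from ``self.nbt_parser(blob)`` to one Relationship per mapper.

     Parsing is best-effort: any exception stops processing and is reported as
     a warning, and whatever was collected up to that point is returned.
     """
     import logging

     relationships = []
     try:
         for match in self.nbt_parser(blob):
             for mp in self.mappers:
                 relationships.append(
                     Relationship(source=(mp.source, match),
                                  edge=mp.edge,
                                  target=(mp.target, None)))
     except Exception as error:
         # Stay best-effort, but leave a trace: a silently swallowed failure is
         # indistinguishable from "the output contained nothing".
         logging.getLogger(__name__).warning('nbtstat parser encountered an error - %s. Continuing...', error)
     return relationships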
コード例 #6
ファイル: antivirus.py プロジェクト: serksimper/stockpile
 def parse(self, blob):
     """Emit Relationships for every ``self.ANTIVIRUS`` entry seen in ``blob``.

     The blob is lower-cased before it is split into lines, and each entry is
     looked for as a substring of a line. The matched entry, not the raw line,
     is what gets passed to ``self.set_value`` for both source and target.
     """
     results = []
     for line in self.line(blob.lower()):
         detected = [av for av in self.ANTIVIRUS if av in line]
         for product in detected:
             for mapper in self.mappers:
                 src_value = self.set_value(mapper.source, product, self.used_facts)
                 dst_value = self.set_value(mapper.target, product, self.used_facts)
                 link = Relationship(source=(mapper.source, src_value),
                                     edge=mapper.edge,
                                     target=(mapper.target, dst_value))
                 results.append(link)
     return results
コード例 #7
ファイル: nmap.py プロジェクト: serksimper/stockpile
 def parse(self, blob):
     """Emit Relationships for each line in which ``self._locate_port`` finds a port.

     Lines for which ``_locate_port`` returns a falsy value are ignored. The
     located port is resolved through ``self.set_value`` for both ends.
     """
     results = []
     for line in self.line(blob):
         port = self._locate_port(line)
         if not port:
             continue
         for mapper in self.mappers:
             src_value = self.set_value(mapper.source, port, self.used_facts)
             dst_value = self.set_value(mapper.target, port, self.used_facts)
             link = Relationship(source=(mapper.source, src_value),
                                 edge=mapper.edge,
                                 target=(mapper.target, dst_value))
             results.append(link)
     return results
コード例 #8
ファイル: gdomain.py プロジェクト: clenk/stockpile
 def parse(self, blob):
     """Map each entry from ``self.gd_parser(blob)`` to one Relationship per mapper.

     Any exception ends processing early, is logged as a warning on
     ``self.log``, and the relationships gathered so far are still returned.
     """
     results = []
     try:
         for entry in self.gd_parser(blob):
             for mapper in self.mappers:
                 link = Relationship(source=(mapper.source, entry),
                                     edge=mapper.edge,
                                     target=(mapper.target, None))
                 results.append(link)
     except Exception as error:
         message = 'Get-Domain parser encountered an error - {}. Continuing...'.format(error)
         self.log.warning(message)
     return results
コード例 #9
ファイル: share_mounted.py プロジェクト: serksimper/stockpile
 def parse(self, blob):
     """Report the remote host once if the command output signals success.

     Lines are scanned until one contains the success message. When found, one
     Relationship per mapper is returned, with the source value taken from
     ``self._get_remote_host``; otherwise the result is empty.
     """
     succeeded = any('The command completed successfully.' in line for line in self.line(blob))
     if not succeeded:
         return []
     # This parser type yields at most one set of relationships, so scanning
     # stops at the first success line instead of emitting once per line.
     return [
         Relationship(source=(mapper.source, self._get_remote_host(mapper.source, self.used_facts)),
                      edge=mapper.edge,
                      target=(mapper.target, None))
         for mapper in self.mappers
     ]
コード例 #10
ファイル: bookmarks.py プロジェクト: serksimper/stockpile
 def _recurse(self, block, relationships, mapper, score=1):
     """Walk a bookmark tree and append one Relationship per entry that has a URL.

     Entries with ``children`` are descended into. Entries with ``url`` are
     emitted with the entry name as source value and the URL as target value,
     both passed through ``self.set_value``. Results are appended to
     ``relationships`` in place; nothing is returned.
     """
     for node in block:
         nested = node.get('children')
         if nested:
             # NOTE(review): score is an int passed by value and never returned,
             # so increments made deeper in the tree do not reach this level.
             self._recurse(nested, relationships, mapper, score)
             continue
         if not node.get('url'):
             continue
         src_value = self.set_value(mapper.source, node.get('name'), self.used_facts)
         dst_value = self.set_value(mapper.target, node.get('url'), self.used_facts)
         last_visit = node.get('meta_info', dict()).get('last_visited_desktop')
         if last_visit and int(last_visit) > score:
             score += 1
         link = Relationship(source=(mapper.source, src_value),
                             edge=mapper.edge,
                             target=(mapper.target, dst_value),
                             score=score)
         relationships.append(link)
コード例 #11
 def parse(self, blob):
     """Report the remote host once if ``self.ABILITY_SUCCESS_FLAG`` appears in the output.

     Lines are scanned until one contains the flag. When found, one
     Relationship per mapper is returned, with the source value taken from
     ``self._get_remote_host``; otherwise the result is empty.
     """
     for line in self.line(blob):
         if self.ABILITY_SUCCESS_FLAG not in line:
             continue
         # This parser type yields at most one set of relationships, so the
         # first matching line decides the result.
         return [
             Relationship(source=(mapper.source, self._get_remote_host(mapper.source, self.used_facts)),
                          edge=mapper.edge,
                          target=(mapper.target, None))
             for mapper in self.mappers
         ]
     return []
コード例 #12
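 def parse(self, blob):
     """Build Relationships for every valid IP address found in ``blob``.

     Each address from ``self.ip`` that passes ``self._is_valid_ip`` is offered
     to every mapper. A mapper that carries a ``whitelist`` attribute filters
     the address through ``self._whitelist_ip`` first; a falsy result means the
     address is not emitted for that mapper.
     """
     relationships = []
     for ip in self.ip(blob):
         if not self._is_valid_ip(ip):
             continue
         for mp in self.mappers:
             # Filter into a per-mapper name. Rebinding ``ip`` here would carry
             # one mapper's whitelist verdict into every later mapper, dropping
             # the address for mappers that never excluded it.
             candidate = ip
             if 'whitelist' in dir(mp):
                 candidate = self._whitelist_ip(ip, mp.whitelist)
             if candidate:
                 source = self.set_value(mp.source, candidate, self.used_facts)
                 target = self.set_value(mp.target, candidate, self.used_facts)
                 relationships.append(
                     Relationship(source=(mp.source, source),
                                  edge=mp.edge,
                                  target=(mp.target, target))
                 )
     return relationships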
コード例 #13
 def parse(self, blob):
     """Pair usernames with passwords from ``self.parse_katz(blob)`` output.

     Only the first entry of the ``self.parse_mode`` package is read for each
     match, and it is skipped when its password matches ``self.hash_check``.
     The emitted target value is the password as found, so the returned
     relationships hold cleartext secrets and should be stored and logged
     accordingly.

     Any exception ends processing early, is logged as a warning on
     ``self.log``, and the relationships gathered so far are still returned.
     """
     results = []
     try:
         for entry in self.parse_katz(blob):
             if self.parse_mode not in entry.packages:
                 continue
             first = entry.packages[self.parse_mode][0]
             if re.match(self.hash_check, first['Password']):
                 continue
             for mapper in self.mappers:
                 link = Relationship(source=(mapper.source, first['Username']),
                                     edge=mapper.edge,
                                     target=(mapper.target, first['Password']))
                 results.append(link)
     except Exception as error:
         message = 'Mimikatz parser encountered an error - {}. Continuing...'.format(error)
         self.log.warning(message)
     return results
コード例 #14
ファイル: json.py プロジェクト: rdminter/stockpile
 def parse(self, blob):
     """Extract values from JSON output and emit Relationships for them.

     ``self._load_json(blob)`` supplies the document; a ``None`` result yields
     no relationships. Every mapper needs a ``json_key`` attribute (mappers
     without one are skipped with a warning) and may carry ``json_type``, which
     is forwarded to ``self._get_vals_from_json`` or replaced by ``None``.
     """
     found = []
     document = self._load_json(blob)
     if document is None:
         return found
     for mapper in self.mappers:
         if 'json_key' not in dir(mapper):
             self.log.warning('JSON Parser not given a json_key, not parsing')
             continue
         if 'json_type' in dir(mapper):
             wanted_type = mapper.json_type
         else:
             wanted_type = None
         for value in self._get_vals_from_json(document, mapper.json_key, wanted_type):
             src_value = self.set_value(mapper.source, value, self.used_facts)
             dst_value = self.set_value(mapper.target, value, self.used_facts)
             link = Relationship(source=(mapper.source, src_value),
                                 edge=mapper.edge,
                                 target=(mapper.target, dst_value))
             found.append(link)
     return found
コード例 #15
ファイル: c_requirement.py プロジェクト: wau/caldera
 def from_json(cls, json):
     """Build an instance from a mapping with ``module`` and ``relationships`` keys.

     Each item of ``json['relationships']`` is converted with
     ``Relationship.from_json``. A missing key raises ``KeyError`` when ``json``
     is a dict.
     """
     parsed = []
     for entry in json['relationships']:
         parsed.append(Relationship.from_json(entry))
     return cls(module=json['module'], relationships=parsed)