def list(self) -> list:
result = []
fetcher = self.exclude_mongo.find_all({})
for rule in fetcher:
rule["_id"] = str(rule["_id"])
rule["add_time"] = datetime_to_utc(rule["add_time"])
rule["update_time"] = datetime_to_utc(rule["update_time"])
result.append(rule)
return result
def list(self, activity_id: ObjectId, fields=None) -> list:
result = []
fetcher = self.alert_mongo.find_all(query={
"activity_id": activity_id
}, fields=fields)
for each in fetcher:
if "start_time" in each:
each["start_time"] = datetime_to_utc(each["start_time"])
if "end_time" in each:
each["end_time"] = datetime_to_utc(each["end_time"])
result.append(each)
return result
def list_naive(self, invasion_id: ObjectId) -> list:
query = {"invasion_id": invasion_id}
search = self.activity_mongo.find_all(query)
fetcher = search.sort("end_time", -1)
result = []
for each in fetcher:
each["start_time"] = datetime_to_utc(each["start_time"])
each["end_time"] = datetime_to_utc(each["end_time"])
each["desc_data"] = self._get_desc_data(each["_id"],
each["description"])
result.append(each)
return result
def list(self, data: dict) -> list:
query = {}
search = self.invasion_mongo.find_all(query)
page = data["page"]
start = (page - 1) * 10
fetcher = search.sort("end_time", -1).skip(start).limit(10)
result = []
for each in fetcher:
each["start_time"] = datetime_to_utc(each["start_time"])
each["end_time"] = datetime_to_utc(each["end_time"])
each["activity_list"] = self.activity.list_naive(each["_id"])
result.append(each)
return result
def detail_user_data(self, name):
result = {}
fields = ["sAMAccountName", "objectSid", "userPrincipalName", "distinguishedName", "servicePrincipalName",
"whenCreated", "userAccountControl", "memberOf", "manager", "directReports",
"msDS-AllowedToDelegateTo", "cn"]
entry = self.ldap.search_by_name(name, attributes=fields)
if entry:
for key, value in entry.entry_attributes_as_dict.items():
if len(value) == 0:
result[key] = None
continue
elif key == "whenCreated":
result[key] = datetime_to_utc(value[0])
elif key == "manager":
m = get_cn_from_dn(value[0])
if m:
result[key] = self.user_entry_data(m)
else:
result[key] = ""
elif key == "userAccountControl":
result[key] = self.uac_parser.parse_security(value[0])
result["is_disabled"] = self.uac_parser.has_one_flag(value[0], "ACCOUNT_DISABLE")
elif key == "directReports":
result[key] = self._multi_entry_data(value)
elif key == "memberOf":
result[key] = self._multi_entry_data(value)
result["recursive_groups"] = self._get_recursive_groups(value)
elif key == "servicePrincipalName" or key == "msDS-AllowedToDelegateTo":
result[key] = value
elif len(value) == 1:
result[key] = value[0]
else:
result[key] = value
return result
def group_entry_data(self, name):
result = {"domain": self.domain}
fields = ["description", "adminCount", "groupType", "member", "whenCreated", "sAMAccountName", "managedBy",
"cn", "objectSid"]
entry = self.ldap.search_by_name(name, attributes=fields)
if entry:
for key, value in entry.entry_attributes_as_dict.items():
if key == "whenCreated" or key == "whenChanged":
result[key] = datetime_to_utc(value[0])
elif key == "adminCount":
result["is_sensitive"] = self.group_is_sensitive(name, domain=self.domain, admin_count=value)
elif key == "groupType":
result["scope"], result["type"] = self.group_type_parser.parse(value[0])
elif key == "member":
result["member_count"] = len(value)
elif key == "objectSid":
result["objectSid"] = value[0]
elif key == "managedBy":
if len(value) > 0:
result["managedBy"] = get_cn_from_dn(value[0])
else:
result["managedBy"] = ""
elif len(value) == 1:
result[key] = value[0]
else:
result[key] = value
return result
def computer_entry_data(self, name):
result = {}
fields = [
"operatingSystem", "operatingSystemServicePack",
"operatingSystemVersion", "sAMAccountName", "whenCreated", "cn",
"objectSid", "lastLogonTimestamp", "distinguishedName",
"adminCount"
]
if not name.endswith("$"):
name = name + "$"
entry = self.ldap.search_by_name(name, attributes=fields)
if entry:
entry_attributes = entry.entry_attributes_as_dict
result["is_sensitive"] = self.computer_is_sensitive(
name=entry_attributes["cn"][0],
domain=self.domain,
admin_count=entry_attributes["adminCount"])
result[
"is_dc"] = True if name[:-1] in main_config.get_dc_name_list(
get_netbios_domain(self.domain)) else False
for key, value in entry.entry_attributes_as_dict.items():
if key == "whenCreated" or key == "lastLogonTimestamp":
result[key] = datetime_to_utc(value[0])
elif len(value) == 1:
result[key] = value[0]
elif len(value) > 1:
result[key] = "、".join(value)
else:
result[key] = ""
return result
def related_list(self, data: dict) -> list:
"""
查询实体相关威胁活动记录
"""
if data["entry_type"] == "user":
user_name = data["entry_name"]
alert_query = {
"domain":
data["domain"],
"$or": [{
"form_data.source_user_name": user_name
}, {
"form_data.target_user_name": user_name
}]
}
elif data["entry_type"] == "computer":
computer_name = data["entry_name"]
alert_query = {
"domain":
data["domain"],
"$or": [{
"form_data.source_workstation": computer_name
}, {
"dc_hostname": computer_name
}, {
"form_data.dc_hostname": computer_name
}]
}
else:
return []
activities_ids = self.alert.get_activity_ids_by_query(alert_query)
activity_query = {"_id": {"$in": activities_ids}}
search = self.activity_mongo.find_all(activity_query)
fetcher = search.sort("end_time", -1)
result = []
for each in fetcher:
each["start_time"] = datetime_to_utc(each["start_time"])
each["end_time"] = datetime_to_utc(each["end_time"])
each["desc_data"] = self._get_desc_data(each["_id"],
each["description"])
result.append(each)
return result
def list(self, data: dict) -> list:
"""
返回威胁活动列表
"""
page = data["page"]
del data["page"]
query = self.get_filter_data(data)
search = self.activity_mongo.find_all(query)
start = (page - 1) * 10
fetcher = search.sort("end_time", -1).skip(start).limit(10)
result = []
for each in fetcher:
each["start_time"] = datetime_to_utc(each["start_time"])
each["end_time"] = datetime_to_utc(each["end_time"])
each["desc_data"] = self._get_desc_data(each["_id"],
each["description"])
result.append(each)
return result
def detail(self, _id) -> dict:
activity_id = ObjectId(_id)
query = {"_id": activity_id}
result = self.activity_mongo.find_one(query)
alerts = self.alert.list(activity_id)
result["start_time"] = datetime_to_utc(result["start_time"])
result["end_time"] = datetime_to_utc(result["end_time"])
desc_data = self._get_desc_data(result["_id"], result["description"])
result["desc_data"] = desc_data
result["alert_list"] = alerts
graph_data = self._get_desc_data(result["_id"],
result["description"],
only_name=True)
result["graph"] = graph_map[result["alert_code"]](
graph_data, second_name=result.get("second_name", None))
return result
def detail_computer_data(self, name):
result = {}
fields = [
"sAMAccountName", "objectSid", "distinguishedName", "whenCreated",
"memberOf", "cn", "userAccountControl", "dNSHostName",
"servicePrincipalName", "msDS-AllowedToActOnBehalfOfOtherIdentity"
]
if not name.endswith("$"):
name += "$"
entry = self.ldap.search_by_name(name, attributes=fields)
if entry:
for key, value in entry.entry_attributes_as_dict.items():
if len(value) == 0:
result[key] = None
continue
elif key == "whenCreated":
result[key] = datetime_to_utc(value[0])
elif key == "memberOf":
result[key] = self._multi_entry_data(value)
elif key == "userAccountControl":
result[key] = self.uac_parser.parse_security(value[0])
elif key == "msDS-AllowedToActOnBehalfOfOtherIdentity":
sd = SR_SECURITY_DESCRIPTOR(value[0])
ace_list = []
for ace in sd["Dacl"].aces:
ace_list.append({
"type_name":
ace["TypeName"],
"sid":
ace['Ace']['Sid'].formatCanonical(),
"user_name":
self.ldap.search_by_sid(
sid=ace['Ace']['Sid'].formatCanonical(),
attributes=[
"sAMAccountName"
]).entry_attributes_as_dict["sAMAccountName"]
[0]
})
result[key] = ace_list
elif len(value) == 1:
result[key] = value[0]
else:
result[key] = value
return result
def user_entry_data(self, name):
result = {"domain": self.domain, "name": name}
fields = [
"department", "displayName", "mail", "manager", "title",
"whenCreated", "sAMAccountName", "objectSid", "description",
"employeeNumber", "cn", "userAccountControl", "memberOf",
"adminCount"
]
entry = self.ldap.search_by_name(name, attributes=fields)
if entry:
entry_attributes = entry.entry_attributes_as_dict
for key, value in entry_attributes.items():
if len(value) == 0:
result[key] = ""
continue
elif key == "adminCount" or key == "memberOf":
continue
elif key == "whenCreated":
result[key] = datetime_to_utc(value[0])
elif key == "manager":
m = get_cn_from_dn(value[0])
if m:
result[key] = m
else:
result[key] = ""
elif key == "userAccountControl":
result["is_disabled"] = self.uac_parser.has_one_flag(
value[0], "ACCOUNT_DISABLE")
elif key == "objectSid":
result["objectSid"] = value[0]
result["is_sensitive"] = self.user_is_sensitive(
value[0],
admin_count=entry_attributes["adminCount"],
member_of=entry_attributes["memberOf"])
elif len(value) == 1:
result[key] = value[0]
elif len(value) > 1:
result[key] = "、".join(value)
else:
result[key] = ""
return result
def detail_group_data(self, name):
result = {}
fields = ["sAMAccountName", "objectSid", "distinguishedName", "whenCreated", "memberOf", "member", "cn"]
entry = self.ldap.search_by_name(name, attributes=fields)
if entry:
for key, value in entry.entry_attributes_as_dict.items():
if len(value) == 0:
result[key] = None
continue
elif key == "whenCreated":
result[key] = datetime_to_utc(value[0])
elif key == "member":
result[key] = self._multi_entry_data(value)
elif key == "memberOf":
result[key] = self._multi_entry_data(value)
elif len(value) == 1:
result[key] = value[0]
else:
result[key] = value
result["userAccountControl"] = self.uac_parser.parse_security(0)
return result
def _multi_entry_data(self, entry_list) -> list:
result = []
if len(entry_list) == 0:
return result
condition = []
for entry in entry_list:
cn = get_cn_from_dn(entry)
cn = escape_ldap_filter(cn)
condition.append("(CN={cn})".format(cn=cn))
if len(condition) >= 2:
condition = "(|{cond})".format(cond="".join(condition))
else:
condition = condition[0]
entries = self.ldap.search_by_custom(condition, attributes=["department", "displayName", "mail", "manager",
"title", "whenCreated", "sAMAccountName", "objectSid",
"description", "employeeNumber", "cn", "adminCount",
"userAccountControl", "adminCount", "memberOf",
"groupType", "member", "managedBy", "objectClass",
"distinguishedName", "operatingSystem",
"operatingSystemServicePack",
"operatingSystemVersion"])
if not entries:
return result
for entry in entries:
temp = {"domain": self.domain}
entry_attributes = entry.entry_attributes_as_dict
if "computer" in entry_attributes["objectClass"]:
temp["entry_type"] = "computer"
temp["is_sensitive"] = self.computer_is_sensitive(name=entry_attributes["cn"][0],
domain=self.domain,
admin_count=entry_attributes["adminCount"])
elif "group" in entry_attributes["objectClass"]:
temp["entry_type"] = "group"
temp["is_sensitive"] = self.group_is_sensitive(name=entry_attributes["cn"][0],
domain=self.domain,
admin_count=entry_attributes["adminCount"])
temp["userAccountControl"] = self.uac_parser.parse_security(0)
elif "user" in entry_attributes["objectClass"]:
temp["entry_type"] = "user"
temp["is_sensitive"] = self.user_is_sensitive(sid=entry_attributes["objectSid"][0],
admin_count=entry_attributes["adminCount"],
member_of=entry_attributes["memberOf"])
else:
continue
for key, value in entry_attributes.items():
if len(value) == 0:
temp[key] = ""
continue
elif key == "adminCount" or key == "memberOf":
continue
elif key == "whenCreated":
temp[key] = datetime_to_utc(value[0])
elif key == "manager":
m = get_cn_from_dn(value[0])
if m:
temp[key] = m
else:
temp[key] = ""
elif key == "userAccountControl":
temp["is_disabled"] = self.uac_parser.has_one_flag(value[0], "ACCOUNT_DISABLE")
elif key == "groupType":
temp["scope"], temp["type"] = self.group_type_parser.parse(value[0])
elif key == "member":
temp["member_count"] = len(value)
elif key == "managedBy":
temp["managedBy"] = get_cn_from_dn(value[0])
elif len(value) == 1:
temp[key] = value[0]
elif len(value) > 1:
temp[key] = "、".join(value)
else:
temp[key] = ""
result.append(temp)
return result