def check_tunneling_violation(tunnel_telemetry_json):
if tunnel_telemetry_json["data"]["proxy"] is not None:
# Monkey is tunneling, create findings
tunnel_host_ip = get_tunnel_host_ip_from_proxy_field(
tunnel_telemetry_json)
current_monkey = Monkey.get_single_monkey_by_guid(
tunnel_telemetry_json["monkey_guid"])
tunneling_events = [
Event.create_event(
title="Tunneling event",
message="Monkey on {hostname} tunneled traffic through {proxy}."
.format(hostname=current_monkey.hostname,
proxy=tunnel_host_ip),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK,
timestamp=tunnel_telemetry_json["timestamp"],
)
]
MonkeyZTFindingService.create_or_add_to_existing(
test=zero_trust_consts.TEST_TUNNELING,
status=zero_trust_consts.STATUS_FAILED,
events=tunneling_events,
)
MonkeyZTFindingService.add_malicious_activity_to_timeline(
tunneling_events)
def test_antivirus_existence(process_list_json, monkey_guid):
current_monkey = Monkey.get_single_monkey_by_guid(monkey_guid)
process_list_event = Event.create_event(
title="Process list",
message="Monkey on {} scanned the process list".format(
current_monkey.hostname),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_LOCAL)
events = [process_list_event]
av_processes = filter_av_processes(process_list_json["process_list"])
for process in av_processes:
events.append(
Event.create_event(
title="Found AV process",
message=
"The process '{}' was recognized as an Anti Virus process. Process "
"details: {}".format(process[1]['name'],
json.dumps(process[1])),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_LOCAL))
if len(av_processes) > 0:
test_status = zero_trust_consts.STATUS_PASSED
else:
test_status = zero_trust_consts.STATUS_FAILED
AggregateFinding.create_or_add_to_existing(
test=zero_trust_consts.TEST_ENDPOINT_SECURITY_EXISTS,
status=test_status,
events=events)
def test_dispatch_to_relevant_collector(self):
self.fail_if_not_testing_env()
self.clean_monkey_db()
a_monkey = Monkey(guid=str(uuid.uuid4()))
a_monkey.save()
dispatcher = SystemInfoTelemetryDispatcher()
# JSON with results - make sure functions are called
instance_id = "i-0bd2c14bd4c7d703f"
telem_json = {
"data": {
"collectors": {
"AwsCollector": {
"instance_id": instance_id
},
}
},
"monkey_guid": a_monkey.guid
}
dispatcher.dispatch_collector_results_to_relevant_processors(
telem_json)
self.assertEquals(
Monkey.get_single_monkey_by_guid(a_monkey.guid).aws_instance_id,
instance_id)
def test_open_data_endpoints(telemetry_json):
services = telemetry_json["data"]["machine"]["services"]
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
found_http_server_status = zero_trust_consts.STATUS_PASSED
found_elastic_search_server = zero_trust_consts.STATUS_PASSED
events = [
Event.create_event(
title="Scan Telemetry",
message="Monkey on {} tried to perform a network scan, the target was {}.".format(
current_monkey.hostname,
telemetry_json["data"]["machine"]["ip_addr"]),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK,
timestamp=telemetry_json["timestamp"]
)
]
for service_name, service_data in list(services.items()):
events.append(Event.create_event(
title="Scan telemetry analysis",
message="Scanned service: {}.".format(service_name),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
))
if service_name in HTTP_SERVERS_SERVICES_NAMES:
found_http_server_status = zero_trust_consts.STATUS_FAILED
events.append(Event.create_event(
title="Scan telemetry analysis",
message="Service {} on {} recognized as an open data endpoint! Service details: {}".format(
service_data["display_name"],
telemetry_json["data"]["machine"]["ip_addr"],
json.dumps(service_data)
),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
))
if service_name == ES_SERVICE:
found_elastic_search_server = zero_trust_consts.STATUS_FAILED
events.append(Event.create_event(
title="Scan telemetry analysis",
message="Service {} on {} recognized as an open data endpoint! Service details: {}".format(
service_data["display_name"],
telemetry_json["data"]["machine"]["ip_addr"],
json.dumps(service_data)
),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK
))
AggregateFinding.create_or_add_to_existing(
test=zero_trust_consts.TEST_DATA_ENDPOINT_HTTP,
status=found_http_server_status,
events=events
)
AggregateFinding.create_or_add_to_existing(
test=zero_trust_consts.TEST_DATA_ENDPOINT_ELASTIC,
status=found_elastic_search_server,
events=events
)
add_malicious_activity_to_timeline(events)
def process_scan_telemetry(telemetry_json):
update_edges_and_nodes_based_on_scan_telemetry(telemetry_json)
test_open_data_endpoints(telemetry_json)
current_monkey = Monkey.get_single_monkey_by_guid(
telemetry_json['monkey_guid'])
target_ip = telemetry_json['data']['machine']['ip_addr']
test_segmentation_violation(current_monkey, target_ip)
def process_scan_telemetry(telemetry_json):
update_edges_and_nodes_based_on_scan_telemetry(telemetry_json)
check_open_data_endpoints(telemetry_json)
current_monkey = Monkey.get_single_monkey_by_guid(
telemetry_json["monkey_guid"])
target_ip = telemetry_json["data"]["machine"]["ip_addr"]
check_segmentation_violation(current_monkey, target_ip)
def process_exploit_telemetry(telemetry_json):
encrypt_exploit_creds(telemetry_json)
edge = get_edge_by_scan_or_exploit_telemetry(telemetry_json)
update_network_with_exploit(edge, telemetry_json)
update_node_credentials_from_successful_attempts(edge, telemetry_json)
test_machine_exploited(
current_monkey=Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid']),
exploit_successful=telemetry_json['data']['result'],
exploiter=telemetry_json['data']['exploiter'],
target_ip=telemetry_json['data']['machine']['ip_addr'],
timestamp=telemetry_json['timestamp'])
def process_state_telemetry(telemetry_json):
monkey = NodeService.get_monkey_by_guid(telemetry_json['monkey_guid'])
NodeService.add_communication_info(
monkey, telemetry_json['command_control_channel'])
if telemetry_json['data']['done']:
NodeService.set_monkey_dead(monkey, True)
else:
NodeService.set_monkey_dead(monkey, False)
if telemetry_json['data']['done']:
current_monkey = Monkey.get_single_monkey_by_guid(
telemetry_json['monkey_guid'])
test_passed_findings_for_unreached_segments(current_monkey)
def process_exploit_telemetry(telemetry_json):
encrypt_exploit_creds(telemetry_json)
edge = get_edge_by_scan_or_exploit_telemetry(telemetry_json)
update_network_with_exploit(edge, telemetry_json)
update_node_credentials_from_successful_attempts(edge, telemetry_json)
add_exploit_extracted_creds_to_config(telemetry_json)
check_machine_exploited(
current_monkey=Monkey.get_single_monkey_by_guid(
telemetry_json["monkey_guid"]),
exploit_successful=telemetry_json["data"]["result"],
exploiter=telemetry_json["data"]["exploiter"],
target_ip=telemetry_json["data"]["machine"]["ip_addr"],
timestamp=telemetry_json["timestamp"],
)
def process_state_telemetry(telemetry_json):
monkey = NodeService.get_monkey_by_guid(telemetry_json["monkey_guid"])
NodeService.add_communication_info(
monkey, telemetry_json["command_control_channel"])
if telemetry_json["data"]["done"]:
NodeService.set_monkey_dead(monkey, True)
else:
NodeService.set_monkey_dead(monkey, False)
if telemetry_json["data"]["done"]:
current_monkey = Monkey.get_single_monkey_by_guid(
telemetry_json["monkey_guid"])
check_passed_findings_for_unreached_segments(current_monkey)
if telemetry_json["data"]["version"]:
logger.info(f"monkey {telemetry_json['monkey_guid']} has version "
f"{telemetry_json['data']['version']}")
def test_process_environment_telemetry(self):
# Arrange
monkey_guid = str(uuid.uuid4())
a_monkey = Monkey(guid=monkey_guid)
a_monkey.save()
dispatcher = SystemInfoTelemetryDispatcher()
on_premise = "On Premise"
telem_json = {
"data": {
"collectors": {
"EnvironmentCollector": {"environment": on_premise},
}
},
"monkey_guid": monkey_guid
}
dispatcher.dispatch_collector_results_to_relevant_processors(telem_json)
assert Monkey.get_single_monkey_by_guid(monkey_guid).environment == on_premise
def test_tunneling_violation(tunnel_telemetry_json):
if tunnel_telemetry_json['data']['proxy'] is not None:
# Monkey is tunneling, create findings
tunnel_host_ip = get_tunnel_host_ip_from_proxy_field(
tunnel_telemetry_json)
current_monkey = Monkey.get_single_monkey_by_guid(
tunnel_telemetry_json['monkey_guid'])
tunneling_events = [
Event.create_event(
title="Tunneling event",
message="Monkey on {hostname} tunneled traffic through {proxy}."
.format(hostname=current_monkey.hostname,
proxy=tunnel_host_ip),
event_type=EVENT_TYPE_MONKEY_NETWORK,
timestamp=tunnel_telemetry_json['timestamp'])
]
AggregateFinding.create_or_add_to_existing(test=TEST_TUNNELING,
status=STATUS_FAILED,
events=tunneling_events)
add_malicious_activity_to_timeline(tunneling_events)
def process_communicate_as_new_user_telemetry(telemetry_json):
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
message = telemetry_json['data']['result'][0]
success = telemetry_json['data']['result'][1]
test_new_user_communication(current_monkey, success, message)
def process_communicate_as_backdoor_user_telemetry(telemetry_json):
current_monkey = Monkey.get_single_monkey_by_guid(
telemetry_json["monkey_guid"])
message = telemetry_json["data"]["result"][0]
success = telemetry_json["data"]["result"][1]
check_new_user_communication(current_monkey, success, message)
def update_db_with_new_hostname(telemetry_json):
Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid']).set_hostname(telemetry_json['data']['hostname'])
