def list(self) -> list: result = [] fetcher = self.exclude_mongo.find_all({}) for rule in fetcher: rule["_id"] = str(rule["_id"]) rule["add_time"] = datetime_to_utc(rule["add_time"]) rule["update_time"] = datetime_to_utc(rule["update_time"]) result.append(rule) return result
def list(self, activity_id: ObjectId, fields=None) -> list: result = [] fetcher = self.alert_mongo.find_all(query={ "activity_id": activity_id }, fields=fields) for each in fetcher: if "start_time" in each: each["start_time"] = datetime_to_utc(each["start_time"]) if "end_time" in each: each["end_time"] = datetime_to_utc(each["end_time"]) result.append(each) return result
def list_naive(self, invasion_id: ObjectId) -> list: query = {"invasion_id": invasion_id} search = self.activity_mongo.find_all(query) fetcher = search.sort("end_time", -1) result = [] for each in fetcher: each["start_time"] = datetime_to_utc(each["start_time"]) each["end_time"] = datetime_to_utc(each["end_time"]) each["desc_data"] = self._get_desc_data(each["_id"], each["description"]) result.append(each) return result
def list(self, data: dict) -> list: query = {} search = self.invasion_mongo.find_all(query) page = data["page"] start = (page - 1) * 10 fetcher = search.sort("end_time", -1).skip(start).limit(10) result = [] for each in fetcher: each["start_time"] = datetime_to_utc(each["start_time"]) each["end_time"] = datetime_to_utc(each["end_time"]) each["activity_list"] = self.activity.list_naive(each["_id"]) result.append(each) return result
def detail_user_data(self, name): result = {} fields = ["sAMAccountName", "objectSid", "userPrincipalName", "distinguishedName", "servicePrincipalName", "whenCreated", "userAccountControl", "memberOf", "manager", "directReports", "msDS-AllowedToDelegateTo", "cn"] entry = self.ldap.search_by_name(name, attributes=fields) if entry: for key, value in entry.entry_attributes_as_dict.items(): if len(value) == 0: result[key] = None continue elif key == "whenCreated": result[key] = datetime_to_utc(value[0]) elif key == "manager": m = get_cn_from_dn(value[0]) if m: result[key] = self.user_entry_data(m) else: result[key] = "" elif key == "userAccountControl": result[key] = self.uac_parser.parse_security(value[0]) result["is_disabled"] = self.uac_parser.has_one_flag(value[0], "ACCOUNT_DISABLE") elif key == "directReports": result[key] = self._multi_entry_data(value) elif key == "memberOf": result[key] = self._multi_entry_data(value) result["recursive_groups"] = self._get_recursive_groups(value) elif key == "servicePrincipalName" or key == "msDS-AllowedToDelegateTo": result[key] = value elif len(value) == 1: result[key] = value[0] else: result[key] = value return result
def group_entry_data(self, name): result = {"domain": self.domain} fields = ["description", "adminCount", "groupType", "member", "whenCreated", "sAMAccountName", "managedBy", "cn", "objectSid"] entry = self.ldap.search_by_name(name, attributes=fields) if entry: for key, value in entry.entry_attributes_as_dict.items(): if key == "whenCreated" or key == "whenChanged": result[key] = datetime_to_utc(value[0]) elif key == "adminCount": result["is_sensitive"] = self.group_is_sensitive(name, domain=self.domain, admin_count=value) elif key == "groupType": result["scope"], result["type"] = self.group_type_parser.parse(value[0]) elif key == "member": result["member_count"] = len(value) elif key == "objectSid": result["objectSid"] = value[0] elif key == "managedBy": if len(value) > 0: result["managedBy"] = get_cn_from_dn(value[0]) else: result["managedBy"] = "" elif len(value) == 1: result[key] = value[0] else: result[key] = value return result
def computer_entry_data(self, name): result = {} fields = [ "operatingSystem", "operatingSystemServicePack", "operatingSystemVersion", "sAMAccountName", "whenCreated", "cn", "objectSid", "lastLogonTimestamp", "distinguishedName", "adminCount" ] if not name.endswith("$"): name = name + "$" entry = self.ldap.search_by_name(name, attributes=fields) if entry: entry_attributes = entry.entry_attributes_as_dict result["is_sensitive"] = self.computer_is_sensitive( name=entry_attributes["cn"][0], domain=self.domain, admin_count=entry_attributes["adminCount"]) result[ "is_dc"] = True if name[:-1] in main_config.get_dc_name_list( get_netbios_domain(self.domain)) else False for key, value in entry.entry_attributes_as_dict.items(): if key == "whenCreated" or key == "lastLogonTimestamp": result[key] = datetime_to_utc(value[0]) elif len(value) == 1: result[key] = value[0] elif len(value) > 1: result[key] = "、".join(value) else: result[key] = "" return result
def related_list(self, data: dict) -> list: """ 查询实体相关威胁活动记录 """ if data["entry_type"] == "user": user_name = data["entry_name"] alert_query = { "domain": data["domain"], "$or": [{ "form_data.source_user_name": user_name }, { "form_data.target_user_name": user_name }] } elif data["entry_type"] == "computer": computer_name = data["entry_name"] alert_query = { "domain": data["domain"], "$or": [{ "form_data.source_workstation": computer_name }, { "dc_hostname": computer_name }, { "form_data.dc_hostname": computer_name }] } else: return [] activities_ids = self.alert.get_activity_ids_by_query(alert_query) activity_query = {"_id": {"$in": activities_ids}} search = self.activity_mongo.find_all(activity_query) fetcher = search.sort("end_time", -1) result = [] for each in fetcher: each["start_time"] = datetime_to_utc(each["start_time"]) each["end_time"] = datetime_to_utc(each["end_time"]) each["desc_data"] = self._get_desc_data(each["_id"], each["description"]) result.append(each) return result
def list(self, data: dict) -> list: """ 返回威胁活动列表 """ page = data["page"] del data["page"] query = self.get_filter_data(data) search = self.activity_mongo.find_all(query) start = (page - 1) * 10 fetcher = search.sort("end_time", -1).skip(start).limit(10) result = [] for each in fetcher: each["start_time"] = datetime_to_utc(each["start_time"]) each["end_time"] = datetime_to_utc(each["end_time"]) each["desc_data"] = self._get_desc_data(each["_id"], each["description"]) result.append(each) return result
def detail(self, _id) -> dict: activity_id = ObjectId(_id) query = {"_id": activity_id} result = self.activity_mongo.find_one(query) alerts = self.alert.list(activity_id) result["start_time"] = datetime_to_utc(result["start_time"]) result["end_time"] = datetime_to_utc(result["end_time"]) desc_data = self._get_desc_data(result["_id"], result["description"]) result["desc_data"] = desc_data result["alert_list"] = alerts graph_data = self._get_desc_data(result["_id"], result["description"], only_name=True) result["graph"] = graph_map[result["alert_code"]]( graph_data, second_name=result.get("second_name", None)) return result
def detail_computer_data(self, name): result = {} fields = [ "sAMAccountName", "objectSid", "distinguishedName", "whenCreated", "memberOf", "cn", "userAccountControl", "dNSHostName", "servicePrincipalName", "msDS-AllowedToActOnBehalfOfOtherIdentity" ] if not name.endswith("$"): name += "$" entry = self.ldap.search_by_name(name, attributes=fields) if entry: for key, value in entry.entry_attributes_as_dict.items(): if len(value) == 0: result[key] = None continue elif key == "whenCreated": result[key] = datetime_to_utc(value[0]) elif key == "memberOf": result[key] = self._multi_entry_data(value) elif key == "userAccountControl": result[key] = self.uac_parser.parse_security(value[0]) elif key == "msDS-AllowedToActOnBehalfOfOtherIdentity": sd = SR_SECURITY_DESCRIPTOR(value[0]) ace_list = [] for ace in sd["Dacl"].aces: ace_list.append({ "type_name": ace["TypeName"], "sid": ace['Ace']['Sid'].formatCanonical(), "user_name": self.ldap.search_by_sid( sid=ace['Ace']['Sid'].formatCanonical(), attributes=[ "sAMAccountName" ]).entry_attributes_as_dict["sAMAccountName"] [0] }) result[key] = ace_list elif len(value) == 1: result[key] = value[0] else: result[key] = value return result
def user_entry_data(self, name): result = {"domain": self.domain, "name": name} fields = [ "department", "displayName", "mail", "manager", "title", "whenCreated", "sAMAccountName", "objectSid", "description", "employeeNumber", "cn", "userAccountControl", "memberOf", "adminCount" ] entry = self.ldap.search_by_name(name, attributes=fields) if entry: entry_attributes = entry.entry_attributes_as_dict for key, value in entry_attributes.items(): if len(value) == 0: result[key] = "" continue elif key == "adminCount" or key == "memberOf": continue elif key == "whenCreated": result[key] = datetime_to_utc(value[0]) elif key == "manager": m = get_cn_from_dn(value[0]) if m: result[key] = m else: result[key] = "" elif key == "userAccountControl": result["is_disabled"] = self.uac_parser.has_one_flag( value[0], "ACCOUNT_DISABLE") elif key == "objectSid": result["objectSid"] = value[0] result["is_sensitive"] = self.user_is_sensitive( value[0], admin_count=entry_attributes["adminCount"], member_of=entry_attributes["memberOf"]) elif len(value) == 1: result[key] = value[0] elif len(value) > 1: result[key] = "、".join(value) else: result[key] = "" return result
def detail_group_data(self, name): result = {} fields = ["sAMAccountName", "objectSid", "distinguishedName", "whenCreated", "memberOf", "member", "cn"] entry = self.ldap.search_by_name(name, attributes=fields) if entry: for key, value in entry.entry_attributes_as_dict.items(): if len(value) == 0: result[key] = None continue elif key == "whenCreated": result[key] = datetime_to_utc(value[0]) elif key == "member": result[key] = self._multi_entry_data(value) elif key == "memberOf": result[key] = self._multi_entry_data(value) elif len(value) == 1: result[key] = value[0] else: result[key] = value result["userAccountControl"] = self.uac_parser.parse_security(0) return result
def _multi_entry_data(self, entry_list) -> list: result = [] if len(entry_list) == 0: return result condition = [] for entry in entry_list: cn = get_cn_from_dn(entry) cn = escape_ldap_filter(cn) condition.append("(CN={cn})".format(cn=cn)) if len(condition) >= 2: condition = "(|{cond})".format(cond="".join(condition)) else: condition = condition[0] entries = self.ldap.search_by_custom(condition, attributes=["department", "displayName", "mail", "manager", "title", "whenCreated", "sAMAccountName", "objectSid", "description", "employeeNumber", "cn", "adminCount", "userAccountControl", "adminCount", "memberOf", "groupType", "member", "managedBy", "objectClass", "distinguishedName", "operatingSystem", "operatingSystemServicePack", "operatingSystemVersion"]) if not entries: return result for entry in entries: temp = {"domain": self.domain} entry_attributes = entry.entry_attributes_as_dict if "computer" in entry_attributes["objectClass"]: temp["entry_type"] = "computer" temp["is_sensitive"] = self.computer_is_sensitive(name=entry_attributes["cn"][0], domain=self.domain, admin_count=entry_attributes["adminCount"]) elif "group" in entry_attributes["objectClass"]: temp["entry_type"] = "group" temp["is_sensitive"] = self.group_is_sensitive(name=entry_attributes["cn"][0], domain=self.domain, admin_count=entry_attributes["adminCount"]) temp["userAccountControl"] = self.uac_parser.parse_security(0) elif "user" in entry_attributes["objectClass"]: temp["entry_type"] = "user" temp["is_sensitive"] = self.user_is_sensitive(sid=entry_attributes["objectSid"][0], admin_count=entry_attributes["adminCount"], member_of=entry_attributes["memberOf"]) else: continue for key, value in entry_attributes.items(): if len(value) == 0: temp[key] = "" continue elif key == "adminCount" or key == "memberOf": continue elif key == "whenCreated": temp[key] = datetime_to_utc(value[0]) elif key == "manager": m = get_cn_from_dn(value[0]) if m: temp[key] = m else: temp[key] = "" elif key == "userAccountControl": temp["is_disabled"] = self.uac_parser.has_one_flag(value[0], "ACCOUNT_DISABLE") elif key == "groupType": temp["scope"], temp["type"] = self.group_type_parser.parse(value[0]) elif key == "member": temp["member_count"] = len(value) elif key == "managedBy": temp["managedBy"] = get_cn_from_dn(value[0]) elif len(value) == 1: temp[key] = value[0] elif len(value) > 1: temp[key] = "、".join(value) else: temp[key] = "" result.append(temp) return result