def test_antivirus_existence(process_list_json, monkey_guid): current_monkey = Monkey.get_single_monkey_by_guid(monkey_guid) process_list_event = Event.create_event( title="Process list", message="Monkey on {} scanned the process list".format( current_monkey.hostname), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_LOCAL) events = [process_list_event] av_processes = filter_av_processes(process_list_json["process_list"]) for process in av_processes: events.append( Event.create_event( title="Found AV process", message= "The process '{}' was recognized as an Anti Virus process. Process " "details: {}".format(process[1]['name'], json.dumps(process[1])), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_LOCAL)) if len(av_processes) > 0: test_status = zero_trust_consts.STATUS_PASSED else: test_status = zero_trust_consts.STATUS_FAILED AggregateFinding.create_or_add_to_existing( test=zero_trust_consts.TEST_ENDPOINT_SECURITY_EXISTS, status=test_status, events=events)
def test_machine_exploited(current_monkey, exploit_successful, exploiter, target_ip, timestamp): events = [ Event.create_event( title="Exploit attempt", message="Monkey on {} attempted to exploit {} using {}.".format( current_monkey.hostname, target_ip, exploiter), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK, timestamp=timestamp ) ] status = zero_trust_consts.STATUS_PASSED if exploit_successful: events.append( Event.create_event( title="Exploit success!", message="Monkey on {} successfully exploited {} using {}.".format( current_monkey.hostname, target_ip, exploiter), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK, timestamp=timestamp) ) status = zero_trust_consts.STATUS_FAILED AggregateFinding.create_or_add_to_existing( test=zero_trust_consts.TEST_MACHINE_EXPLOITED, status=status, events=events ) add_malicious_activity_to_timeline(events)
def test_open_data_endpoints(telemetry_json): services = telemetry_json["data"]["machine"]["services"] current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid']) found_http_server_status = zero_trust_consts.STATUS_PASSED found_elastic_search_server = zero_trust_consts.STATUS_PASSED events = [ Event.create_event( title="Scan Telemetry", message="Monkey on {} tried to perform a network scan, the target was {}.".format( current_monkey.hostname, telemetry_json["data"]["machine"]["ip_addr"]), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK, timestamp=telemetry_json["timestamp"] ) ] for service_name, service_data in list(services.items()): events.append(Event.create_event( title="Scan telemetry analysis", message="Scanned service: {}.".format(service_name), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK )) if service_name in HTTP_SERVERS_SERVICES_NAMES: found_http_server_status = zero_trust_consts.STATUS_FAILED events.append(Event.create_event( title="Scan telemetry analysis", message="Service {} on {} recognized as an open data endpoint! Service details: {}".format( service_data["display_name"], telemetry_json["data"]["machine"]["ip_addr"], json.dumps(service_data) ), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK )) if service_name == ES_SERVICE: found_elastic_search_server = zero_trust_consts.STATUS_FAILED events.append(Event.create_event( title="Scan telemetry analysis", message="Service {} on {} recognized as an open data endpoint! Service details: {}".format( service_data["display_name"], telemetry_json["data"]["machine"]["ip_addr"], json.dumps(service_data) ), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK )) AggregateFinding.create_or_add_to_existing( test=zero_trust_consts.TEST_DATA_ENDPOINT_HTTP, status=found_http_server_status, events=events ) AggregateFinding.create_or_add_to_existing( test=zero_trust_consts.TEST_DATA_ENDPOINT_ELASTIC, status=found_elastic_search_server, events=events ) add_malicious_activity_to_timeline(events)
def check_tunneling_violation(tunnel_telemetry_json): if tunnel_telemetry_json["data"]["proxy"] is not None: # Monkey is tunneling, create findings tunnel_host_ip = get_tunnel_host_ip_from_proxy_field( tunnel_telemetry_json) current_monkey = Monkey.get_single_monkey_by_guid( tunnel_telemetry_json["monkey_guid"]) tunneling_events = [ Event.create_event( title="Tunneling event", message="Monkey on {hostname} tunneled traffic through {proxy}." .format(hostname=current_monkey.hostname, proxy=tunnel_host_ip), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK, timestamp=tunnel_telemetry_json["timestamp"], ) ] MonkeyZTFindingService.create_or_add_to_existing( test=zero_trust_consts.TEST_TUNNELING, status=zero_trust_consts.STATUS_FAILED, events=tunneling_events, ) MonkeyZTFindingService.add_malicious_activity_to_timeline( tunneling_events)
def test_create_findings_for_all_done_pairs(self): self.fail_if_not_testing_env() self.clean_finding_db() all_subnets = [FIRST_SUBNET, SECOND_SUBNET, THIRD_SUBNET] monkey = Monkey(guid=str(uuid.uuid4()), ip_addresses=[FIRST_SUBNET]) # no findings self.assertEquals(len(Finding.objects(test=TEST_SEGMENTATION)), 0) # This is like the monkey is done and sent done telem create_or_add_findings_for_all_pairs(all_subnets, monkey) # There are 2 subnets in which the monkey is NOT self.assertEquals( len(Finding.objects(test=TEST_SEGMENTATION, status=STATUS_PASSED)), 2) # This is a monkey from 2nd subnet communicated with 1st subnet. SegmentationFinding.create_or_add_to_existing_finding( [FIRST_SUBNET, SECOND_SUBNET], STATUS_FAILED, Event.create_event(title="sdf", message="asd", event_type=EVENT_TYPE_MONKEY_NETWORK)) self.assertEquals( len(Finding.objects(test=TEST_SEGMENTATION, status=STATUS_PASSED)), 1) self.assertEquals( len(Finding.objects(test=TEST_SEGMENTATION, status=STATUS_FAILED)), 1) self.assertEquals(len(Finding.objects(test=TEST_SEGMENTATION)), 2)
def test_save_finding_sanity(self): assert len( Finding.objects(test=zero_trust_consts.TEST_SEGMENTATION)) == 0 event_example = Event.create_event( title="Event Title", message="event message", event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK, ) monkey_details_example = MonkeyFindingDetails() monkey_details_example.events.append(event_example) monkey_details_example.save() MonkeyFinding.save_finding( test=zero_trust_consts.TEST_SEGMENTATION, status=zero_trust_consts.STATUS_FAILED, detail_ref=monkey_details_example, ) assert len( MonkeyFinding.objects( test=zero_trust_consts.TEST_SEGMENTATION)) == 1 assert len( MonkeyFinding.objects(status=zero_trust_consts.STATUS_FAILED)) == 1 assert len( Finding.objects(status=zero_trust_consts.STATUS_FAILED)) == 1
def test_create_or_add_to_existing_2_tests_already_exist(self): self.fail_if_not_testing_env() self.clean_finding_db() test = zero_trust_consts.TEST_MALICIOUS_ACTIVITY_TIMELINE status = zero_trust_consts.STATUS_VERIFY event = Event.create_event("t", "t", zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK) events = [event] self.assertEqual(len(Finding.objects(test=test, status=status)), 0) Finding.save_finding(test, status, events) self.assertEqual(len(Finding.objects(test=test, status=status)), 1) self.assertEqual( len(Finding.objects(test=test, status=status)[0].events), 1) AggregateFinding.create_or_add_to_existing(test, status, events) self.assertEqual(len(Finding.objects(test=test, status=status)), 1) self.assertEqual( len(Finding.objects(test=test, status=status)[0].events), 2) Finding.save_finding(test, status, events) self.assertEqual(len(Finding.objects(test=test, status=status)), 2) with self.assertRaises(AssertionError): AggregateFinding.create_or_add_to_existing(test, status, events)
def get_segmentation_done_event(current_monkey, subnet_pair): return Event.create_event(title="Segmentation test done", message=SEGMENTATION_DONE_EVENT_TEXT.format( hostname=current_monkey.hostname, src_seg=subnet_pair[0], dst_seg=subnet_pair[1]), event_type=EVENT_TYPE_MONKEY_NETWORK)
def get_result_event(current_monkey, message, success): message_format = COMM_AS_NEW_USER_SUCCEEDED_FORMAT if success else COMM_AS_NEW_USER_FAILED_FORMAT return Event.create_event( title="Communicate as new user", message=message_format.format(current_monkey.hostname, message), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK)
def get_attempt_event(current_monkey): tried_to_communicate_event = Event.create_event( title="Communicate as new user", message= "Monkey on {} tried to create a new user and communicate from it.". format(current_monkey.hostname), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK) return tried_to_communicate_event
def test_create_event(self): with pytest.raises(ValidationError): _ = Event.create_event( title=None, # title required message="bla bla", event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK) with pytest.raises(ValidationError): _ = Event.create_event( title="skjs", message="bla bla", event_type="Unknown" # Unknown event type ) # Assert that nothing is raised. _ = Event.create_event( title="skjs", message="bla bla", event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK)
def test_save_finding_sanity(self): self.fail_if_not_testing_env() self.clean_finding_db() self.assertEquals(len(Finding.objects(test=TEST_SEGMENTATION)), 0) event_example = Event.create_event( title="Event Title", message="event message", event_type=EVENT_TYPE_MONKEY_NETWORK) Finding.save_finding(test=TEST_SEGMENTATION, status=STATUS_FAILED, events=[event_example]) self.assertEquals(len(Finding.objects(test=TEST_SEGMENTATION)), 1) self.assertEquals(len(Finding.objects(status=STATUS_FAILED)), 1)
def test_create_event(self): self.fail_if_not_testing_env() self.clean_finding_db() with self.assertRaises(ValidationError): _ = Event.create_event( title=None, # title required message="bla bla", event_type=EVENT_TYPE_MONKEY_NETWORK) with self.assertRaises(ValidationError): _ = Event.create_event( title="skjs", message="bla bla", event_type="Unknown" # Unknown event type ) # Assert that nothing is raised. _ = Event.create_event(title="skjs", message="bla bla", event_type=EVENT_TYPE_MONKEY_NETWORK)
def get_segmentation_violation_event(current_monkey, source_subnet, target_ip, target_subnet): return Event.create_event( title="Segmentation event", message=SEGMENTATION_VIOLATION_EVENT_TEXT.format( hostname=current_monkey.hostname, source_ip=get_ip_if_in_subnet( current_monkey.ip_addresses, NetworkRange.get_range_obj(source_subnet)), source_seg=source_subnet, target_ip=target_ip, target_seg=target_subnet), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK)
def test_create_or_add_to_existing_finding(self): self.fail_if_not_testing_env() self.clean_finding_db() first_segment = "1.1.1.0/24" second_segment = "2.2.2.0-2.2.2.254" third_segment = "3.3.3.3" event = Event.create_event("bla", "bla", zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK) SegmentationFinding.create_or_add_to_existing_finding( subnets=[first_segment, second_segment], status=zero_trust_consts.STATUS_FAILED, segmentation_event=event) self.assertEqual(len(SegmentationFinding.objects()), 1) self.assertEqual(len(SegmentationFinding.objects()[0].events), 1) SegmentationFinding.create_or_add_to_existing_finding( # !!! REVERSE ORDER subnets=[second_segment, first_segment], status=zero_trust_consts.STATUS_FAILED, segmentation_event=event) self.assertEqual(len(SegmentationFinding.objects()), 1) self.assertEqual(len(SegmentationFinding.objects()[0].events), 2) SegmentationFinding.create_or_add_to_existing_finding( # !!! REVERSE ORDER subnets=[first_segment, third_segment], status=zero_trust_consts.STATUS_FAILED, segmentation_event=event) self.assertEqual(len(SegmentationFinding.objects()), 2) SegmentationFinding.create_or_add_to_existing_finding( # !!! REVERSE ORDER subnets=[second_segment, third_segment], status=zero_trust_consts.STATUS_FAILED, segmentation_event=event) self.assertEqual(len(SegmentationFinding.objects()), 3)
def test_create_or_add_to_existing(self): self.fail_if_not_testing_env() self.clean_finding_db() test = TEST_MALICIOUS_ACTIVITY_TIMELINE status = STATUS_VERIFY events = [Event.create_event("t", "t", EVENT_TYPE_MONKEY_NETWORK)] self.assertEquals(len(Finding.objects(test=test, status=status)), 0) AggregateFinding.create_or_add_to_existing(test, status, events) self.assertEquals(len(Finding.objects(test=test, status=status)), 1) self.assertEquals( len(Finding.objects(test=test, status=status)[0].events), 1) AggregateFinding.create_or_add_to_existing(test, status, events) self.assertEquals(len(Finding.objects(test=test, status=status)), 1) self.assertEquals( len(Finding.objects(test=test, status=status)[0].events), 2)
def test_tunneling_violation(tunnel_telemetry_json): if tunnel_telemetry_json['data']['proxy'] is not None: # Monkey is tunneling, create findings tunnel_host_ip = get_tunnel_host_ip_from_proxy_field( tunnel_telemetry_json) current_monkey = Monkey.get_single_monkey_by_guid( tunnel_telemetry_json['monkey_guid']) tunneling_events = [ Event.create_event( title="Tunneling event", message="Monkey on {hostname} tunneled traffic through {proxy}." .format(hostname=current_monkey.hostname, proxy=tunnel_host_ip), event_type=EVENT_TYPE_MONKEY_NETWORK, timestamp=tunnel_telemetry_json['timestamp']) ] AggregateFinding.create_or_add_to_existing(test=TEST_TUNNELING, status=STATUS_FAILED, events=tunneling_events) add_malicious_activity_to_timeline(tunneling_events)
from datetime import datetime import pytest from common.common_consts import zero_trust_consts from monkey_island.cc.models.zero_trust.event import Event from monkey_island.cc.models.zero_trust.finding import Finding from monkey_island.cc.models.zero_trust.monkey_finding import MonkeyFinding from monkey_island.cc.services.zero_trust.monkey_findings.monkey_zt_finding_service import ( MonkeyZTFindingService, ) EVENTS = [ Event.create_event( title="Process list", message="Monkey on gc-pc-244 scanned the process list", event_type="monkey_local", timestamp=datetime.strptime("2021-01-19 12:07:17.802138", "%Y-%m-%d %H:%M:%S.%f"), ), Event.create_event( title="Communicate as new user", message="Monkey on gc-pc-244 couldn't communicate as new user. " "Details: System error 5 has occurred. Access is denied.", event_type="monkey_network", timestamp=datetime.strptime("2021-01-19 12:22:42.246020", "%Y-%m-%d %H:%M:%S.%f"), ), ] TESTS = [ zero_trust_consts.TEST_ENDPOINT_SECURITY_EXISTS,
from datetime import datetime import pytest from common.common_consts import zero_trust_consts from monkey_island.cc.models.zero_trust.event import Event from monkey_island.cc.models.zero_trust.finding import Finding from monkey_island.cc.models.zero_trust.monkey_finding import MonkeyFinding from monkey_island.cc.services.zero_trust.monkey_findings.monkey_zt_finding_service import MonkeyZTFindingService from monkey_island.cc.test_common.fixtures import FixtureEnum EVENTS = [ Event.create_event( title='Process list', message='Monkey on gc-pc-244 scanned the process list', event_type='monkey_local', timestamp=datetime.strptime('2021-01-19 12:07:17.802138', '%Y-%m-%d %H:%M:%S.%f') ), Event.create_event( title='Communicate as new user', message='Monkey on gc-pc-244 couldn\'t communicate as new user. ' 'Details: System error 5 has occurred. Access is denied.', event_type='monkey_network', timestamp=datetime.strptime('2021-01-19 12:22:42.246020', '%Y-%m-%d %H:%M:%S.%f') ) ] TESTS = [ zero_trust_consts.TEST_ENDPOINT_SECURITY_EXISTS, zero_trust_consts.TEST_COMMUNICATE_AS_NEW_USER ]