def check_tunneling_violation(tunnel_telemetry_json): if tunnel_telemetry_json["data"]["proxy"] is not None: # Monkey is tunneling, create findings tunnel_host_ip = get_tunnel_host_ip_from_proxy_field( tunnel_telemetry_json) current_monkey = Monkey.get_single_monkey_by_guid( tunnel_telemetry_json["monkey_guid"]) tunneling_events = [ Event.create_event( title="Tunneling event", message="Monkey on {hostname} tunneled traffic through {proxy}." .format(hostname=current_monkey.hostname, proxy=tunnel_host_ip), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK, timestamp=tunnel_telemetry_json["timestamp"], ) ] MonkeyZTFindingService.create_or_add_to_existing( test=zero_trust_consts.TEST_TUNNELING, status=zero_trust_consts.STATUS_FAILED, events=tunneling_events, ) MonkeyZTFindingService.add_malicious_activity_to_timeline( tunneling_events)
def test_antivirus_existence(process_list_json, monkey_guid): current_monkey = Monkey.get_single_monkey_by_guid(monkey_guid) process_list_event = Event.create_event( title="Process list", message="Monkey on {} scanned the process list".format( current_monkey.hostname), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_LOCAL) events = [process_list_event] av_processes = filter_av_processes(process_list_json["process_list"]) for process in av_processes: events.append( Event.create_event( title="Found AV process", message= "The process '{}' was recognized as an Anti Virus process. Process " "details: {}".format(process[1]['name'], json.dumps(process[1])), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_LOCAL)) if len(av_processes) > 0: test_status = zero_trust_consts.STATUS_PASSED else: test_status = zero_trust_consts.STATUS_FAILED AggregateFinding.create_or_add_to_existing( test=zero_trust_consts.TEST_ENDPOINT_SECURITY_EXISTS, status=test_status, events=events)
def test_dispatch_to_relevant_collector(self): self.fail_if_not_testing_env() self.clean_monkey_db() a_monkey = Monkey(guid=str(uuid.uuid4())) a_monkey.save() dispatcher = SystemInfoTelemetryDispatcher() # JSON with results - make sure functions are called instance_id = "i-0bd2c14bd4c7d703f" telem_json = { "data": { "collectors": { "AwsCollector": { "instance_id": instance_id }, } }, "monkey_guid": a_monkey.guid } dispatcher.dispatch_collector_results_to_relevant_processors( telem_json) self.assertEquals( Monkey.get_single_monkey_by_guid(a_monkey.guid).aws_instance_id, instance_id)
def test_open_data_endpoints(telemetry_json): services = telemetry_json["data"]["machine"]["services"] current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid']) found_http_server_status = zero_trust_consts.STATUS_PASSED found_elastic_search_server = zero_trust_consts.STATUS_PASSED events = [ Event.create_event( title="Scan Telemetry", message="Monkey on {} tried to perform a network scan, the target was {}.".format( current_monkey.hostname, telemetry_json["data"]["machine"]["ip_addr"]), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK, timestamp=telemetry_json["timestamp"] ) ] for service_name, service_data in list(services.items()): events.append(Event.create_event( title="Scan telemetry analysis", message="Scanned service: {}.".format(service_name), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK )) if service_name in HTTP_SERVERS_SERVICES_NAMES: found_http_server_status = zero_trust_consts.STATUS_FAILED events.append(Event.create_event( title="Scan telemetry analysis", message="Service {} on {} recognized as an open data endpoint! Service details: {}".format( service_data["display_name"], telemetry_json["data"]["machine"]["ip_addr"], json.dumps(service_data) ), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK )) if service_name == ES_SERVICE: found_elastic_search_server = zero_trust_consts.STATUS_FAILED events.append(Event.create_event( title="Scan telemetry analysis", message="Service {} on {} recognized as an open data endpoint! Service details: {}".format( service_data["display_name"], telemetry_json["data"]["machine"]["ip_addr"], json.dumps(service_data) ), event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK )) AggregateFinding.create_or_add_to_existing( test=zero_trust_consts.TEST_DATA_ENDPOINT_HTTP, status=found_http_server_status, events=events ) AggregateFinding.create_or_add_to_existing( test=zero_trust_consts.TEST_DATA_ENDPOINT_ELASTIC, status=found_elastic_search_server, events=events ) add_malicious_activity_to_timeline(events)
def process_scan_telemetry(telemetry_json): update_edges_and_nodes_based_on_scan_telemetry(telemetry_json) test_open_data_endpoints(telemetry_json) current_monkey = Monkey.get_single_monkey_by_guid( telemetry_json['monkey_guid']) target_ip = telemetry_json['data']['machine']['ip_addr'] test_segmentation_violation(current_monkey, target_ip)
def process_scan_telemetry(telemetry_json): update_edges_and_nodes_based_on_scan_telemetry(telemetry_json) check_open_data_endpoints(telemetry_json) current_monkey = Monkey.get_single_monkey_by_guid( telemetry_json["monkey_guid"]) target_ip = telemetry_json["data"]["machine"]["ip_addr"] check_segmentation_violation(current_monkey, target_ip)
def process_exploit_telemetry(telemetry_json): encrypt_exploit_creds(telemetry_json) edge = get_edge_by_scan_or_exploit_telemetry(telemetry_json) update_network_with_exploit(edge, telemetry_json) update_node_credentials_from_successful_attempts(edge, telemetry_json) test_machine_exploited( current_monkey=Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid']), exploit_successful=telemetry_json['data']['result'], exploiter=telemetry_json['data']['exploiter'], target_ip=telemetry_json['data']['machine']['ip_addr'], timestamp=telemetry_json['timestamp'])
def process_state_telemetry(telemetry_json): monkey = NodeService.get_monkey_by_guid(telemetry_json['monkey_guid']) NodeService.add_communication_info( monkey, telemetry_json['command_control_channel']) if telemetry_json['data']['done']: NodeService.set_monkey_dead(monkey, True) else: NodeService.set_monkey_dead(monkey, False) if telemetry_json['data']['done']: current_monkey = Monkey.get_single_monkey_by_guid( telemetry_json['monkey_guid']) test_passed_findings_for_unreached_segments(current_monkey)
def process_exploit_telemetry(telemetry_json): encrypt_exploit_creds(telemetry_json) edge = get_edge_by_scan_or_exploit_telemetry(telemetry_json) update_network_with_exploit(edge, telemetry_json) update_node_credentials_from_successful_attempts(edge, telemetry_json) add_exploit_extracted_creds_to_config(telemetry_json) check_machine_exploited( current_monkey=Monkey.get_single_monkey_by_guid( telemetry_json["monkey_guid"]), exploit_successful=telemetry_json["data"]["result"], exploiter=telemetry_json["data"]["exploiter"], target_ip=telemetry_json["data"]["machine"]["ip_addr"], timestamp=telemetry_json["timestamp"], )
def process_state_telemetry(telemetry_json): monkey = NodeService.get_monkey_by_guid(telemetry_json["monkey_guid"]) NodeService.add_communication_info( monkey, telemetry_json["command_control_channel"]) if telemetry_json["data"]["done"]: NodeService.set_monkey_dead(monkey, True) else: NodeService.set_monkey_dead(monkey, False) if telemetry_json["data"]["done"]: current_monkey = Monkey.get_single_monkey_by_guid( telemetry_json["monkey_guid"]) check_passed_findings_for_unreached_segments(current_monkey) if telemetry_json["data"]["version"]: logger.info(f"monkey {telemetry_json['monkey_guid']} has version " f"{telemetry_json['data']['version']}")
def test_process_environment_telemetry(self): # Arrange monkey_guid = str(uuid.uuid4()) a_monkey = Monkey(guid=monkey_guid) a_monkey.save() dispatcher = SystemInfoTelemetryDispatcher() on_premise = "On Premise" telem_json = { "data": { "collectors": { "EnvironmentCollector": {"environment": on_premise}, } }, "monkey_guid": monkey_guid } dispatcher.dispatch_collector_results_to_relevant_processors(telem_json) assert Monkey.get_single_monkey_by_guid(monkey_guid).environment == on_premise
def test_tunneling_violation(tunnel_telemetry_json): if tunnel_telemetry_json['data']['proxy'] is not None: # Monkey is tunneling, create findings tunnel_host_ip = get_tunnel_host_ip_from_proxy_field( tunnel_telemetry_json) current_monkey = Monkey.get_single_monkey_by_guid( tunnel_telemetry_json['monkey_guid']) tunneling_events = [ Event.create_event( title="Tunneling event", message="Monkey on {hostname} tunneled traffic through {proxy}." .format(hostname=current_monkey.hostname, proxy=tunnel_host_ip), event_type=EVENT_TYPE_MONKEY_NETWORK, timestamp=tunnel_telemetry_json['timestamp']) ] AggregateFinding.create_or_add_to_existing(test=TEST_TUNNELING, status=STATUS_FAILED, events=tunneling_events) add_malicious_activity_to_timeline(tunneling_events)
def process_communicate_as_new_user_telemetry(telemetry_json): current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid']) message = telemetry_json['data']['result'][0] success = telemetry_json['data']['result'][1] test_new_user_communication(current_monkey, success, message)
def process_communicate_as_backdoor_user_telemetry(telemetry_json): current_monkey = Monkey.get_single_monkey_by_guid( telemetry_json["monkey_guid"]) message = telemetry_json["data"]["result"][0] success = telemetry_json["data"]["result"][1] check_new_user_communication(current_monkey, success, message)
def update_db_with_new_hostname(telemetry_json): Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid']).set_hostname(telemetry_json['data']['hostname'])