-
Notifications
You must be signed in to change notification settings - Fork 3
/
atomicredteam_connector.py
374 lines (299 loc) · 17.9 KB
/
atomicredteam_connector.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
# File: atomicredteam_connector.py
# Copyright(c) 2018 Splunk Inc.
#
# SPLUNK CONFIDENTIAL - Use or disclosure of this material in whole or in part
# without a valid written license from Splunk Inc. is PROHIBITED.
# -----------------------------------------
# Phantom sample App Connector python file
# -----------------------------------------
# Phantom App imports
import phantom.app as phantom
from phantom.base_connector import BaseConnector
from phantom.action_result import ActionResult
from phantom.vault import Vault
# Usage of the consts file is recommended
# from atomicredteam_consts import *
import requests
import json
import git
from git import Repo
import os
import yaml
import ast
import shutil
class RetVal(tuple):
def __new__(cls, val1, val2=None):
return tuple.__new__(RetVal, (val1, val2))
class AtomicRedTeamConnector(BaseConnector):
def __init__(self):
# Call the BaseConnectors init first
super(AtomicRedTeamConnector, self).__init__()
self._state = None
# self._atomic_dir = '/opt/phantom/tmp/atomic_repo'
def _handle_test_connectivity(self, param):
# Add an action result object to self (BaseConnector) to represent the action for this param
action_result = self.add_action_result(ActionResult(dict(param)))
self.save_progress("Cloning or updating Atomic Red Team repository...")
if os.path.exists(self._atomic_dir):
try:
atomic_repo = Repo(self._atomic_dir)
if not atomic_repo.bare:
self.save_progress("Found existing repo. Updating from source...")
atomic_repo.remotes.origin.pull()
self.save_progress("Repo updated successfully")
return action_result.set_status(phantom.APP_SUCCESS)
else:
self.save_progress("Found existing repo, but it was bare. Cloning again...")
atomic_repo.clone_from(self._base_url, self._atomic_dir)
self.save_progress("Repo updated successfully")
return action_result.set_status(phantom.APP_SUCCESS)
except git.exc.InvalidGitRepositoryError:
self.save_progress("Found existing directory, but invalid repo. Cloning again...")
atomic_repo = Repo.clone_from(self._base_url, self._atomic_dir)
self.save_progress("Repo updated successfully")
return action_result.set_status(phantom.APP_SUCCESS)
except Exception as e:
return action_result.set_status(phantom.APP_ERROR, "Error updating the existing atomic repo. Details: {0}".format(str(e)))
else:
try:
self.save_progress("No repo found. Creating...")
os.mkdir(self._atomic_dir)
atomic_repo = Repo.clone_from(self._base_url, self._atomic_dir)
self.save_progress("Repo created successfully")
return action_result.set_status(phantom.APP_SUCCESS)
except Exception as e:
return action_result.set_status(phantom.APP_ERROR, "Error creating new atomic repo. Details: {0}".format(str(e)))
def _handle_format_command(self, param):
# Implement the handler here
# use self.save_progress(...) to send progress messages back to the platform
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
# Add an action result object to self (BaseConnector) to represent the action for this param
action_result = self.add_action_result(ActionResult(dict(param)))
attack_id = param['attack_id']
supported_os = param['supported_os']
input_args = param.get('input_arguments', '')
for sub_dir, dirs, files in os.walk(os.path.join(self._atomic_dir, 'atomics')):
if attack_id in sub_dir:
for each in files:
if '.yaml' in each:
f = open(sub_dir + '/' + each, 'r')
try:
yaml_data = yaml.load(f)
for each_test in yaml_data['atomic_tests']:
formatted_test = {'attack_technique': yaml_data['attack_technique']}
if supported_os in each_test['supported_platforms']:
if 'input_arguments' not in each_test:
if each_test['executor'].get('cleanup_command') is not None:
formatted_test['executor'] = {'command': each_test['executor']['command'], 'cleanup_command': each_test['executor']['cleanup_command'], 'name': each_test['executor']['name'], 'arg_types': 'None'} # noqa
else:
formatted_test['executor'] = {'command': each_test['executor']['command'], 'name': each_test['executor']['name'], 'arg_types': 'None'}
action_result.add_data(formatted_test)
continue
if input_args == '':
try:
input_arguments = each_test['input_arguments']
except Exception as e:
return action_result.set_status(phantom.APP_ERROR, "Error using default arguments: ".format(str(e)))
else:
try:
input_arguments = ast.literal_eval(input_args)
except Exception as e:
return action_result.set_status(phantom.APP_ERROR, "Error evaluating argument list as JSON: ".format(str(e)))
executor = each_test['executor']['command']
arg_types = []
for k, v in input_arguments.iteritems():
var_sub = '#{' + k + '}'
if input_args == '':
executor = executor.replace(var_sub, v['default'])
arg_types.append(v['type'])
else:
executor = executor.replace(var_sub, v)
if each_test['executor'].get('cleanup_command') is not None:
cleanup = each_test['executor']['cleanup_command']
arg_types = []
for k, v in input_arguments.iteritems():
var_sub = '#{' + k + '}'
if input_args == '':
cleanup = cleanup.replace(var_sub, v['default'])
arg_types.append(v['type'])
else:
cleanup = cleanup.replace(var_sub, v)
if each_test['executor'].get('cleanup_command') is not None:
formatted_test['executor'] = {'command': executor, 'cleanup_command': cleanup, 'name': each_test['executor']['name'], 'arg_types': arg_types} # noqa
else:
formatted_test['executor'] = {'command': executor, 'name': each_test['executor']['name'], 'arg_types': arg_types}
action_result.add_data(formatted_test)
except yaml.YAMLError as e:
pass
except Exception as e:
return action_result.set_status(phantom.APP_ERROR, "Error adding YAML data to results: ".format(str(e)))
# return action_result.set_status(phantom.APP_ERROR, "Error parsing YAML file:".format(str(e)))
# Add a dictionary that is made up of the most important values from data into the summary
summary = action_result.update_summary({})
summary['total tests'] = action_result.get_data_size()
return action_result.set_status(phantom.APP_SUCCESS)
def _handle_get_module(self, param):
# Implement the handler here
# use self.save_progress(...) to send progress messages back to the platform
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
# Add an action result object to self (BaseConnector) to represent the action for this param
action_result = self.add_action_result(ActionResult(dict(param)))
attack_id = param['attack_id']
for sub_dir, dirs, files in os.walk(self._atomic_dir + '/atomics'):
if attack_id in sub_dir:
for each in files:
if '.yaml' in each:
f = open(sub_dir + '/' + each, 'r')
try:
yaml_data = yaml.load(f)
for each_test in yaml_data['atomic_tests']:
each_test['attack_technique'] = yaml_data['attack_technique']
action_result.add_data(each_test)
except yaml.YAMLError as e:
pass
except Exception as e:
return action_result.set_status(phantom.APP_ERROR, "Error adding YAML data to results: ".format(str(e)))
# return action_result.set_status(phantom.APP_ERROR, "Error parsing YAML file:".format(str(e)))
# Add a dictionary that is made up of the most important values from data into the summary
summary = action_result.update_summary({})
summary['total tests'] = action_result.get_data_size()
return action_result.set_status(phantom.APP_SUCCESS)
def _handle_list_modules(self, param):
# Implement the handler here
# use self.save_progress(...) to send progress messages back to the platform
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
# Add an action result object to self (BaseConnector) to represent the action for this param
action_result = self.add_action_result(ActionResult(dict(param)))
for sub_dir, dirs, files in os.walk(self._atomic_dir + '/atomics'):
for each in files:
if '.yaml' in each:
f = open(sub_dir + '/' + each, 'r')
try:
yaml_data = yaml.load(f)
action_result.add_data(yaml_data)
except yaml.YAMLError as e:
pass
except Exception as e:
return action_result.set_status(phantom.APP_ERROR, "Error adding YAML data to results: ".format(str(e)))
# Add a dictionary that is made up of the most important values from data into the summary
summary = action_result.update_summary({})
summary['total techniques'] = action_result.get_data_size()
return action_result.set_status(phantom.APP_SUCCESS)
def _handle_get_payload(self, param):
# Implement the handler here
# use self.save_progress(...) to send progress messages back to the platform
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
# Add an action result object to self (BaseConnector) to represent the action for this param
action_result = self.add_action_result(ActionResult(dict(param)))
file_name_to_get = param.get('file_name', None)
get_all = param['get_all']
attack_id = param['attack_id']
for sub_dir, dirs, files in os.walk(self._atomic_dir + '/atomics'):
if attack_id in sub_dir:
for each in files:
old_path = sub_dir + '/src/'
new_path = '/opt/phantom/vault/tmp/'
if 'yaml' in each and file_name_to_get is not None:
try:
for local_dir, src_dirs, payload_names in os.walk(old_path):
for each_payload in payload_names:
if each_payload == file_name_to_get:
shutil.copy2(local_dir + '/' + file_name_to_get, new_path)
vault_results = Vault.add_attachment(new_path + file_name_to_get, self.get_container_id(), file_name=file_name_to_get)
vault_results['file_name'] = file_name_to_get
vault_results['file_path'] = local_dir + '/' + file_name_to_get
action_result.add_data(vault_results)
self.save_progress("Vault_results: " + str(vault_results))
except Exception as e:
return action_result.set_status(phantom.APP_ERROR, "Error finding file and attaching to vault: ".format(str(e)))
if 'yaml' in each and get_all:
try:
for local_dir, src_dirs, payload_names in os.walk(old_path):
for each_payload in payload_names:
shutil.copy2(local_dir + '/' + each_payload, new_path)
vault_results = Vault.add_attachment(new_path + each_payload, self.get_container_id(), file_name=each_payload)
vault_results['file_path'] = local_dir + '/' + each_payload
vault_results['file_name'] = each_payload
action_result.add_data(vault_results)
self.save_progress("Vault_results: " + str(vault_results))
except Exception as e:
return action_result.set_status(phantom.APP_ERROR, "Error copying all files in src directory".format(str(e)))
# Add a dictionary that is made up of the most important values from data into the summary
summary = action_result.update_summary({})
summary['total payloads'] = action_result.get_data_size()
return action_result.set_status(phantom.APP_SUCCESS)
def handle_action(self, param):
ret_val = phantom.APP_SUCCESS
# Get the action that we are supposed to execute for this App Run
action_id = self.get_action_identifier()
self.debug_print("action_id", self.get_action_identifier())
if action_id == 'test_connectivity':
ret_val = self._handle_test_connectivity(param)
elif action_id == 'get_module':
ret_val = self._handle_get_module(param)
elif action_id == 'format_command':
ret_val = self._handle_format_command(param)
elif action_id == 'list_modules':
ret_val = self._handle_list_modules(param)
elif action_id == 'update_repo':
ret_val = self._handle_test_connectivity(param)
elif action_id == 'get_payload':
ret_val = self._handle_get_payload(param)
return ret_val
def initialize(self):
self._state = self.load_state()
# get the asset config
config = self.get_config()
self._base_url = config.get('base_url', 'https://github.com/redcanaryco/atomic-red-team.git')
self._atomic_dir = os.path.join(self.get_state_dir(), 'atomic_repo')
return phantom.APP_SUCCESS
def finalize(self):
# Save the state, this data is saved accross actions and app upgrades
self.save_state(self._state)
return phantom.APP_SUCCESS
if __name__ == '__main__':
import pudb
import argparse
pudb.set_trace()
argparser = argparse.ArgumentParser()
argparser.add_argument('input_test_json', help='Input Test JSON file')
argparser.add_argument('-u', '--username', help='username', required=False)
argparser.add_argument('-p', '--password', help='password', required=False)
args = argparser.parse_args()
session_id = None
username = args.username
password = args.password
if (username is not None and password is None):
# User specified a username but not a password, so ask
import getpass
password = getpass.getpass("Password: ")
if (username and password):
try:
print ("Accessing the Login page")
r = requests.get("https://127.0.0.1/login", verify=False)
csrftoken = r.cookies['csrftoken']
data = dict()
data['username'] = username
data['password'] = password
data['csrfmiddlewaretoken'] = csrftoken
headers = dict()
headers['Cookie'] = 'csrftoken=' + csrftoken
headers['Referer'] = 'https://127.0.0.1/login'
print ("Logging into Platform to get the session id")
r2 = requests.post("https://127.0.0.1/login", verify=False, data=data, headers=headers)
session_id = r2.cookies['sessionid']
except Exception as e:
print ("Unable to get session id from the platfrom. Error: " + str(e))
exit(1)
with open(args.input_test_json) as f:
in_json = f.read()
in_json = json.loads(in_json)
print(json.dumps(in_json, indent=4))
connector = AtomicRedTeamConnector()
connector.print_progress_message = True
if (session_id is not None):
in_json['user_session_token'] = session_id
connector._set_csrf_info(csrftoken, headers['Referer'])
ret_val = connector._handle_action(json.dumps(in_json), None)
print (json.dumps(json.loads(ret_val), indent=4))
exit(0)