Merge branch 'main' into datatables2

nccgroup · Aug 16, 2024 · 6227bdd · 6227bdd
2 parents f0ea1a7 + d8bc18e
commit 6227bdd
Show file tree

Hide file tree

Showing 9 changed files with 63 additions and 10 deletions.
diff --git a/event_tracker/migrations/0080_importedevent_raw_evidence.py b/event_tracker/migrations/0080_importedevent_raw_evidence.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.0.7 on 2024-07-26 10:54
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('event_tracker', '0079_alter_credential_hash_type'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='importedevent',
+            name='raw_evidence',
+            field=models.CharField(blank=True, max_length=5000, null=True),
+        ),
+    ]
diff --git a/event_tracker/models.py b/event_tracker/models.py
@@ -146,6 +146,7 @@ class ImportedEvent(models.Model):
     target_user = models.CharField(max_length=100)
     target_host = models.CharField(max_length=100)
     description = models.CharField(max_length=1000)
+    raw_evidence = models.CharField(max_length=5000, blank=True, null=True)
     outcome = models.CharField(max_length=1000, blank=True, null=True)
     mitre_tactic = models.CharField(null=True, max_length=6)
     mitre_technique = models.CharField(null=True, max_length=9)

diff --git a/event_tracker/static/eventstream/doc-generation.txt b/event_tracker/static/eventstream/doc-generation.txt
@@ -1,6 +1,7 @@
 npm install -g bootprint
 npm install -g bootprint-json-schema
 cd \temp
+' Copy eventstream.schema.json into \temp
 bootprint json-schema eventstream.schema.json .
 
 Open index.html in browser

diff --git a/event_tracker/static/eventstream/eventstream-example.json b/event_tracker/static/eventstream/eventstream-example.json
@@ -1,2 +1,2 @@
 {"ts": "2024-04-01T17:02:01", "t": {"u": "victim", "h": "192.168.5.8"}, "d": "Dumped browser passwords"}
-{"ts": "2024-04-01T17:03:01", "te": "2024-04-01T17:06:20", "s": {"h": "attacker.example.com", "p": "spray.exe"}, "t": {"h": "192.168.5.6"}, "d": "Password sprayed Welcome123"}
+{"ts": "2024-04-01T17:03:01", "te": "2024-04-01T17:06:20", "s": {"h": "attacker.example.com", "p": "spray.exe"}, "t": {"h": "192.168.5.6"}, "d": "Password sprayed Welcome123", "e":  "spray.exe -u users.txt -p Welcome123 -t https://192.168.5.6/login.php", "ma":  {"ta": "TA0006", "t": "T1110.003"}}
diff --git a/event_tracker/static/eventstream/eventstream.schema.json b/event_tracker/static/eventstream/eventstream.schema.json
@@ -85,13 +85,19 @@
     },
     "d": {
       "type": "string",
-      "description": "Description of the event",
+      "description": "Description of the event in human-readable terms.",
       "minLength": 1,
       "maxLength": 1000
     },
+    "e": {
+      "type": "string",
+      "description": "Evidence captured for the event in its rawest form, e.g. command I/O or HTTP request/response.",
+      "minLength": 1,
+      "maxLength": 5000
+    },
     "o": {
       "type": "string",
-      "description": "Outcome of the event",
+      "description": "Outcome of the event in human-readable terms.",
       "minLength": 1,
       "maxLength": 1000
     },

diff --git a/event_tracker/static/eventstream/schema-doc.html b/event_tracker/static/eventstream/schema-doc.html
@@ -212,7 +212,24 @@ <h3 class="panel-title">Stepping Stones Event Stream</h3>
                                             <span class="json-property-required"></span>
                                     </dt>
                                     <dd>
-                                        <p>Description of the event</p>
+                                        <p>Description of the event in human-readable terms.</p>
+
+                                        <div class="json-inner-schema">
+
+                                        </div>
+                                    </dd>
+                                    <dt data-property-name="e">
+                                        <span class="json-property-name">e:</span>
+
+                                        <span class="json-property-type">string</span>
+                                        <span class="json-property-range" title="Value limits"></span>
+
+                                            <span class="json-property-range" title="String length limits">
+                                                    (1 to 5000 chars)
+                                            </span>
+                                    </dt>
+                                    <dd>
+                                        <p>Evidence captured for the event in its rawest form, e.g. command I/O or HTTP request/response.</p>
 
                                         <div class="json-inner-schema">
 
@@ -229,7 +246,7 @@ <h3 class="panel-title">Stepping Stones Event Stream</h3>
                                             </span>
                                     </dt>
                                     <dd>
-                                        <p>Outcome of the event</p>
+                                        <p>Outcome of the event in human-readable terms.</p>
 
                                         <div class="json-inner-schema">
 

diff --git a/event_tracker/views.py b/event_tracker/views.py
@@ -57,7 +57,7 @@
 from .plugins import EventReportingPluginPoint
 from .signals import cs_beacon_to_context, cs_beaconlog_to_file, notify_webhook_new_beacon, cs_listener_to_context, \
     get_driver_for
-from .templatetags.custom_tags import render_ts_local
+from .templatetags.custom_tags import render_ts_local, breakonpunctuation
 
 
 @permission_required('event_tracker.view_task')
@@ -1014,6 +1014,11 @@ def render_column(self, row, column):
         elif column == 'target':
             dummy_context = Context(host=row.target_host, user=row.target_user, process=row.target_process)
             return dummy_context.get_visible_html()
+        elif column == 'description':
+            description = row.description
+            if row.raw_evidence:
+                description += f'<pre class="mt-3 mb-0"><code>{ breakonpunctuation(escape(row.raw_evidence)) }</code></pre>'
+            return description
         elif column == 'additional_data' and row.additional_data:
             additional_data_dict = json.loads(row.additional_data)
             escaped_dict = {}
@@ -1165,6 +1170,10 @@ def add_single_eventstream(self, lines_to_parse):
                     }
                     imported_event_dict["timestamp"] = parse_datetime(eventstream_dict.pop("ts"))
                     imported_event_dict["description"] = eventstream_dict.pop("d")
+
+                    if "e" in eventstream_dict:
+                        imported_event_dict["raw_evidence"] = eventstream_dict.pop("e")
+
                     if "te" in eventstream_dict:
                         imported_event_dict["timestamp_end"] = parse_datetime(eventstream_dict.pop("te"))
 
@@ -1264,7 +1273,8 @@ def get_initial(self):
             "mitre_attack_tactic": tactic,
             "mitre_attack_technique": technique,
             "mitre_attack_subtechnique": subtechnique,
-            "raw_evidence": imported_event.description,
+            "description": imported_event.description,
+            "raw_evidence": imported_event.raw_evidence,
             "outcome": imported_event.outcome,
         }
 

diff --git a/event_tracker/views_credentials.py b/event_tracker/views_credentials.py
@@ -1,3 +1,4 @@
+import contextlib
 import csv
 import io
 import itertools
@@ -201,8 +202,7 @@ def get_accounts_with_oldest_passwords(enabled, system):
         for server in BloodhoundServer.objects.filter(active=True).all():
             if driver := get_driver_for(server):
                 with driver.session() as session:
-                    with contextlib.suppress(
-                            ClientError):  # Likely caused by no accounts being enabled for this system
+                    with contextlib.suppress(ClientError):  # Likely caused by no accounts being enabled for this system
                         old_passwords = session.execute_read(CredentialStatsView._oldest_password_ages, system,
                                                              enabled)
                         # TODO merge multiple old_passwords from different servers, rather than overwriting

diff --git a/pstranscript2eventstream.py b/pstranscript2eventstream.py
@@ -9,7 +9,7 @@
 # Or always log with a registry mod: https://adamtheautomator.com/powershell-logging-2/#How_to_Turn_on_Transcripts_with_the_Registry
 
 def dump_to_json(eventstream_file, timestamp, user, host, command, output):
-    eventstream_file.write(json.dumps({"ts": timestamp.isoformat(), "s": {"u": user, "h": host}, "d": command, "output": output.lstrip("\n")}))
+    eventstream_file.write(json.dumps({"ts": timestamp.isoformat(), "s": {"u": user, "h": host}, "e": command, "output": output.lstrip("\n")}))
     eventstream_file.write("\n")
 
 def main(transcript_file, eventstream_file):