
Buggy telemetry processing for ATT&CK techniques mapped to the same PBA #1480

Closed
1 task
shreyamalviya opened this issue Sep 22, 2021 · 0 comments · Fixed by #1514
Assignees
Labels
Bug An error, flaw, misbehavior or failure in the Monkey or Monkey Island.

Comments


shreyamalviya commented Sep 22, 2021

Some ATT&CK techniques are mapped to the same PBAs. For example, T1053 (Scheduled task) and T1168 (Local job scheduling) are both mapped to the "Job scheduling" PBA. The way our PBA telemetry is processed in `def get_pba_query(cls, post_breach_action_names):` causes issues in such cases, which in turn leads to a buggy ATT&CK report.

Example (reported by @ilija-lazoroski):

  1. There were no Windows machines in the network.
  2. Crontab does not exist on Windows.

Tasks

  • Fix it! (0.75d)
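To make the failure mode concrete, here is an added, self-contained illustration (not Infection Monkey's code, and not the fix from #1514, which this page does not describe). It models two techniques sharing one PBA name, a telemetry store that records only the PBA name, and a lookup that filters by PBA name alone: the T1053 report then picks up crontab results from Linux hosts, which matches the two observations above. The record layout, the `target_os` field, the `TECHNIQUE_OS` table and all helper names are assumptions; the telemetry entries are constructed sample data. The disambiguating lookup shown at the end is one plausible approach, offered as an assumption rather than the project's actual change.

```python
"""Why filtering PBA telemetry by PBA name alone conflates ATT&CK techniques.

Constructed example for illustration; not Infection Monkey's implementation.
Record fields, the target_os attribute and all helper names are assumptions.
"""

# Technique -> PBA name mapping, as described in the issue.
TECHNIQUE_TO_PBA = {
    "T1053": "Job scheduling",  # Scheduled task (Windows scheduler)
    "T1168": "Job scheduling",  # Local job scheduling (Linux cron)
}

# Assumed: the OS each technique's implementation is relevant to.
TECHNIQUE_OS = {"T1053": "windows", "T1168": "linux"}

# Constructed PBA telemetry records; only the PBA name is stored, not the technique id.
TELEMETRY = [
    {"name": "Job scheduling", "target_os": "linux", "hostname": "lin-01",
     "command": "crontab -l", "result": ["listed 0 jobs", True]},
    {"name": "Job scheduling", "target_os": "linux", "hostname": "lin-02",
     "command": "crontab -l", "result": ["listed 1 job", True]},
    {"name": "Communicate as new user", "target_os": "linux", "hostname": "lin-01",
     "command": "whoami", "result": ["monkey-user", True]},
]


def pba_query_by_name(pba_names):
    """Name-only filter: returns every record whose PBA name matches, no matter
    which technique's implementation produced it."""
    return [t for t in TELEMETRY if t["name"] in pba_names]


def technique_report_buggy(technique):
    """Report built from the name-only query. For T1053 this returns the
    crontab records even though no Windows host was involved."""
    pba = TECHNIQUE_TO_PBA[technique]
    return pba_query_by_name({pba})


def technique_report_fixed(technique):
    """Assumed remedy: disambiguate shared PBA names by the OS the technique
    targets, so Linux cron telemetry never lands in the Windows technique."""
    pba = TECHNIQUE_TO_PBA[technique]
    os_name = TECHNIQUE_OS[technique]
    return [t for t in TELEMETRY
            if t["name"] == pba and t["target_os"] == os_name]


def hosts_in_report(report):
    """Sorted, de-duplicated hostnames appearing in a technique report."""
    return sorted({t["hostname"] for t in report})


if __name__ == "__main__":
    for tech in ("T1053", "T1168"):
        print(tech, "buggy:", hosts_in_report(technique_report_buggy(tech)),
              "fixed:", hosts_in_report(technique_report_fixed(tech)))
```

Running the block prints T1053 with two Linux hosts under the name-only lookup and none under the disambiguated one, while T1168 keeps the crontab results in both cases.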