Skip to content

Buggy telemetry processing for ATT&CK techniques mapped to the same PBA #1480

New issue
New issue
Closed
#1514
Closed
Buggy telemetry processing for ATT&CK techniques mapped to the same PBA#1480
#1514
Assignees
shreyamalviya
Labels
BugAn error, flaw, misbehavior or failure in the Monkey or Monkey Island.
@shreyamalviya

Description

@shreyamalviya
shreyamalviya
opened on Sep 22, 2021

Some ATT&CK techniques are mapped to the same PBAs. For example, T1053 (Scheduled task) and T1168 (Local job scheduling) are both mapped to the "Job scheduling" PBA. The way our PBA telemetry is processed in

monkey/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py

Line 21 in 380d0ee

def get_pba_query(cls, post_breach_action_names):
causes issues in such cases which in turn leads to a buggy ATT&CK report.

Example (reported by @ilija-lazoroski):
image

  1. There were no Windows machines in the network.
  2. Crontab does not exist on Windows.

Tasks

  • Fix it! (0.75d)

Metadata

Metadata

Assignees

Labels

BugAn error, flaw, misbehavior or failure in the Monkey or Monkey Island.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions