[client] feat(SCV): add domains management on contract creations (#4266)

Author: gabriel-peze

pyoaev/contracts/contract_config.py

@@ -119,6 +119,13 @@ class ContractConfig:
     color_dark: str
     color_light: str
 
+@dataclass
+class Domain:
+    domain_id: str
+    domain_name: str
+    domain_color: str
+    domain_created_at: str
+    domain_updated_at: str
 
 @dataclass
 class Contract:
@@ -141,6 +148,7 @@ class Contract:
     is_atomic_testing: bool = True
     platforms: List[str] = field(default_factory=list)
     external_id: str = None
+    domains: List[Domain] = None
 
     def add_attack_pattern(self, var: str):
         self.contract_attack_patterns_external_ids.append(var)
@@ -163,6 +171,7 @@ def to_contract_add_input(self, source_id: str):
             "contract_content": json.dumps(self, cls=utils.EnhancedJSONEncoder),
             "is_atomic_testing": self.is_atomic_testing,
             "contract_platforms": self.platforms,
+            "contract_domains": self.domains,
         }
 
     def to_contract_update_input(self):
@@ -174,6 +183,7 @@ def to_contract_update_input(self):
             "contract_content": json.dumps(self, cls=utils.EnhancedJSONEncoder),
             "is_atomic_testing": self.is_atomic_testing,
             "contract_platforms": self.platforms,
+            "contract_domains": self.domains,
         }
 
 
@@ -203,6 +213,7 @@ def prepare_contracts(contracts):
                 "contract_attack_patterns_external_ids": c.contract_attack_patterns_external_ids,
                 "contract_content": json.dumps(c, cls=utils.EnhancedJSONEncoder),
                 "contract_platforms": c.platforms,
+                "contract_domains": c.domains,
             },
             contracts,
         )

pyoaev/security_domain/__init__.py

@@ -0,0 +1,30 @@
+from pyoaev.security_domain.types import SecurityDomainsKeyWords, SecurityDomains
+
+class SecurityDomainBuilder:
+
+    def _find_in_keywords(self, keywords, search):
+        return any(keyword.lower() in search.lower() for keyword in keywords.value)
+
+    # Define the domain by item
+    def get_associated_security_domains(self, name, description):
+        domains = []
+
+        if self._find_in_keywords(SecurityDomainsKeyWords.ENDPOINT, name) or self._find_in_keywords(SecurityDomainsKeyWords.ENDPOINT, description):
+            domains.append(SecurityDomains.ENDPOINT.value)
+        if self._find_in_keywords(SecurityDomainsKeyWords.NETWORK, name) or self._find_in_keywords(SecurityDomainsKeyWords.NETWORK, description):
+            domains.append(SecurityDomains.NETWORK.value)
+        if self._find_in_keywords(SecurityDomainsKeyWords.WEB_APP, name) or self._find_in_keywords(SecurityDomainsKeyWords.WEB_APP, description):
+            domains.append(SecurityDomains.WEB_APP.value)
+        if self._find_in_keywords(SecurityDomainsKeyWords.EMAIL_INFILTRATION, name) or self._find_in_keywords(SecurityDomainsKeyWords.EMAIL_INFILTRATION, description):
+            domains.append(SecurityDomains.EMAIL_INFILTRATION.value)
+        if self._find_in_keywords(SecurityDomainsKeyWords.DATA_EXFILTRATION, name) or self._find_in_keywords(SecurityDomainsKeyWords.DATA_EXFILTRATION, description):
+            domains.append(SecurityDomains.DATA_EXFILTRATION.value)
+        if self._find_in_keywords(SecurityDomainsKeyWords.URL_FILTERING, name) or self._find_in_keywords(SecurityDomainsKeyWords.URL_FILTERING, description):
+            domains.append(SecurityDomains.URL_FILTERING.value)
+        if self._find_in_keywords(SecurityDomainsKeyWords.CLOUD, name) or self._find_in_keywords(SecurityDomainsKeyWords.CLOUD, description):
+            domains.append(SecurityDomains.CLOUD.value)
+
+        if 0 == len(domains):
+            domains.append(SecurityDomains.ENDPOINT.value)
+
+        return domains

pyoaev/security_domain/builder.py

@@ -0,0 +1,21 @@
+from enum import Enum
+
+class SecurityDomainsKeyWords(Enum):
+    ENDPOINT = ["lsass", "registry", "dll injection", "kernel", "winlogon", "scheduled task", "wmi", "powershell", "process injection", "privilege escalation", "credential dumping", "rootkit", "startup folder", "service", "bits jobs", "removable media", "hardware additions", "browser extension", "firmware", "bootkit", "master boot record", "clipboard", "screen capture", "audio capture", "video capture", "disk wipe", "ransomware", "debugger evasion", "sandbox evasion", "trusted developer", "xsl script", "reflective code", "access token", "system binary proxy", "local"]
+    NETWORK = ["lateral movement", "packet sniff", "port scan", "man-in-the-middle", "arp spoof", "smb", "rdp", "dns tunnel", "network share", "c2", "beacon", "proxy", "firewall", "tcp", "domain controller", "kerberos", "golden ticket", "silver ticket", "domain trust", "active directory", "ldap", "ldap", "netbios", "network boundary", "bgp hijack", "bgp hijack", "dns hijack", "dhcp poison", "forced authentication", "remote service", "network device", "vlan hopping", "protocol tunnel", "traffic signaling", "weaken encryption", "exploitation remote", "network"]
+    WEB_APP = ["web shell", "csrf", "file upload vulnerability", "apache", "nginx", "iis", "php", "javascript", "rest api", "http", "cookie", "server-side request forgery", "ssrf", "xml external entity", "xxe", "deserialization", "path traversal", "local file inclusion", "remote file inclusion", "template injection", "ssti", "api abuse", "drive-by compromise", "browser exploit", "forge web credential", "web service", "defacement", "server software component", "reverse proxy", "cgi", "webdav", "session hijack", "web server"]
+    EMAIL_INFILTRATION = ["spearphishing attachment", "spearphishing link", "phishing", "malicious attachment", "email account", "outlook", "exchange", "smtp", "mail server", "macro", "spoofing", "social engineering", "inbox rule", "dkim", "business email compromise", "bec", "email forwarding rule", "email delegation", "oauth consent", "reply-to manipulation", "email thread hijack", "internal spearphishing", "email collection", "zimbra", "mail client", "mapi", "email template", "spoof sender", "dmarc", "spf", "email gateway", "office document", "pdf attachment", "link shortener", "attachment"]
+    DATA_EXFILTRATION = ["exfiltrat", "data staging", "data compressed", "steganography", "covert channel", "database dump", "automated collection", "sensitive data", "intellectual property", "data transfer", "steal", "archive", "cloud storage exfil", "ftp exfil", "physical medium", "air gap", "qr code", "scheduled transfer", "size limit", "chunk data", "alternate protocol", "icmp tunnel", "dns exfiltration", "automated exfiltration", "web service exfil", "pastebin", "code repository", "cloud account transfer", "email exfil", "data destruction", "data encrypted", "base64", "hex encode", "image steganography", "upload"]
+    URL_FILTERING = ["domain fronting", "url shorten", "typosquatting", "typosquatting", "homograph", "punycode", "url reputation", "content filter", "web gateway", "safe browsing", "url categorization", "blacklist bypass", "whitelist", "redirect", "proxy bypass", "dns over https", "doh", "dns over tls", "dot", "unicode domain", "url encode", "double encode", "open redirect", "referrer spoof", "user agent spoof", "captive portal", "proxy pac", "socks proxy", "tor", "vpn bypass", "domain generation", "fast flux", "url confusion", "subdomain takeover", "url"]
+    CLOUD = ["aws", "azure", "gcp", "lambda", "s3 bucket", "blob storage", "kubernetes", "docker", "serverless", "cloud instance", "iam role", "iam role", "saas", "tenant", "subscription", "api gateway", "microservice", "container", "cloud trail", "cloudtrail", "cloud formation", "terraform", "cloud init", "metadata service", "instance metadata", "cloud api", "resource policy", "cloud dashboard", "unused region", "snapshot", "cloud backup", "object storage", "cloud function", "service principal", "managed identity", "cloud key", "sas token", "assume role", "virtual machine"]
+
+class SecurityDomains(Enum):
+    ENDPOINT = { "domain_name": "Endpoint", "domain_color": "#389CFF" }
+    NETWORK = { "domain_name": "Network", "domain_color": "#009933" }
+    WEB_APP = { "domain_name": "Web App", "domain_color": "#FF9933" }
+    EMAIL_INFILTRATION = { "domain_name": "E-mail Infiltration", "domain_color": "#FF6666" }
+    DATA_EXFILTRATION = { "domain_name": "Data Exfiltration", "domain_color": "#9933CC" }
+    URL_FILTERING = { "domain_name": "Url Filtering", "domain_color": "#66CCFF" }
+    CLOUD = { "domain_name": "Cloud", "domain_color": "#9999CC" }
+    TABLE_TOP = { "domain_name": "Table Top", "domain_color": "#FFCC33" }
+    UNCLASSIFIED = { "domain_name": "Unclassified", "domain_color": "#969696" }