.. only:: comment

    © Crown-owned copyright 2025, Defence Science and Technology Laboratory UK

.. _DataManipulationBot:

DataManipulationBot
###################

The ``DataManipulationBot`` class provides functionality to connect to a :ref:`DatabaseService` and execute malicious SQL statements.

Overview
========

The bot is intended to simulate a malicious actor carrying out attacks like:

- Dropping tables
- Deleting records
- Modifying data

on a database server by abusing an application's trusted database connectivity.

The bot performs attacks in the following stages to simulate the real pattern of an attack:

- Logon - *The bot gains credentials and accesses the node.*
- Port Scan - *The bot finds accessible database servers on the network.*
- Attacking - *The bot delivers the payload to the discovered database servers.*

Each of these stages has a random, configurable probability of succeeding (by default 10%). The bot can also be configured to repeat the attack once complete.

Usage
=====

- Create an instance and call ``configure`` to set:

  - Target database server IP
  - Database password (if needed)
  - SQL statement payload
  - Probability of success for each of the above attack stages

- Call ``run`` to connect and execute the statement.

The bot handles connecting, executing the statement, and disconnecting.

In a simulation, the bot can be controlled by using ``DataManipulationAgent``, which calls ``run`` on the bot at configured timesteps.

Implementation
==============

The bot connects to a :ref:`DatabaseClient` and leverages its connectivity. The host running ``DataManipulationBot`` must also have a :ref:`DatabaseClient` installed on it.

- Uses the Application base class for lifecycle management.
- Credentials, target IP and other options are set via ``configure``.
- ``run`` handles connecting, executing the statement, and disconnecting.
- The SQL payload is executed via the ``query`` method.
- Results in malicious SQL being executed on the remote database server.

Examples
========

Python
""""""

.. code-block:: python

    from ipaddress import IPv4Address

    from primaite.simulator.network.hardware.nodes.host.computer import Computer
    from primaite.simulator.network.hardware.node_operating_state import NodeOperatingState
    from primaite.simulator.system.applications.red_applications.data_manipulation_bot import DataManipulationBot
    from primaite.simulator.system.applications.database_client import DatabaseClient

    # `network` and `switch_2` are assumed to have been created earlier in the simulation setup
    client_1 = Computer(
        hostname="client_1",
        ip_address="192.168.10.21",
        subnet_mask="255.255.255.0",
        default_gateway="192.168.10.1",
        operating_state=NodeOperatingState.ON,  # initialise the computer in an ON state
    )
    network.connect(endpoint_b=client_1.network_interface[1], endpoint_a=switch_2.network_interface[1])

    # the bot relies on a DatabaseClient installed on the same host
    client_1.software_manager.install(DatabaseClient)
    client_1.software_manager.install(DataManipulationBot)
    data_manipulation_bot: DataManipulationBot = client_1.software_manager.software.get("DataManipulationBot")
    data_manipulation_bot.configure(server_ip_address=IPv4Address("192.168.1.14"), payload="DELETE")
    data_manipulation_bot.run()

This would connect to the database service at 192.168.1.14, authenticate, and execute the SQL statement to delete database contents.

Example with ``DataManipulationAgent``
""""""""""""""""""""""""""""""""""""""

If the data manipulation bot is not being run manually, it needs to be used with a data manipulation agent. Below is an example section of a configuration file for setting up a simulation with a data manipulation bot and agent.

.. code-block:: yaml

    game:
      # ...
      agents:
        - ref: data_manipulation_red_bot
          team: RED
          type: RedDatabaseCorruptingAgent
          observation_space:
            type: UC2RedObservation
            options:
              nodes:
                - node_name: client_1
                  observations:
                    - logon_status
                    - operating_status
                  applications:
                    - application_ref: data_manipulation_bot
                      observations:
                        operating_status
                        health_status
                  folders: {}
          action_space:
            action_list:
              - type: DONOTHING
              - type: NODE_APPLICATION_EXECUTE
            options:
              nodes:
                - node_name: client_1
                  applications:
                    - application_ref: data_manipulation_bot
              max_folders_per_node: 1
              max_files_per_folder: 1
              max_services_per_node: 1
          reward_function:
            reward_components:
              - type: DUMMY
          agent_settings:
            start_settings:
              start_step: 25
              frequency: 20
              variance: 5
      # ...

    simulation:
      network:
        nodes:
          - ref: client_1
            type: computer
            # ... additional configuration here
            applications:
              - ref: data_manipulation_bot
                type: DataManipulationBot
                options:
                  port_scan_p_of_success: 0.1
                  data_manipulation_p_of_success: 0.1
                  payload: "DELETE"
                  server_ip: 192.168.1.14
              - ref: web_server_database_client
                type: DatabaseClient
                options:
                  db_server_ip: 192.168.1.14

Configuration
=============

``server_ip``
"""""""""""""

IP address of the :ref:`DatabaseService` which the ``DataManipulationBot`` will try to attack.

This must be a valid IPv4 address, i.e. in the range ``0.0.0.0`` to ``255.255.255.255``.

``server_password``
"""""""""""""""""""

Optional. Default value is ``None``.

The password that the ``DataManipulationBot`` will use to access the :ref:`DatabaseService`.

``payload``
"""""""""""

Optional. Default value is ``DELETE``.

The payload that the ``DataManipulationBot`` will send to the :ref:`DatabaseService`.

.. include:: ../common/db_payload_list.rst

``port_scan_p_of_success``
""""""""""""""""""""""""""

Optional. Default value is ``0.1``.

The probability that the ``DataManipulationBot`` succeeds with a port scan (and therefore continues the attack).

This must be a float value between ``0`` and ``1``.

``data_manipulation_p_of_success``
""""""""""""""""""""""""""""""""""

Optional. Default value is ``0.1``.

The probability that the ``DataManipulationBot`` succeeds with a data manipulation attack.

This must be a float value between ``0`` and ``1``.
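
The two success probabilities above determine how long a simulated attack takes to land, which matters when sizing episodes for a defending agent. The following is an added example, not PrimAITE code: it assumes the bot keeps its stage between ``run`` calls, that one call keeps attempting stages until one fails, and that the agent calls ``run`` every ``frequency`` steps from ``start_step`` (variance averaged out); all function names are illustrative.

```python
"""Added example: how stage success probabilities shape time-to-compromise.

Assumed model (not taken from PrimAITE source): stage progress is retained
between run() calls, and one call attempts remaining stages until one fails.
"""
import math


def _check(probs):
    for p in probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability {p!r} is outside [0, 1]")


def p_complete_within(n_runs, probs):
    """Probability that every stage has succeeded after n_runs calls."""
    _check(probs)
    k = len(probs)
    dist = [1.0] + [0.0] * k  # dist[i]: stage i is the next one to attempt
    for _ in range(n_runs):
        nxt = [0.0] * k + [dist[k]]  # a finished attack stays finished
        for start in range(k):
            mass = dist[start]
            for stage in range(start, k):
                nxt[stage] += mass * (1 - probs[stage])  # stalls at this stage
                mass *= probs[stage]  # carries on within the same call
            nxt[k] += mass
        dist = nxt
    return dist[k]


def expected_runs(probs):
    """Mean number of run() calls until the payload is delivered."""
    _check(probs)
    if any(p == 0 for p in probs):
        return math.inf  # a stage that can never succeed
    remaining = 0.0  # expected further calls once the later stages are reached
    for p in reversed(probs):
        remaining = (1 + p * remaining) / p - 1
    return remaining + 1


def expected_step(probs, start_step, frequency):
    """Mean timestep of delivery, assuming calls at start_step + i * frequency."""
    return start_step + (expected_runs(probs) - 1) * frequency


if __name__ == "__main__":
    defaults = [0.1, 0.1]  # port_scan_p_of_success, data_manipulation_p_of_success
    print(expected_runs(defaults), expected_step(defaults, 25, 20))
    print(p_complete_within(10, defaults))
```

Under this model the default values give a mean of 19 calls, or roughly step 385 with the ``agent_settings`` shown in the YAML example, so a short episode will often end before the payload is delivered.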

``Common Attributes``
^^^^^^^^^^^^^^^^^^^^^

See :ref:`Common Configuration`