diff --git a/.travis.yml b/.travis.yml
index c7b12ca86..6640812b4 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -65,7 +65,7 @@ script:
- cd monkey_island/cc/ui
- npm ci # See https://docs.npmjs.com/cli/ci.html
- eslint ./src --quiet # Test for errors
-- JS_WARNINGS_AMOUNT_UPPER_LIMIT=490
+- JS_WARNINGS_AMOUNT_UPPER_LIMIT=90
- eslint ./src --max-warnings $JS_WARNINGS_AMOUNT_UPPER_LIMIT # Test for max warnings
after_success:
diff --git a/monkey/common/data/post_breach_consts.py b/monkey/common/data/post_breach_consts.py
index dee4f67d0..1e36f9e20 100644
--- a/monkey/common/data/post_breach_consts.py
+++ b/monkey/common/data/post_breach_consts.py
@@ -1,3 +1,4 @@
POST_BREACH_COMMUNICATE_AS_NEW_USER = "Communicate as new user"
POST_BREACH_BACKDOOR_USER = "Backdoor user"
POST_BREACH_FILE_EXECUTION = "File execution"
+POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION = "Modify shell startup file"
diff --git a/monkey/infection_monkey/post_breach/actions/modify_shell_startup_files.py b/monkey/infection_monkey/post_breach/actions/modify_shell_startup_files.py
new file mode 100644
index 000000000..095c7cb11
--- /dev/null
+++ b/monkey/infection_monkey/post_breach/actions/modify_shell_startup_files.py
@@ -0,0 +1,44 @@
+from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
+from infection_monkey.post_breach.pba import PBA
+from infection_monkey.post_breach.shell_startup_files.shell_startup_files_modification import\
+ get_commands_to_modify_shell_startup_files
+
+
+class ModifyShellStartupFiles(PBA):
+ """
+ This PBA attempts to modify shell startup files,
+ like ~/.profile, ~/.bashrc, ~/.bash_profile in linux,
+ and profile.ps1 in windows.
+ """
+
+ def run(self):
+ [pba.run() for pba in self.modify_shell_startup_PBA_list()]
+
+ def modify_shell_startup_PBA_list(self):
+ return ShellStartupPBAGenerator.get_modify_shell_startup_pbas()
+
+
+class ShellStartupPBAGenerator():
+ def get_modify_shell_startup_pbas():
+ (cmds_for_linux, shell_startup_files_for_linux, usernames_for_linux),\
+ (cmds_for_windows, shell_startup_files_per_user_for_windows) = get_commands_to_modify_shell_startup_files()
+
+ pbas = []
+
+ for startup_file_per_user in shell_startup_files_per_user_for_windows:
+ windows_cmds = ' '.join(cmds_for_windows).format(startup_file_per_user)
+ pbas.append(ModifyShellStartupFile(linux_cmds='', windows_cmds=['powershell.exe', windows_cmds]))
+
+ for username in usernames_for_linux:
+ for shell_startup_file in shell_startup_files_for_linux:
+ linux_cmds = ' '.join(cmds_for_linux).format(shell_startup_file).format(username)
+ pbas.append(ModifyShellStartupFile(linux_cmds=linux_cmds, windows_cmds=''))
+
+ return pbas
+
+
+class ModifyShellStartupFile(PBA):
+ def __init__(self, linux_cmds, windows_cmds):
+ super(ModifyShellStartupFile, self).__init__(name=POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
+ linux_cmd=linux_cmds,
+ windows_cmd=windows_cmds)
diff --git a/monkey/infection_monkey/post_breach/pba.py b/monkey/infection_monkey/post_breach/pba.py
index 3d8da9dab..e5a91b733 100644
--- a/monkey/infection_monkey/post_breach/pba.py
+++ b/monkey/infection_monkey/post_breach/pba.py
@@ -57,11 +57,12 @@ class PBA(Plugin):
"""
Runs post breach action command
"""
- exec_funct = self._execute_default
- result = exec_funct()
- if self.scripts_were_used_successfully(result):
- T1064Telem(ScanStatus.USED, "Scripts were used to execute %s post breach action." % self.name).send()
- PostBreachTelem(self, result).send()
+ if self.command:
+ exec_funct = self._execute_default
+ result = exec_funct()
+ if self.scripts_were_used_successfully(result):
+ T1064Telem(ScanStatus.USED, "Scripts were used to execute %s post breach action." % self.name).send()
+ PostBreachTelem(self, result).send()
def is_script(self):
"""
diff --git a/monkey/infection_monkey/post_breach/shell_startup_files/linux/shell_startup_files_modification.py b/monkey/infection_monkey/post_breach/shell_startup_files/linux/shell_startup_files_modification.py
new file mode 100644
index 000000000..8a1ed7246
--- /dev/null
+++ b/monkey/infection_monkey/post_breach/shell_startup_files/linux/shell_startup_files_modification.py
@@ -0,0 +1,39 @@
+import subprocess
+from infection_monkey.utils.environment import is_windows_os
+
+
+def get_linux_commands_to_modify_shell_startup_files():
+ if is_windows_os():
+ return '', [], []
+
+ HOME_DIR = "/home/"
+
+ # get list of usernames
+ USERS = subprocess.check_output(
+ "cut -d: -f1,3 /etc/passwd | egrep ':[0-9]{4}$' | cut -d: -f1",
+ shell=True
+ ).decode().split('\n')[:-1]
+
+ # get list of paths of different shell startup files with place for username
+ STARTUP_FILES = [
+ file_path.format(HOME_DIR) for file_path in
+ [
+ "{0}{{0}}/.profile", # bash, dash, ksh, sh
+ "{0}{{0}}/.bashrc", # bash
+ "{0}{{0}}/.bash_profile",
+ "{0}{{0}}/.config/fish/config.fish", # fish
+ "{0}{{0}}/.zshrc", # zsh
+ "{0}{{0}}/.zshenv",
+ "{0}{{0}}/.zprofile",
+ "{0}{{0}}/.kshrc", # ksh
+ "{0}{{0}}/.tcshrc", # tcsh
+ "{0}{{0}}/.cshrc", # csh
+ ]
+ ]
+
+ return [
+ '3<{0} 3<&- &&', # check for existence of file
+ 'echo \"# Succesfully modified {0}\" |',
+ 'tee -a {0} &&', # append to file
+ 'sed -i \'$d\' {0}', # remove last line of file (undo changes)
+ ], STARTUP_FILES, USERS
diff --git a/monkey/infection_monkey/post_breach/shell_startup_files/shell_startup_files_modification.py b/monkey/infection_monkey/post_breach/shell_startup_files/shell_startup_files_modification.py
new file mode 100644
index 000000000..bc83ec499
--- /dev/null
+++ b/monkey/infection_monkey/post_breach/shell_startup_files/shell_startup_files_modification.py
@@ -0,0 +1,10 @@
+from infection_monkey.post_breach.shell_startup_files.linux.shell_startup_files_modification import\
+ get_linux_commands_to_modify_shell_startup_files
+from infection_monkey.post_breach.shell_startup_files.windows.shell_startup_files_modification import\
+ get_windows_commands_to_modify_shell_startup_files
+
+
+def get_commands_to_modify_shell_startup_files():
+ linux_cmds = get_linux_commands_to_modify_shell_startup_files()
+ windows_cmds = get_windows_commands_to_modify_shell_startup_files()
+ return linux_cmds, windows_cmds
diff --git a/monkey/infection_monkey/post_breach/shell_startup_files/windows/shell_startup_files_modification.py b/monkey/infection_monkey/post_breach/shell_startup_files/windows/shell_startup_files_modification.py
new file mode 100644
index 000000000..a9116c221
--- /dev/null
+++ b/monkey/infection_monkey/post_breach/shell_startup_files/windows/shell_startup_files_modification.py
@@ -0,0 +1,27 @@
+import subprocess
+from infection_monkey.utils.environment import is_windows_os
+
+
+def get_windows_commands_to_modify_shell_startup_files():
+ if not is_windows_os():
+ return '', []
+
+ # get powershell startup file path
+ SHELL_STARTUP_FILE = subprocess.check_output('powershell $Profile').decode().split("\r\n")[0]
+ SHELL_STARTUP_FILE_PATH_COMPONENTS = SHELL_STARTUP_FILE.split("\\")
+
+ # get list of usernames
+ USERS = subprocess.check_output('dir C:\\Users /b', shell=True).decode().split("\r\n")[:-1]
+
+ STARTUP_FILES_PER_USER = ['\\'.join(SHELL_STARTUP_FILE_PATH_COMPONENTS[:2] +
+ [user] +
+ SHELL_STARTUP_FILE_PATH_COMPONENTS[3:])
+ for user in USERS]
+
+ return [
+ 'Add-Content {0}',
+ '\"# Successfully modified {0}\" ;', # add line to $profile
+ 'cat {0} | Select -last 1 ;', # print last line of $profile
+ '$OldProfile = cat {0} | Select -skiplast 1 ;',
+ 'Set-Content {0} -Value $OldProfile ;' # remove last line of $profile
+ ], STARTUP_FILES_PER_USER
diff --git a/monkey/monkey_island/cc/services/attack/attack_report.py b/monkey/monkey_island/cc/services/attack/attack_report.py
index c7130158b..b2ad3234a 100644
--- a/monkey/monkey_island/cc/services/attack/attack_report.py
+++ b/monkey/monkey_island/cc/services/attack/attack_report.py
@@ -4,7 +4,7 @@ from monkey_island.cc.models import Monkey
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016, T1021, T1064
-from monkey_island.cc.services.attack.technique_reports import T1136
+from monkey_island.cc.services.attack.technique_reports import T1136, T1156, T1504
from monkey_island.cc.services.attack.attack_config import AttackConfig
from monkey_island.cc.database import mongo
from monkey_island.cc.services.reporting.report_generation_synchronisation import safe_generate_attack_report
@@ -37,7 +37,9 @@ TECHNIQUES = {'T1210': T1210.T1210,
'T1016': T1016.T1016,
'T1021': T1021.T1021,
'T1064': T1064.T1064,
- 'T1136': T1136.T1136
+ 'T1136': T1136.T1136,
+ 'T1156': T1156.T1156,
+ 'T1504': T1504.T1504
}
REPORT_NAME = 'new_report'
diff --git a/monkey/monkey_island/cc/services/attack/attack_schema.py b/monkey/monkey_island/cc/services/attack/attack_schema.py
index 177dc9eaa..99e8dcfd2 100644
--- a/monkey/monkey_island/cc/services/attack/attack_schema.py
+++ b/monkey/monkey_island/cc/services/attack/attack_schema.py
@@ -71,6 +71,16 @@ SCHEMA = {
"type": "object",
"link": "https://attack.mitre.org/tactics/TA0003/",
"properties": {
+ "T1156": {
+ "title": ".bash_profile and .bashrc",
+ "type": "bool",
+ "value": True,
+ "necessary": False,
+ "link": "https://attack.mitre.org/techniques/T1156",
+ "description": "Adversaries may abuse shell scripts by "
+ "inserting arbitrary shell commands to gain persistence, which "
+ "would be executed every time the user logs in or opens a new shell."
+ },
"T1136": {
"title": "Create account",
"type": "bool",
@@ -79,6 +89,16 @@ SCHEMA = {
"link": "https://attack.mitre.org/techniques/T1136",
"description": "Adversaries with a sufficient level of access "
"may create a local system, domain, or cloud tenant account."
+ },
+ "T1504": {
+ "title": "PowerShell profile",
+ "type": "bool",
+ "value": True,
+ "necessary": False,
+ "link": "https://attack.mitre.org/techniques/T1504",
+ "description": "Adversaries may gain persistence and elevate privileges "
+ "in certain situations by abusing PowerShell profiles which "
+ "are scripts that run when PowerShell starts."
}
}
},
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
new file mode 100644
index 000000000..a1719c909
--- /dev/null
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
@@ -0,0 +1,38 @@
+from monkey_island.cc.services.attack.technique_reports import AttackTechnique
+from monkey_island.cc.database import mongo
+from common.utils.attack_utils import ScanStatus
+from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
+
+
+__author__ = "shreyamalviya"
+
+
+class T1156(AttackTechnique):
+ tech_id = "T1156"
+ unscanned_msg = "Monkey did not try modifying bash startup files on the system."
+ scanned_msg = "Monkey tried modifying bash startup files on the system but failed."
+ used_msg = "Monkey modified bash startup files on the system."
+
+ query = [{'$match': {'telem_category': 'post_breach',
+ 'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
+ 'data.command': {'$regex': 'bash'}}},
+ {'$project': {'_id': 0,
+ 'machine': {'hostname': '$data.hostname',
+ 'ips': ['$data.ip']},
+ 'result': '$data.result'}}]
+
+ @staticmethod
+ def get_report_data():
+ data = {'title': T1156.technique_title(), 'info': []}
+
+ bash_modification_info = list(mongo.db.telemetry.aggregate(T1156.query))
+
+ status = []
+ for pba_node in bash_modification_info:
+ status.append(pba_node['result'][1])
+ status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
+ if status else ScanStatus.UNSCANNED.value
+
+ data.update(T1156.get_base_data_by_status(status))
+ data.update({'info': bash_modification_info})
+ return data
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
new file mode 100644
index 000000000..396067f17
--- /dev/null
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
@@ -0,0 +1,38 @@
+from monkey_island.cc.services.attack.technique_reports import AttackTechnique
+from monkey_island.cc.database import mongo
+from common.utils.attack_utils import ScanStatus
+from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
+
+
+__author__ = "shreyamalviya"
+
+
+class T1504(AttackTechnique):
+ tech_id = "T1504"
+ unscanned_msg = "Monkey did not try modifying powershell startup files on the system."
+ scanned_msg = "Monkey tried modifying powershell startup files on the system but failed."
+ used_msg = "Monkey modified powershell startup files on the system."
+
+ query = [{'$match': {'telem_category': 'post_breach',
+ 'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
+ 'data.command': {'$regex': 'powershell'}}},
+ {'$project': {'_id': 0,
+ 'machine': {'hostname': '$data.hostname',
+ 'ips': ['$data.ip']},
+ 'result': '$data.result'}}]
+
+ @staticmethod
+ def get_report_data():
+ data = {'title': T1504.technique_title(), 'info': []}
+
+ powershell_profile_modification_info = list(mongo.db.telemetry.aggregate(T1504.query))
+
+ status = []
+ for pba_node in powershell_profile_modification_info:
+ status.append(pba_node['result'][1])
+ status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
+ if status else ScanStatus.UNSCANNED.value
+
+ data.update(T1504.get_base_data_by_status(status))
+ data.update({'info': powershell_profile_modification_info})
+ return data
diff --git a/monkey/monkey_island/cc/services/config_schema.py b/monkey/monkey_island/cc/services/config_schema.py
index b6668af38..e37f3a75f 100644
--- a/monkey/monkey_island/cc/services/config_schema.py
+++ b/monkey/monkey_island/cc/services/config_schema.py
@@ -160,6 +160,14 @@ SCHEMA = {
"title": "Communicate as new user",
"attack_techniques": ["T1136"]
},
+ {
+ "type": "string",
+ "enum": [
+ "ModifyShellStartupFiles"
+ ],
+ "title": "Modify shell startup files",
+ "attack_techniques": ["T1156", "T1504"]
+ }
],
},
"finger_classes": {
@@ -379,7 +387,8 @@ SCHEMA = {
},
"default": [
"BackdoorUser",
- "CommunicateAsNewUser"
+ "CommunicateAsNewUser",
+ "ModifyShellStartupFiles"
],
"description": "List of actions the Monkey will run post breach"
},
diff --git a/monkey/monkey_island/cc/ui/.eslintrc b/monkey/monkey_island/cc/ui/.eslintrc
index c784bd178..ff1695a1c 100644
--- a/monkey/monkey_island/cc/ui/.eslintrc
+++ b/monkey/monkey_island/cc/ui/.eslintrc
@@ -53,7 +53,7 @@
"react/jsx-uses-react": 1,
"react/jsx-uses-vars": 1,
"react/jsx-key": 1,
- "react/prop-types": 1,
+ "react/prop-types": 0,
"react/no-unescaped-entities": 1,
"react/no-unknown-property": [1, { "ignore": ["class"] }],
"react/no-string-refs": 1,
diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1156.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1156.js
new file mode 100644
index 000000000..ce136284c
--- /dev/null
+++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1156.js
@@ -0,0 +1,45 @@
+import React from 'react';
+import ReactTable from 'react-table';
+import {renderMachineFromSystemData, ScanStatus} from './Helpers';
+import MitigationsComponent from './MitigationsComponent';
+
+class T1156 extends React.Component {
+
+ constructor(props) {
+ super(props);
+ }
+
+ static getColumns() {
+ return ([{
+ columns: [
+ { Header: 'Machine',
+ id: 'machine',
+ accessor: x => renderMachineFromSystemData(x.machine),
+ style: {'whiteSpace': 'unset'}},
+ { Header: 'Result',
+ id: 'result',
+ accessor: x => x.result,
+ style: {'whiteSpace': 'unset'}}
+ ]
+ }])
+ }
+
+ render() {
+ return (
+
+
{this.props.data.message}
+
+ {this.props.data.status === ScanStatus.USED ?
+
: ''}
+
+
+
{this.props.data.message}
+
+ {this.props.data.status === ScanStatus.USED ?
+
: ''}
+
+