Merge pull request #369 from VakarisZ/attack_execution_api

T1106 Execution through API
This commit is contained in:
Itay Mizeretz 2019-08-04 10:17:51 +03:00 committed by GitHub
commit 3d97324137
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 89 additions and 12 deletions

View File

@ -15,6 +15,9 @@ class UsageEnum(Enum):
ScanStatus.SCANNED.value: "SMB exploiter failed to run the monkey by creating a service via MS-SCMR."} ScanStatus.SCANNED.value: "SMB exploiter failed to run the monkey by creating a service via MS-SCMR."}
MIMIKATZ = {ScanStatus.USED.value: "Windows module loader was used to load Mimikatz DLL.", MIMIKATZ = {ScanStatus.USED.value: "Windows module loader was used to load Mimikatz DLL.",
ScanStatus.SCANNED.value: "Monkey tried to load Mimikatz DLL, but failed."} ScanStatus.SCANNED.value: "Monkey tried to load Mimikatz DLL, but failed."}
MIMIKATZ_WINAPI = {ScanStatus.USED.value: "WinAPI was called to load mimikatz.",
ScanStatus.SCANNED.value: "Monkey tried to call WinAPI to load mimikatz."}
DROPPER = {ScanStatus.USED.value: "WinAPI was used to mark monkey files for deletion on next boot."}
# Dict that describes what BITS job was used for # Dict that describes what BITS job was used for

View File

@ -125,6 +125,7 @@ class ControlClient(object):
@staticmethod @staticmethod
def send_telemetry(telem_category, data): def send_telemetry(telem_category, data):
if not WormConfiguration.current_server: if not WormConfiguration.current_server:
LOG.error("Trying to send %s telemetry before current server is established, aborting." % telem_category)
return return
try: try:
telemetry = {'monkey_guid': GUID, 'telem_category': telem_category, 'data': data} telemetry = {'monkey_guid': GUID, 'telem_category': telem_category, 'data': data}

View File

@ -14,6 +14,8 @@ from infection_monkey.config import WormConfiguration
from infection_monkey.exploit.tools import build_monkey_commandline_explicitly from infection_monkey.exploit.tools import build_monkey_commandline_explicitly
from infection_monkey.model import MONKEY_CMDLINE_WINDOWS, MONKEY_CMDLINE_LINUX, GENERAL_CMDLINE_LINUX from infection_monkey.model import MONKEY_CMDLINE_WINDOWS, MONKEY_CMDLINE_LINUX, GENERAL_CMDLINE_LINUX
from infection_monkey.system_info import SystemInfoCollector, OperatingSystem from infection_monkey.system_info import SystemInfoCollector, OperatingSystem
from infection_monkey.telemetry.attack.t1106_telem import T1106Telem
from common.utils.attack_utils import ScanStatus, UsageEnum
if "win32" == sys.platform: if "win32" == sys.platform:
from win32process import DETACHED_PROCESS from win32process import DETACHED_PROCESS
@ -156,5 +158,6 @@ class MonkeyDrops(object):
else: else:
LOG.debug("Dropper source file '%s' is marked for deletion on next boot", LOG.debug("Dropper source file '%s' is marked for deletion on next boot",
self._config['source_path']) self._config['source_path'])
T1106Telem(ScanStatus.USED, UsageEnum.DROPPER.name).send()
except AttributeError: except AttributeError:
LOG.error("Invalid configuration options. Failing") LOG.error("Invalid configuration options. Failing")

View File

@ -7,6 +7,7 @@ import zipfile
import infection_monkey.config import infection_monkey.config
from common.utils.attack_utils import ScanStatus, UsageEnum from common.utils.attack_utils import ScanStatus, UsageEnum
from infection_monkey.telemetry.attack.t1129_telem import T1129Telem from infection_monkey.telemetry.attack.t1129_telem import T1129Telem
from infection_monkey.telemetry.attack.t1106_telem import T1106Telem
from infection_monkey.pyinstaller_utils import get_binary_file_path, get_binaries_dir_path from infection_monkey.pyinstaller_utils import get_binary_file_path, get_binaries_dir_path
__author__ = 'itay.mizeretz' __author__ = 'itay.mizeretz'
@ -54,8 +55,10 @@ class MimikatzCollector(object):
except Exception: except Exception:
LOG.exception("Error initializing mimikatz collector") LOG.exception("Error initializing mimikatz collector")
status = ScanStatus.SCANNED status = ScanStatus.SCANNED
T1106Telem(status, UsageEnum.MIMIKATZ_WINAPI.name).send()
T1129Telem(status, UsageEnum.MIMIKATZ).send() T1129Telem(status, UsageEnum.MIMIKATZ).send()
def get_logon_info(self): def get_logon_info(self):
""" """
Gets the logon info from mimikatz. Gets the logon info from mimikatz.

View File

@ -46,17 +46,14 @@ class WindowsSystemSingleton(_SystemSingleton):
if not handle: if not handle:
LOG.error("Cannot acquire system singleton %r, unknown error %d", LOG.error("Cannot acquire system singleton %r, unknown error %d",
self._mutex_name, last_error) self._mutex_name, last_error)
return False return False
if winerror.ERROR_ALREADY_EXISTS == last_error: if winerror.ERROR_ALREADY_EXISTS == last_error:
LOG.debug("Cannot acquire system singleton %r, mutex already exist", LOG.debug("Cannot acquire system singleton %r, mutex already exist",
self._mutex_name) self._mutex_name)
return False return False
self._mutex_handle = handle self._mutex_handle = handle
LOG.debug("Global singleton mutex %r acquired", LOG.debug("Global singleton mutex %r acquired",
self._mutex_name) self._mutex_name)

View File

@ -0,0 +1,11 @@
from infection_monkey.telemetry.attack.usage_telem import UsageTelem
class T1106Telem(UsageTelem):
def __init__(self, status, usage):
"""
T1106 telemetry.
:param status: ScanStatus of technique
:param usage: Enum name of UsageEnum
"""
super(T1106Telem, self).__init__("T1106", status, usage)

View File

@ -1,7 +1,7 @@
import logging import logging
from monkey_island.cc.models import Monkey from monkey_island.cc.models import Monkey
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082 from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
from monkey_island.cc.services.attack.technique_reports import T1145, T1107, T1065, T1035, T1129 from monkey_island.cc.services.attack.technique_reports import T1145, T1035, T1129, T1106, T1107, T1065
from monkey_island.cc.services.attack.attack_config import AttackConfig from monkey_island.cc.services.attack.attack_config import AttackConfig
from monkey_island.cc.database import mongo from monkey_island.cc.database import mongo
@ -21,6 +21,7 @@ TECHNIQUES = {'T1210': T1210.T1210,
'T1145': T1145.T1145, 'T1145': T1145.T1145,
'T1035': T1035.T1035, 'T1035': T1035.T1035,
'T1129': T1129.T1129, 'T1129': T1129.T1129,
'T1106': T1106.T1106,
'T1107': T1107.T1107, 'T1107': T1107.T1107,
'T1065': T1065.T1065} 'T1065': T1065.T1065}

View File

@ -125,6 +125,15 @@ SCHEMA = {
"local paths and arbitrary Universal Naming Convention (UNC) network paths.", "local paths and arbitrary Universal Naming Convention (UNC) network paths.",
"depends_on": ["T1078", "T1003"] "depends_on": ["T1078", "T1003"]
}, },
"T1106": {
"title": "T1106 Execution through API",
"type": "bool",
"value": True,
"necessary": False,
"description": "Adversary tools may directly use the Windows application "
"programming interface (API) to execute binaries.",
"depends_on": ["T1210"]
},
"T1059": { "T1059": {
"title": "T1059 Command line interface", "title": "T1059 Command line interface",
"type": "bool", "type": "bool",

View File

@ -13,7 +13,5 @@ class T1035(UsageTechnique):
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
data = T1035.get_tech_base_data() data = T1035.get_tech_base_data()
services = list(mongo.db.telemetry.aggregate(T1035.get_usage_query())) data.update({'services': T1035.get_usage_data()})
services = list(map(T1035.parse_usages, services))
data.update({'services': services})
return data return data

View File

@ -0,0 +1,16 @@
from monkey_island.cc.services.attack.technique_reports import UsageTechnique
__author__ = "VakarisZ"
class T1106(UsageTechnique):
tech_id = "T1106"
unscanned_msg = "Monkey didn't try to directly use WinAPI."
scanned_msg = "Monkey tried to use WinAPI, but failed."
used_msg = "Monkey successfully used WinAPI."
@staticmethod
def get_report_data():
data = T1106.get_tech_base_data()
data.update({'api_uses': T1106.get_usage_data()})
return data

View File

@ -13,7 +13,5 @@ class T1129(UsageTechnique):
@staticmethod @staticmethod
def get_report_data(): def get_report_data():
data = T1129.get_tech_base_data() data = T1129.get_tech_base_data()
dlls = list(mongo.db.telemetry.aggregate(T1129.get_usage_query())) data.update({'dlls': T1129.get_usage_data()})
dlls = list(map(T1129.parse_usages, dlls))
data.update({'dlls': dlls})
return data return data

View File

@ -134,6 +134,11 @@ class UsageTechnique(AttackTechnique):
"Check if usage enum field exists and covers all telem. statuses.") "Check if usage enum field exists and covers all telem. statuses.")
return usage return usage
@classmethod
def get_usage_data(cls):
data = list(mongo.db.telemetry.aggregate(cls.get_usage_query()))
return list(map(cls.parse_usages, data))
@classmethod @classmethod
def get_usage_query(cls): def get_usage_query(cls):
""" """

View File

@ -22,7 +22,7 @@ SCHEMA = {
"WmiExploiter" "WmiExploiter"
], ],
"title": "WMI Exploiter", "title": "WMI Exploiter",
"attack_techniques": ["T1110"] "attack_techniques": ["T1110", "T1106"]
}, },
{ {
"type": "string", "type": "string",
@ -54,7 +54,7 @@ SCHEMA = {
"SSHExploiter" "SSHExploiter"
], ],
"title": "SSH Exploiter", "title": "SSH Exploiter",
"attack_techniques": ["T1110", "T1145"] "attack_techniques": ["T1110", "T1145", "T1106"]
}, },
{ {
"type": "string", "type": "string",

View File

@ -0,0 +1,30 @@
import React from 'react';
import '../../../styles/Collapse.scss'
import ReactTable from "react-table";
import { getUsageColumns } from "./Helpers"
class T1106 extends React.Component {
constructor(props) {
super(props);
}
render() {
return (
<div>
<div>{this.props.data.message}</div>
<br/>
{this.props.data.api_uses.length !== 0 ?
<ReactTable
columns={getUsageColumns()}
data={this.props.data.api_uses}
showPagination={false}
defaultPageSize={this.props.data.api_uses.length}
/> : ""}
</div>
);
}
}
export default T1106;

View File

@ -19,6 +19,7 @@ import T1107 from "../attack/techniques/T1107";
import T1065 from "../attack/techniques/T1065"; import T1065 from "../attack/techniques/T1065";
import T1035 from "../attack/techniques/T1035"; import T1035 from "../attack/techniques/T1035";
import T1129 from "../attack/techniques/T1129"; import T1129 from "../attack/techniques/T1129";
import T1106 from "../attack/techniques/T1106";
const tech_components = { const tech_components = {
'T1210': T1210, 'T1210': T1210,
@ -32,6 +33,7 @@ const tech_components = {
'T1145': T1145, 'T1145': T1145,
'T1035': T1035, 'T1035': T1035,
'T1129': T1129, 'T1129': T1129,
'T1106': T1106,
'T1107': T1107, 'T1107': T1107,
'T1065': T1065 'T1065': T1065
}; };