Merge pull request #1902 from guardicore/1860-fake-users-mimikatz
Fix fake users being added to the config because of Mimikatz
commit
526448cec9
|
@ -78,6 +78,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
- A bug where T1216_random_executable.exe was copied to disk even if the signed
|
||||
script proxy execution PBA was disabled. #1864
|
||||
- Unnecessary collection of kerberos credentials. #1771
|
||||
- A bug where bogus users were collected by Mimikatz and added to the config. #1860
|
||||
|
||||
|
||||
### Security
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
import logging
|
||||
from typing import Sequence
|
||||
|
||||
from model import USERNAME_PREFIX
|
||||
|
||||
from infection_monkey.credential_collectors import LMHash, NTHash, Password, Username
|
||||
from infection_monkey.i_puppet.credential_collection import Credentials, ICredentialCollector
|
||||
|
||||
|
@ -23,7 +25,11 @@ class MimikatzCredentialCollector(ICredentialCollector):
|
|||
for win_cred in win_creds:
|
||||
identities = []
|
||||
secrets = []
|
||||
if win_cred.username:
|
||||
|
||||
# Mimikatz picks up users created by the Monkey even if they're successfully deleted
|
||||
# since it picks up creds from the registry. The newly created users are not removed
|
||||
# from the registry until a reboot of the system, hence this check.
|
||||
if win_cred.username and not win_cred.username.startswith(USERNAME_PREFIX):
|
||||
identity = Username(win_cred.username)
|
||||
identities.append(identity)
|
||||
|
||||
|
|
|
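Review bot: The new check at `if win_cred.username and not win_cred.username.startswith(USERNAME_PREFIX):` only suppresses the Username identity; if the lines after the hunk still append the LM/NT hash or password of the same `win_cred` to `secrets`, the Monkey-created account's secrets would still reach the config, just without an identity attached. If that is the case, skipping the whole entry is the safer shape: put `if win_cred.username and win_cred.username.startswith(USERNAME_PREFIX):` followed by `continue` at the top of the loop body, before `identities` and `secrets` are built. Windows account names are case-insensitive, so if the casing Mimikatz reports can differ from what the Monkey created, compare case-insensitively (`win_cred.username.lower().startswith(USERNAME_PREFIX.lower())`). The enclosing method starts and ends outside the hunk.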
@ -5,6 +5,9 @@ MONKEY_ARG = "m0nk3y"
|
|||
DROPPER_ARG = "dr0pp3r"
|
||||
ID_STRING = "M0NK3Y3XPL0ITABLE"
|
||||
|
||||
# Username prefix for users created by Infection Monkey
|
||||
USERNAME_PREFIX = "somenewuser"
|
||||
|
||||
# CMD prefix for windows commands
|
||||
CMD_EXE = "cmd.exe"
|
||||
CMD_CARRY_OUT = "/c"
|
||||
|
|
|
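Review bot: The comment above `USERNAME_PREFIX = "somenewuser"` could record that the value is now load-bearing beyond user creation: the Mimikatz credential collector in this commit drops accounts whose name starts with this prefix, so changing the value changes that filtering. Suggested: `# Username prefix for users created by Infection Monkey. Credential collectors also use it to filter out Monkey-created accounts, so keep both sides in sync.`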
@ -5,6 +5,8 @@ import string
|
|||
import subprocess
|
||||
from typing import Dict
|
||||
|
||||
from model import USERNAME_PREFIX
|
||||
|
||||
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
|
||||
from infection_monkey.i_puppet.i_puppet import PostBreachData
|
||||
from infection_monkey.post_breach.pba import PBA
|
||||
|
@ -23,8 +25,6 @@ CREATED_PROCESS_AS_USER_FAILED_FORMAT = (
|
|||
"Created process '{}' as user '{}', but the process failed (exit status {}:{})."
|
||||
)
|
||||
|
||||
USERNAME_PREFIX = "somenewuser"
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
|
|
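Review bot: The added `from model import USERNAME_PREFIX` sits in a group of its own between the standard-library imports and the other first-party imports (`common`, `infection_monkey`), although `model` is first-party as well; moving it into that second group keeps the stdlib / first-party grouping the file otherwise follows. The same placement appears in the import hunk of the Mimikatz collector module in this commit.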