From 2bcdb725551fab4b16a4c33329e81d088b8feb27 Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Wed, 20 Apr 2022 17:41:57 +0530
Subject: [PATCH 1/4] Agent: Extract const USERNAME_PREFIX to a common file

---
 monkey/infection_monkey/consts.py | 1 +
 .../post_breach/actions/communicate_as_backdoor_user.py | 3 +--
 2 files changed, 2 insertions(+), 2 deletions(-)
 create mode 100644 monkey/infection_monkey/consts.py

diff --git a/monkey/infection_monkey/consts.py b/monkey/infection_monkey/consts.py
new file mode 100644
index 000000000..520f82929
--- /dev/null
+++ b/monkey/infection_monkey/consts.py
@@ -0,0 +1 @@
+USERNAME_PREFIX = "somenewuser"
diff --git a/monkey/infection_monkey/post_breach/actions/communicate_as_backdoor_user.py b/monkey/infection_monkey/post_breach/actions/communicate_as_backdoor_user.py
index 01843b242..15d41bc9d 100644
--- a/monkey/infection_monkey/post_breach/actions/communicate_as_backdoor_user.py
+++ b/monkey/infection_monkey/post_breach/actions/communicate_as_backdoor_user.py
@@ -6,6 +6,7 @@ import subprocess
 from typing import Dict
 
 from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
+from infection_monkey.consts import USERNAME_PREFIX
 from infection_monkey.i_puppet.i_puppet import PostBreachData
 from infection_monkey.post_breach.pba import PBA
 from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
@@ -23,8 +24,6 @@ CREATED_PROCESS_AS_USER_FAILED_FORMAT = (
     "Created process '{}' as user '{}', but the process failed (exit status {}:{})."
 )
 
-USERNAME_PREFIX = "somenewuser"
-
 logger = logging.getLogger(__name__)
 
 

From 3561573a6b07bd1b292fd5f248167f0f228a7db1 Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Wed, 20 Apr 2022 18:18:23 +0530
Subject: [PATCH 2/4] Agent: Check username of Mimikatz gathered creds before adding to the config since we don't want to add users created by the Monkey

---
 .../mimikatz_collector/mimikatz_credential_collector.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py b/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py
index 1b772580d..7ce9b7581 100644
--- a/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py
+++ b/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py
@@ -1,6 +1,7 @@
 import logging
 from typing import Sequence
 
+from infection_monkey.consts import USERNAME_PREFIX
 from infection_monkey.credential_collectors import LMHash, NTHash, Password, Username
 from infection_monkey.i_puppet.credential_collection import Credentials, ICredentialCollector
 
@@ -23,7 +24,11 @@ class MimikatzCredentialCollector(ICredentialCollector):
         for win_cred in win_creds:
             identities = []
             secrets = []
-            if win_cred.username:
+
+            # Mimikatz picks up users created by the Monkey even if they're successfully deleted
+            # since it picks up creds from the registry. The newly created users are not removed
+            # from the registry until a reboot of the system, hence this check.
+            if win_cred.username and not win_cred.username.startswith(USERNAME_PREFIX):
                 identity = Username(win_cred.username)
                 identities.append(identity)
 

From 9f78e0d5678c94569d83273783309764cd9f967a Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Wed, 20 Apr 2022 18:44:14 +0530
Subject: [PATCH 3/4] Changelog: Add entry for bugfix for fake users' addition to the config because of Mimikatz

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 88a0467b6..3d40d5bfe 100644
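Review bot: The prefix check on the new `if` line only withholds the username; `identities` and `secrets` are still built for that record, so if the secret-handling code that follows the hunk appends the password or hashes unconditionally, a `Credentials` entry carrying the Monkey-created account's secret (just with an empty identity) would still be emitted. Skipping the whole record is clearer and safer: `if win_cred.username and win_cred.username.startswith(USERNAME_PREFIX): continue` placed before the `identities`/`secrets` initialisation, with the existing `if win_cred.username:` left as it was. Windows account names are case-insensitive, so the match should not depend on case either, e.g. `win_cred.username.lower().startswith(USERNAME_PREFIX.lower())`, in case the registry/SAM reports a different casing than the one used at creation. The enclosing loop body continues outside the hunk, so the secret handling is inferred rather than visible here.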
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -78,6 +78,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 - A bug where T1216_random_executable.exe was copied to disk even if the signed script proxy execution PBA was disabled. #1864
 - Unnecessary collection of kerberos credentials. #1771
+- A bug where bogus users were collected by Mimikatz and added to the config. #1860
 
 ### Security
 

From a335f30c688eefbcba7a43697f585d8319c054c1 Mon Sep 17 00:00:00 2001
From: vakarisz
Date: Wed, 20 Apr 2022 17:10:59 +0300
Subject: [PATCH 4/4] Agent: Move username const to model

This const is used by PBA and mimikatz collectors as describes the username prefix for users created by IM
---
 monkey/infection_monkey/consts.py | 1 -
 .../mimikatz_collector/mimikatz_credential_collector.py | 3 ++-
 monkey/infection_monkey/model/__init__.py | 3 +++
 .../post_breach/actions/communicate_as_backdoor_user.py | 3 ++-
 4 files changed, 7 insertions(+), 3 deletions(-)
 delete mode 100644 monkey/infection_monkey/consts.py

diff --git a/monkey/infection_monkey/consts.py b/monkey/infection_monkey/consts.py
deleted file mode 100644
index 520f82929..000000000
--- a/monkey/infection_monkey/consts.py
+++ /dev/null
@@ -1 +0,0 @@
-USERNAME_PREFIX = "somenewuser"
diff --git a/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py b/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py
index 7ce9b7581..57161c47f 100644
--- a/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py
+++ b/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py
@@ -1,7 +1,8 @@
 import logging
 from typing import Sequence
 
-from infection_monkey.consts import USERNAME_PREFIX
+from model import USERNAME_PREFIX
+
 from infection_monkey.credential_collectors import LMHash, NTHash, Password, Username
 from infection_monkey.i_puppet.credential_collection import Credentials, ICredentialCollector
 
diff --git a/monkey/infection_monkey/model/__init__.py b/monkey/infection_monkey/model/__init__.py
index 19f96cdae..3d53b5d86 100644
--- a/monkey/infection_monkey/model/__init__.py
+++ b/monkey/infection_monkey/model/__init__.py
@@ -5,6 +5,9 @@ MONKEY_ARG = "m0nk3y"
 DROPPER_ARG = "dr0pp3r"
 ID_STRING = "M0NK3Y3XPL0ITABLE"
 
+# Username prefix for users created by Infection Monkey
+USERNAME_PREFIX = "somenewuser"
+
 # CMD prefix for windows commands
 CMD_EXE = "cmd.exe"
 CMD_CARRY_OUT = "/c"
diff --git a/monkey/infection_monkey/post_breach/actions/communicate_as_backdoor_user.py b/monkey/infection_monkey/post_breach/actions/communicate_as_backdoor_user.py
index 15d41bc9d..3e9c0d9ee 100644
--- a/monkey/infection_monkey/post_breach/actions/communicate_as_backdoor_user.py
+++ b/monkey/infection_monkey/post_breach/actions/communicate_as_backdoor_user.py
@@ -5,8 +5,9 @@ import string
 import subprocess
 from typing import Dict
 
+from model import USERNAME_PREFIX
+
 from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
-from infection_monkey.consts import USERNAME_PREFIX
 from infection_monkey.i_puppet.i_puppet import PostBreachData
 from infection_monkey.post_breach.pba import PBA
 from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
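Review bot: The comment added above `USERNAME_PREFIX` in `model/__init__.py` documents only half of the contract: the same constant is now matched by the Mimikatz credential collector to discard accounts the Monkey created, so anyone changing the prefix or reusing it for another purpose silently changes what gets filtered out of collected credentials. I would extend the comment to `# Prefix of usernames created by Infection Monkey (backdoor-user PBA). The Mimikatz collector drops any collected account whose name starts with it, so keep the two in sync and do not pick a prefix real accounts are likely to carry.` The comment should also note that the filter is a prefix match, since a legitimate account that happens to start with the string would be dropped as well.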
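Review bot: The new `from model import USERNAME_PREFIX` in `communicate_as_backdoor_user.py` is written as a bare top-level module while every neighbouring import in the hunk is package-qualified (`common.…`, `infection_monkey.…`), and the isolated placement with blank lines around it suggests the import sorter classified `model` as a third-party package rather than first-party. If `model` resolves only because `monkey/infection_monkey` is on `sys.path`, `from infection_monkey.model import USERNAME_PREFIX` would be the consistent form and would sort into the existing `infection_monkey.` group; the same applies to the identical import added to the Mimikatz collector hunk above. If the bare form is the project's convention for this package, a one-line comment saying so would stop the next reader from "fixing" it.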