Merge pull request #1902 from guardicore/1860-fake-users-mimikatz
Fix addition of fake users to the config caused by Mimikatz
commit
526448cec9
|
@ -78,6 +78,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
- A bug where T1216_random_executable.exe was copied to disk even if the signed
|
- A bug where T1216_random_executable.exe was copied to disk even if the signed
|
||||||
script proxy execution PBA was disabled. #1864
|
script proxy execution PBA was disabled. #1864
|
||||||
- Unnecessary collection of kerberos credentials. #1771
|
- Unnecessary collection of kerberos credentials. #1771
|
||||||
|
- A bug where bogus users were collected by Mimikatz and added to the config. #1860
|
||||||
|
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
import logging
|
import logging
|
||||||
from typing import Sequence
|
from typing import Sequence
|
||||||
|
|
||||||
|
from model import USERNAME_PREFIX
|
||||||
|
|
||||||
from infection_monkey.credential_collectors import LMHash, NTHash, Password, Username
|
from infection_monkey.credential_collectors import LMHash, NTHash, Password, Username
|
||||||
from infection_monkey.i_puppet.credential_collection import Credentials, ICredentialCollector
|
from infection_monkey.i_puppet.credential_collection import Credentials, ICredentialCollector
|
||||||
|
|
||||||
|
@ -23,7 +25,11 @@ class MimikatzCredentialCollector(ICredentialCollector):
|
||||||
for win_cred in win_creds:
|
for win_cred in win_creds:
|
||||||
identities = []
|
identities = []
|
||||||
secrets = []
|
secrets = []
|
||||||
if win_cred.username:
|
|
||||||
|
# Mimikatz picks up users created by the Monkey even if they're successfully deleted
|
||||||
|
# since it picks up creds from the registry. The newly created users are not removed
|
||||||
|
# from the registry until a reboot of the system, hence this check.
|
||||||
|
if win_cred.username and not win_cred.username.startswith(USERNAME_PREFIX):
|
||||||
identity = Username(win_cred.username)
|
identity = Username(win_cred.username)
|
||||||
identities.append(identity)
|
identities.append(identity)
|
||||||
|
|
||||||
|
|
|
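Review bot: The new prefix check at `if win_cred.username and not win_cred.username.startswith(USERNAME_PREFIX):` only withholds the `Username` identity; the password and LM/NT hash fields of the same `win_cred` appear to be collected into `secrets` further down the loop (outside the hunk), so the bogus account's secrets could still be reported as a `Credentials` entry with an empty identity list unless such entries are discarded later. Skipping the record as a whole is more direct: `if win_cred.username and win_cred.username.startswith(USERNAME_PREFIX):` followed by `continue`, placed before `identities = []` with the explanatory comment kept. Windows account names are case-insensitive, so comparing with `win_cred.username.lower().startswith(USERNAME_PREFIX.lower())` would be more robust if Mimikatz can report a different casing than the one the PBA created. The body of the enclosing loop continues past the end of the hunk.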
@ -5,6 +5,9 @@ MONKEY_ARG = "m0nk3y"
|
||||||
DROPPER_ARG = "dr0pp3r"
|
DROPPER_ARG = "dr0pp3r"
|
||||||
ID_STRING = "M0NK3Y3XPL0ITABLE"
|
ID_STRING = "M0NK3Y3XPL0ITABLE"
|
||||||
|
|
||||||
|
# Username prefix for users created by Infection Monkey
|
||||||
|
USERNAME_PREFIX = "somenewuser"
|
||||||
|
|
||||||
# CMD prefix for windows commands
|
# CMD prefix for windows commands
|
||||||
CMD_EXE = "cmd.exe"
|
CMD_EXE = "cmd.exe"
|
||||||
CMD_CARRY_OUT = "/c"
|
CMD_CARRY_OUT = "/c"
|
||||||
|
|
|
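Review bot: The comment on `USERNAME_PREFIX` only says who creates the users; now that the constant is also used by the credential collector to discard accounts, the comment should state the second use so the value is not changed independently: `# Username prefix for users created by Infection Monkey; credential collectors also use it to filter these accounts out`. A prefix-based match will also drop any real account whose name happens to begin with this string, so a more distinctive prefix would reduce that chance.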
@ -5,6 +5,8 @@ import string
|
||||||
import subprocess
|
import subprocess
|
||||||
from typing import Dict
|
from typing import Dict
|
||||||
|
|
||||||
|
from model import USERNAME_PREFIX
|
||||||
|
|
||||||
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
|
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
|
||||||
from infection_monkey.i_puppet.i_puppet import PostBreachData
|
from infection_monkey.i_puppet.i_puppet import PostBreachData
|
||||||
from infection_monkey.post_breach.pba import PBA
|
from infection_monkey.post_breach.pba import PBA
|
||||||
|
@ -23,8 +25,6 @@ CREATED_PROCESS_AS_USER_FAILED_FORMAT = (
|
||||||
"Created process '{}' as user '{}', but the process failed (exit status {}:{})."
|
"Created process '{}' as user '{}', but the process failed (exit status {}:{})."
|
||||||
)
|
)
|
||||||
|
|
||||||
USERNAME_PREFIX = "somenewuser"
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
|
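Review bot: The moved import `from model import USERNAME_PREFIX` sits in a group of its own between the stdlib imports and the `common`/`infection_monkey` imports, both here and in the collector hunk `@ -1,6 +1,8 @@`; placing it with the other first-party imports keeps the stdlib/third-party/local grouping convention. The removal of the module-level `USERNAME_PREFIX = "somenewuser"` in the second hunk is consistent with the new import; since the constant now drives filtering in the credential collector, it is worth confirming that no other string literal in this file still repeats the prefix, so the account name the PBA creates and the name the collector filters cannot drift apart.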