Add T1216 (signed script proxy execution)

monkey/common/data/post_breach_consts.py

@@ -6,3 +6,4 @@ POST_BREACH_HIDDEN_FILES = "Hide files and directories"
 POST_BREACH_TRAP_COMMAND = "Execute command when a particular signal is received"
 POST_BREACH_SETUID_SETGID = "Setuid and Setgid"
 POST_BREACH_JOB_SCHEDULING = "Schedule jobs"
+POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC = "Signed script proxy execution"

monkey/infection_monkey/post_breach/actions/use_signed_scripts.py

@@ -0,0 +1,13 @@
+from common.data.post_breach_consts import POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC
+from infection_monkey.post_breach.pba import PBA
+from infection_monkey.post_breach.signed_script_proxy.signed_script_proxy import (
+    cleanup_changes, get_commands_to_proxy_execution_using_signed_script)
+
+
+class SignedScriptProxyExecution(PBA):
+    def __init__(self):
+        windows_cmds = get_commands_to_proxy_execution_using_signed_script()
+        super().__init__(POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC,
+                         windows_cmd=' '.join(windows_cmds))
+
+        cleanup_changes()

monkey/infection_monkey/post_breach/signed_script_proxy/signed_script_proxy.py

@@ -0,0 +1,16 @@
+import subprocess
+
+from infection_monkey.post_breach.signed_script_proxy.windows.signed_script_proxy import (
+    get_windows_commands_to_proxy_execution_using_signed_script,
+    get_windows_commands_to_reset_comspec)
+from infection_monkey.utils.environment import is_windows_os
+
+
+def get_commands_to_proxy_execution_using_signed_script():
+    windows_cmds = get_windows_commands_to_proxy_execution_using_signed_script()
+    return windows_cmds
+
+
+def cleanup_changes():
+    if is_windows_os():
+        subprocess.run(get_windows_commands_to_reset_comspec(), shell=True)  # noqa: DUO116

monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py

@@ -0,0 +1,16 @@
+import subprocess
+
+ORIGINAL_COMSPEC = r'C:\Windows\System32\cmd.exe'
+
+
+def get_windows_commands_to_proxy_execution_using_signed_script():
+    global ORIGINAL_COMSPEC
+    ORIGINAL_COMSPEC = subprocess.check_output('echo %COMSPEC%', shell=True).decode()  # noqa: DUO116
+    return [
+        r'set comspec=infection_monkey\post_breach\signed_script_proxy\windows\random_executable.exe &&',
+        r'cscript C:\Windows\System32\manage-bde.wsf'
+    ]
+
+
+def get_windows_commands_to_reset_comspec():
+    return f'set comspec={ORIGINAL_COMSPEC}'

monkey/monkey_island/cc/services/attack/attack_report.py

@@ -18,7 +18,8 @@ from monkey_island.cc.services.attack.technique_reports import (T1003, T1005,
                                                                 T1158, T1166,
                                                                 T1168, T1188,
                                                                 T1197, T1210,
-                                                                T1222, T1504)
+                                                                T1216, T1222,
+                                                                T1504)
 from monkey_island.cc.services.reporting.report_generation_synchronisation import \
     safe_generate_attack_report
 
@@ -57,7 +58,8 @@ TECHNIQUES = {'T1210': T1210.T1210,
               'T1154': T1154.T1154,
               'T1166': T1166.T1166,
               'T1168': T1168.T1168,
-              'T1053': T1053.T1053
+              'T1053': T1053.T1053,
+              'T1216': T1216.T1216
               }
 
 REPORT_NAME = 'new_report'

monkey/monkey_island/cc/services/attack/attack_schema.py

@@ -185,6 +185,15 @@ SCHEMA = {
                     "necessary": True,
                     "link": "https://attack.mitre.org/techniques/T1222",
                     "description": "Adversaries may modify file permissions/attributes to evade intended DACLs."
+                },
+                "T1216": {
+                    "title": "Signed script proxy execution",
+                    "type": "bool",
+                    "value": True,
+                    "necessary": False,
+                    "link": "https://attack.mitre.org/techniques/T1216",
+                    "description": "Adversaries may use scripts signed with trusted certificates to "
+                                   "proxy execution of malicious files on Windows systems."
                 }
             }
         },

monkey/monkey_island/cc/services/attack/technique_reports/T1216.py

@@ -0,0 +1,15 @@
+from common.data.post_breach_consts import POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC
+from monkey_island.cc.services.attack.technique_reports.pba_technique import \
+    PostBreachTechnique
+
+__author__ = "shreyamalviya"
+
+
+class T1216(PostBreachTechnique):
+    tech_id = "T1216"
+    unscanned_msg = "Monkey didn't attempt to execute an arbitrary file with the help of a " +\
+                    "pre-existing signed script since it didn't run on any Windows machines."
+    scanned_msg = "Monkey attempted to execute an arbitrary file with the help of a " +\
+                  "pre-existing signed script on Windows but failed."
+    used_msg = "Monkey executed an arbitrary file with the help of a pre-existing signed script on Windows."
+    pba_names = [POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC]

monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py

@@ -70,6 +70,16 @@ POST_BREACH_ACTIONS = {
             "title": "Job scheduling",
             "info": "Attempts to create a scheduled job on the system and remove it.",
             "attack_techniques": ["T1168", "T1053"]
+        },
+        {
+            "type": "string",
+            "enum": [
+                "SignedScriptProxyExecution"
+            ],
+            "title": "Signed script proxy execution",
+            "info": "On Windows systems, attemps to execute an arbitrary file "
+                    "with the help of a pre-existing signed script.",
+            "attack_techniques": ["T1216"]
         }
     ]
 }

monkey/monkey_island/cc/services/config_schema/monkey.py

@@ -67,7 +67,8 @@ MONKEY = {
                         "HiddenFiles",
                         "TrapCommand",
                         "ChangeSetuidSetgid",
-                        "ScheduleJobs"
+                        "ScheduleJobs",
+                        "SignedScriptProxyExecution"
                     ]
                 },
             }

monkey/monkey_island/cc/ui/src/components/attack/techniques/T1216.js

@@ -0,0 +1,45 @@
+import React from 'react';
+import ReactTable from 'react-table';
+import {renderMachineFromSystemData, ScanStatus} from './Helpers';
+import MitigationsComponent from './MitigationsComponent';
+
+class T1216 extends React.Component {
+
+  constructor(props) {
+    super(props);
+  }
+
+  static getColumns() {
+      return ([{
+        columns: [
+            { Header: 'Machine',
+              id: 'machine',
+              accessor: x => renderMachineFromSystemData(x.machine),
+              style: {'whiteSpace': 'unset'}},
+            { Header: 'Result',
+              id: 'result',
+              accessor: x => x.result,
+              style: {'whiteSpace': 'unset'}}
+          ]
+      }])
+  }
+
+  render() {
+    return (
+      <div>
+        <div>{this.props.data.message}</div>
+        <br/>
+        {this.props.data.status === ScanStatus.USED ?
+          <ReactTable
+            columns={T1216.getColumns()}
+            data={this.props.data.info}
+            showPagination={false}
+            defaultPageSize={this.props.data.info.length}
+          /> : ''}
+          <MitigationsComponent mitigations={this.props.data.mitigations}/>
+      </div>
+    );
+  }
+}
+
+export default T1216;