Changes after manual testing
This commit is contained in:
parent
c05a48d34d
commit
9c0fc7e435
|
@ -566,8 +566,6 @@ class DumpSecrets:
|
|||
if self.__NTDS_hashes:
|
||||
self.__NTDS_hashes.finish()
|
||||
|
||||
# how to execute monkey on exploited machine
|
||||
# clean up logging
|
||||
# mention in report explicitly - machine exploited/not (return True, if yes) & password restored/not
|
||||
# mention patching details in report
|
||||
# add exploit info to documentation
|
||||
|
@ -604,7 +602,7 @@ class Wmiexec:
|
|||
oxidResolver=True)
|
||||
|
||||
try:
|
||||
iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)
|
||||
iInterface = self.dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)
|
||||
iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
|
||||
self.iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
|
||||
iWbemLevel1Login.RemRelease()
|
||||
|
|
|
@ -12,9 +12,14 @@ class T1003(AttackTechnique):
|
|||
scanned_msg = ""
|
||||
used_msg = "Monkey successfully obtained some credentials from systems on the network."
|
||||
|
||||
query = {'telem_category': 'system_info', '$and': [{'data.credentials': {'$exists': True}},
|
||||
# $gt: {} checks if field is not an empty object
|
||||
{'data.credentials': {'$gt': {}}}]}
|
||||
query = {'$or': [
|
||||
{'telem_category': 'system_info',
|
||||
'$and': [{'data.credentials': {'$exists': True}},
|
||||
{'data.credentials': {'$gt': {}}}]}, # $gt: {} checks if field is not an empty object
|
||||
{'telem_category': 'exploit',
|
||||
'$and': [{'data.info.credentials': {'$exists': True}},
|
||||
{'data.info.credentials': {'$gt': {}}}]}
|
||||
]}
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
|
|
|
@ -188,7 +188,9 @@ class ReportService:
|
|||
{'data.credentials': 1, 'monkey_guid': 1}
|
||||
):
|
||||
monkey_creds = telem['data']['credentials']
|
||||
creds.append(ReportService._format_creds_for_reporting(telem, monkey_creds))
|
||||
formatted_creds = ReportService._format_creds_for_reporting(telem, monkey_creds)
|
||||
if formatted_creds:
|
||||
creds.extend(formatted_creds)
|
||||
|
||||
# stolen creds from exploiters
|
||||
for telem in mongo.db.telemetry.find(
|
||||
|
@ -196,7 +198,9 @@ class ReportService:
|
|||
{'data.info.credentials': 1, 'monkey_guid': 1}
|
||||
):
|
||||
monkey_creds = telem['data']['info']['credentials']
|
||||
creds.append(ReportService._format_creds_for_reporting(telem, monkey_creds))
|
||||
formatted_creds = ReportService._format_creds_for_reporting(telem, monkey_creds)
|
||||
if formatted_creds:
|
||||
creds.extend(formatted_creds)
|
||||
|
||||
logger.info('Stolen creds generated for reporting')
|
||||
return creds
|
||||
|
@ -206,7 +210,7 @@ class ReportService:
|
|||
creds = []
|
||||
PASS_TYPE_DICT = {'password': 'Clear Password', 'lm_hash': 'LM hash', 'ntlm_hash': 'NTLM hash'}
|
||||
if len(monkey_creds) == 0:
|
||||
continue
|
||||
return
|
||||
origin = NodeService.get_monkey_by_guid(telem['monkey_guid'])['hostname']
|
||||
for user in monkey_creds:
|
||||
for pass_type in PASS_TYPE_DICT:
|
||||
|
|
|
@ -31,7 +31,6 @@ def process_exploit_telemetry(telemetry_json):
|
|||
def add_exploit_extracted_creds_to_config(telemetry_json):
|
||||
if 'credentials' in telemetry_json['data']['info']:
|
||||
creds = telemetry_json['data']['info']['credentials']
|
||||
add_system_info_creds_to_config(creds)
|
||||
|
||||
for user in creds:
|
||||
ConfigService.creds_add_username(creds[user]['username'])
|
||||
|
|