Merge pull request #381 from VakarisZ/attack_file_perm_mod
T1222 File permissions modification
commit
d4c18eb07a
|
@ -6,11 +6,13 @@ from random import choice
|
|||
|
||||
import requests
|
||||
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from infection_monkey.exploit import HostExploiter
|
||||
from infection_monkey.exploit.tools.helpers import get_target_monkey, get_monkey_depth, build_monkey_commandline
|
||||
from infection_monkey.model import DROPPER_ARG
|
||||
from infection_monkey.exploit.shellshock_resources import CGI_FILES
|
||||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||
from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
|
||||
|
||||
__author__ = 'danielg'
|
||||
|
||||
|
@ -131,6 +133,7 @@ class ShellShockExploiter(HostExploiter):
|
|||
chmod = '/bin/chmod +x %s' % dropper_target_path_linux
|
||||
run_path = exploit + chmod
|
||||
self.attack_page(url, header, run_path)
|
||||
T1222Telem(ScanStatus.USED, chmod, self.host).send()
|
||||
|
||||
# run the monkey
|
||||
cmdline = "%s %s" % (dropper_target_path_linux, DROPPER_ARG)
|
||||
|
|
|
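Review bot: The new line `T1222Telem(ScanStatus.USED, chmod, self.host).send()` reports the technique as USED unconditionally, immediately after `self.attack_page(url, header, run_path)`, without consulting whether that request succeeded. The WebRCE hunk in this PR sends `ScanStatus.SCANNED` on failure, so this exploiter should follow the same convention if attack_page exposes a result; the enclosing method begins and ends outside the hunk, so whether its return value is examined elsewhere cannot be seen here. If there is no success signal available, a comment such as `# T1222 reported as USED on send; chmod success is not confirmed here` would make the limitation explicit to whoever reads the report.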
@ -14,6 +14,7 @@ from infection_monkey.network.tools import check_tcp_port
|
|||
from common.utils.exploit_enum import ExploitType
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from infection_monkey.telemetry.attack.t1105_telem import T1105Telem
|
||||
from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
|
||||
|
||||
__author__ = 'hoffer'
|
||||
|
||||
|
@ -166,6 +167,7 @@ class SSHExploiter(HostExploiter):
|
|||
callback=self.log_transfer)
|
||||
ftp.chmod(self._config.dropper_target_path_linux, 0o777)
|
||||
status = ScanStatus.USED
|
||||
T1222Telem(ScanStatus.USED, "chmod 0777 %s" % self._config.dropper_target_path_linux, self.host).send()
|
||||
ftp.close()
|
||||
except Exception as exc:
|
||||
LOG.debug("Error uploading file into victim %r: (%s)", self.host, exc)
|
||||
|
|
|
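Review bot: The mode is written twice in this hunk, once as `0o777` in `ftp.chmod(self._config.dropper_target_path_linux, 0o777)` and once as the hard-coded telemetry string `"chmod 0777 %s"`, so a later change to one silently makes the reported command inaccurate; derive both from one value, e.g. `mode = 0o777` / `ftp.chmod(self._config.dropper_target_path_linux, mode)` / `T1222Telem(ScanStatus.USED, "chmod %04o %s" % (mode, self._config.dropper_target_path_linux), self.host).send()`. The local `status = ScanStatus.USED` on the preceding line is also not reused by the new call, which repeats the literal. When chmod raises, control reaches `except Exception as exc` and no T1222 telemetry is sent at all, so a failed permission change is indistinguishable in the report from one never attempted; sending `ScanStatus.SCANNED` there would match the WebRCE hunk. The try block opens above the hunk.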
@ -6,12 +6,16 @@
|
|||
|
||||
import socket
|
||||
import time
|
||||
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from infection_monkey.exploit import HostExploiter
|
||||
from infection_monkey.exploit.tools.helpers import get_target_monkey, build_monkey_commandline, get_monkey_depth
|
||||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||
from infection_monkey.model import MONKEY_ARG, CHMOD_MONKEY, RUN_MONKEY, WGET_HTTP_UPLOAD, DOWNLOAD_TIMEOUT
|
||||
from logging import getLogger
|
||||
|
||||
from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
|
||||
|
||||
LOG = getLogger(__name__)
|
||||
|
||||
__author__ = 'D3fa1t'
|
||||
|
@ -125,6 +129,7 @@ class VSFTPDExploiter(HostExploiter):
|
|||
change_permission = str.encode(str(change_permission) + '\n')
|
||||
LOG.info("change_permission command is %s", change_permission)
|
||||
backdoor_socket.send(change_permission)
|
||||
T1222Telem(ScanStatus.USED, change_permission, self.host).send()
|
||||
|
||||
# Run monkey on the machine
|
||||
parameters = build_monkey_commandline(self.host, get_monkey_depth() - 1)
|
||||
|
|
|
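Review bot: `change_permission` is already bytes with a trailing newline when it reaches `T1222Telem(ScanStatus.USED, change_permission, self.host).send()`, because the first line of the hunk does `str.encode(str(change_permission) + '\n')`, so the telemetry carries a bytes object rather than the command text; depending on how the telemetry layer serializes its data this either fails or records a `b'...'` repr in the report. Keep the text form for the report, e.g. `T1222Telem(ScanStatus.USED, change_permission.decode().strip(), self.host).send()`, or capture the string before it is encoded on the line above. The enclosing method begins and ends outside the hunk.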
@ -10,6 +10,7 @@ from infection_monkey.exploit.tools.http_tools import HTTPTools
|
|||
from infection_monkey.network.tools import check_tcp_port, tcp_port_to_service
|
||||
from infection_monkey.telemetry.attack.t1197_telem import T1197Telem
|
||||
from common.utils.attack_utils import ScanStatus, BITS_UPLOAD_STRING
|
||||
from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
|
||||
|
||||
__author__ = 'VakarisZ'
|
||||
|
||||
|
@ -367,8 +368,10 @@ class WebRCE(HostExploiter):
|
|||
command = CHMOD_MONKEY % {'monkey_path': path}
|
||||
try:
|
||||
resp = self.exploit(url, command)
|
||||
T1222Telem(ScanStatus.USED, command, self.host).send()
|
||||
except Exception as e:
|
||||
LOG.error("Something went wrong while trying to change permission: %s" % e)
|
||||
T1222Telem(ScanStatus.SCANNED, "", self.host).send()
|
||||
return False
|
||||
# If exploiter returns True / False
|
||||
if type(resp) is bool:
|
||||
|
|
|
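Review bot: `T1222Telem(ScanStatus.USED, command, self.host).send()` runs as soon as `self.exploit(url, command)` returns without raising, but the lines that follow (from `if type(resp) is bool:` onward) only then examine `resp`, so a False result is still reported as a successful permission change. Move the USED telemetry after the response is evaluated and send `ScanStatus.SCANNED` on the negative branch, as the except path already does, so the report reflects the actual outcome. The method continues past the hunk, so the final decision point is not visible here.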
@ -0,0 +1,20 @@
|
|||
from infection_monkey.telemetry.attack.victim_host_telem import VictimHostTelem
|
||||
|
||||
|
||||
class T1222Telem(VictimHostTelem):
|
||||
def __init__(self, status, command, machine):
|
||||
"""
|
||||
T1222 telemetry.
|
||||
:param status: ScanStatus of technique
|
||||
:param command: command used to change permissions
|
||||
:param machine: VictimHost type object
|
||||
"""
|
||||
super(T1222Telem, self).__init__('T1222', status, machine)
|
||||
self.command = command
|
||||
|
||||
def get_data(self):
|
||||
data = super(T1222Telem, self).get_data()
|
||||
data.update({
|
||||
'command': self.command
|
||||
})
|
||||
return data
|
|
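Review bot: `get_data` has no docstring while `__init__` documents every parameter; add `"""Return the base host telemetry extended with the 'command' used for the permission change."""` under its signature. Nothing in `__init__` constrains `command` to text, yet one caller in this PR (the VSFTPD exploiter) passes bytes; either document that `command` must be a str or normalize it at the sink, e.g. `self.command = command.decode() if isinstance(command, bytes) else command`, so the serialized telemetry is consistent across exploiters.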
@ -1,8 +1,9 @@
|
|||
import logging
|
||||
|
||||
from monkey_island.cc.models import Monkey
|
||||
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
|
||||
from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
|
||||
from monkey_island.cc.services.attack.technique_reports import T1090, T1041
|
||||
from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222
|
||||
from monkey_island.cc.services.attack.attack_config import AttackConfig
|
||||
from monkey_island.cc.database import mongo
|
||||
|
||||
|
@ -28,7 +29,8 @@ TECHNIQUES = {'T1210': T1210.T1210,
|
|||
'T1107': T1107.T1107,
|
||||
'T1188': T1188.T1188,
|
||||
'T1090': T1090.T1090,
|
||||
'T1041': T1041.T1041}
|
||||
'T1041': T1041.T1041,
|
||||
'T1222': T1222.T1222}
|
||||
|
||||
REPORT_NAME = 'new_report'
|
||||
|
||||
|
|
|
@ -108,6 +108,13 @@ SCHEMA = {
|
|||
"description": "Adversaries may remove files over the course of an intrusion "
|
||||
"to keep their footprint low or remove them at the end as part "
|
||||
"of the post-intrusion cleanup process."
|
||||
},
|
||||
"T1222": {
|
||||
"title": "T1222 File permissions modification",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": True,
|
||||
"description": "Adversaries may modify file permissions/attributes to evade intended DACLs."
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
from common.utils.attack_utils import ScanStatus
|
||||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.attack.technique_reports import AttackTechnique
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
||||
class T1222(AttackTechnique):
|
||||
tech_id = "T1222"
|
||||
unscanned_msg = "Monkey didn't try to change any file permissions."
|
||||
scanned_msg = "Monkey tried to change file permissions, but failed."
|
||||
used_msg = "Monkey successfully changed file permissions in network systems."
|
||||
|
||||
query = [{'$match': {'telem_category': 'attack',
|
||||
'data.technique': 'T1222',
|
||||
'data.status': ScanStatus.USED.value}},
|
||||
{'$group': {'_id': {'machine': '$data.machine', 'status': '$data.status', 'command': '$data.command'}}},
|
||||
{"$replaceRoot": {"newRoot": "$_id"}}]
|
||||
|
||||
@staticmethod
|
||||
def get_report_data():
|
||||
data = T1222.get_tech_base_data()
|
||||
data.update({'commands': list(mongo.db.telemetry.aggregate(T1222.query))})
|
||||
return data
|
|
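Review bot: `get_report_data` has no docstring and the aggregation in `query` is not explained; add `"""Return the T1222 base data plus the distinct (machine, status, command) rows recorded as USED."""` on the method. The `$group` key includes `'status': '$data.status'` although the preceding `$match` already fixes status to `ScanStatus.USED.value`, so it never separates groups; drop it from the `_id`, or keep it with a comment saying it is carried only so each row exposes `status` to the front end, which the T1222.js hunk in this PR does not appear to read.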
@ -0,0 +1,39 @@
|
|||
import React from 'react';
|
||||
import '../../../styles/Collapse.scss'
|
||||
import ReactTable from "react-table";
|
||||
import { renderMachine, scanStatus } from "./Helpers"
|
||||
|
||||
|
||||
class T1222 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
static getCommandColumns() {
|
||||
return ([{
|
||||
Header: "Permission modification commands",
|
||||
columns: [
|
||||
{Header: 'Machine', id: 'machine', accessor: x => renderMachine(x.machine), style: { 'whiteSpace': 'unset' }},
|
||||
{Header: 'Command', id: 'command', accessor: x => x.command, style: { 'whiteSpace': 'unset' }},
|
||||
]
|
||||
}])};
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === scanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1222.getCommandColumns()}
|
||||
data={this.props.data.commands}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.commands.length}
|
||||
/> : ""}
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1222;
|
|
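Review bot: The `constructor(props)` that only calls `super(props)` is redundant in a React class component and can be removed. `defaultPageSize={this.props.data.commands.length}` and `data={this.props.data.commands}` are evaluated whenever status is USED with no guard for `commands` being absent, so if the island's report data can omit the key the render throws; `(this.props.data.commands || [])` in both places, or a documented contract that the T1222 report always includes `commands`, would make this robust. The `accessor: x => x.command` column renders the raw command text, which React escapes by default; that property should be preserved if the cell rendering is ever customized.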
@ -24,6 +24,7 @@ import T1106 from "../attack/techniques/T1106";
|
|||
import T1188 from "../attack/techniques/T1188";
|
||||
import T1090 from "../attack/techniques/T1090";
|
||||
import T1041 from "../attack/techniques/T1041";
|
||||
import T1222 from "../attack/techniques/T1222";
|
||||
|
||||
const tech_components = {
|
||||
'T1210': T1210,
|
||||
|
@ -43,7 +44,8 @@ const tech_components = {
|
|||
'T1107': T1107,
|
||||
'T1188': T1188,
|
||||
'T1090': T1090,
|
||||
'T1041': T1041
|
||||
'T1041': T1041,
|
||||
'T1222': T1222
|
||||
};
|
||||
|
||||
const classNames = require('classnames');
|
||||
|
|