p15670423
/
monkey
1
0
Fork 5
Code Issues Pull Requests 3 Projects Releases Wiki Activity

Implemented scripting attack technique

This commit is contained in:
VakarisZ 2019-07-22 12:13:54 +03:00
parent 38978516db
commit fe6a653f79
8 changed files with 80 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
monkey/infection_monkey/post_breach/pba.py
View File

@ -1,10 +1,11 @@
import logging
import subprocess
import socket
from infection_monkey.control import ControlClient
from common.utils.attack_utils import ScanStatus
from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
from infection_monkey.utils import is_windows_os
from infection_monkey.config import WormConfiguration
from infection_monkey.telemetry.attack.t1064_telem import T1064Telem
LOG = logging.getLogger(__name__)
@ -46,6 +47,8 @@ class PBA(object):
"""
exec_funct = self._execute_default
result = exec_funct()
if result[1] and isinstance(self.command, list) and len(self.command) > 1:
T1064Telem(ScanStatus.USED, "Scripts used to execute %s post breach action." % self.name).send()
PostBreachTelem(self, result).send()
def _execute_default(self):

3
monkey/infection_monkey/system_info/azure_cred_collector.py
View File

@ -7,6 +7,7 @@ import subprocess
from common.utils.attack_utils import ScanStatus
from infection_monkey.telemetry.attack.t1005_telem import T1005Telem
from infection_monkey.telemetry.attack.t1064_telem import T1064Telem
__author__ = 'danielg'
@ -58,6 +59,7 @@ class AzureCollector(object):
decrypt_raw = decrypt_proc.communicate(input=b64_result)[0]
decrypt_data = json.loads(decrypt_raw)
T1005Telem(ScanStatus.USED, 'Azure credentials', "Path: %s" % filepath).send()
T1064Telem(ScanStatus.USED, 'Bash scripts used to extract azure credentials.').send()
return decrypt_data['username'], decrypt_data['password']
except IOError:
LOG.warning("Failed to parse VM Access plugin file. Could not open file")
@ -97,6 +99,7 @@ class AzureCollector(object):
password_raw = ps_out.split('\n')[-2].split(">")[1].split("$utf8content")[1]
password = json.loads(password_raw)["Password"]
T1005Telem(ScanStatus.USED, 'Azure credentials', "Path: %s" % filepath).send()
T1064Telem(ScanStatus.USED, 'Powershell scripts used to extract azure credentials.').send()
return username, password
except IOError:
LOG.warning("Failed to parse VM Access plugin file. Could not open file")

11
monkey/infection_monkey/telemetry/attack/t1064_telem.py Normal file
View File

@ -0,0 +1,11 @@
from infection_monkey.telemetry.attack.usage_telem import UsageTelem
class T1064Telem(UsageTelem):
def __init__(self, status, usage):
"""
T1064 telemetry.
:param status: ScanStatus of technique
:param usage: Usage string
"""
super(T1064Telem, self).__init__('T1064', status, usage)

6
monkey/monkey_island/cc/services/attack/attack_report.py
View File

@ -3,7 +3,7 @@ import logging
from monkey_island.cc.models import Monkey
from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016, T1021
from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016, T1021, T1064
from monkey_island.cc.services.attack.attack_config import AttackConfig
from monkey_island.cc.database import mongo
@ -34,7 +34,9 @@ TECHNIQUES = {'T1210': T1210.T1210,
'T1005': T1005.T1005,
'T1018': T1018.T1018,
'T1016': T1016.T1016,
'T1021': T1021.T1021}
'T1021': T1021.T1021,
'T1064': T1064.T1064
}
REPORT_NAME = 'new_report'

8
monkey/monkey_island/cc/services/attack/attack_schema.py
View File

@ -173,6 +173,14 @@ SCHEMA = {
"necessary": True,
"description": "Adversaries can use PowerShell to perform a number of actions,"
" including discovery of information and execution of code.",
},
"T1064": {
"title": "T1064 Scripting",
"type": "bool",
"value": True,
"necessary": True,
"description": "Adversaries may use scripts to aid in operations and "
"perform multiple actions that would otherwise be manual.",
}
}
},

16
monkey/monkey_island/cc/services/attack/technique_reports/T1064.py Normal file
View File

@ -0,0 +1,16 @@
from monkey_island.cc.services.attack.technique_reports import UsageTechnique
__author__ = "VakarisZ"
class T1064(UsageTechnique):
tech_id = "T1064"
unscanned_msg = "Monkey didn't run scripts."
scanned_msg = ""
used_msg = "Monkey ran scripts on machines in the network."
@staticmethod
def get_report_data():
data = T1064.get_tech_base_data()
data.update({'scripts': T1064.get_usage_data()})
return data

30
monkey/monkey_island/cc/ui/src/components/attack/techniques/T1064.js Normal file
View File

@ -0,0 +1,30 @@
import React from 'react';
import '../../../styles/Collapse.scss'
import ReactTable from "react-table";
import { getUsageColumns } from "./Helpers"
class T1064 extends React.Component {
constructor(props) {
super(props);
}
render() {
return (
<div>
<div>{this.props.data.message}</div>
<br/>
{this.props.data.scripts.length !== 0 ?
<ReactTable
columns={getUsageColumns()}
data={this.props.data.scripts}
showPagination={false}
defaultPageSize={this.props.data.scripts.length}
/> : ""}
</div>
);
}
}
export default T1064;

4
monkey/monkey_island/cc/ui/src/components/report-components/AttackReport.js
View File

@ -29,6 +29,7 @@ import T1005 from "../attack/techniques/T1005";
import T1018 from "../attack/techniques/T1018";
import T1016 from "../attack/techniques/T1016";
import T1021 from "../attack/techniques/T1021";
import T1064 from "../attack/techniques/T1064";
const tech_components = {
'T1210': T1210,
@ -53,7 +54,8 @@ const tech_components = {
'T1005': T1005,
'T1018': T1018,
'T1016': T1016,
'T1021': T1021
'T1021': T1021,
'T1064': T1064
};
const classNames = require('classnames');