Add T1087 (account discovery)

This commit is contained in:
Shreya 2020-08-18 15:58:44 +05:30
parent 7e90609b98
commit 09f54bc72b
11 changed files with 117 additions and 3 deletions


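--- a/common/data/post_breach_consts.py
+++ b/common/data/post_breach_consts.py
@@ -6,3 +6,4 @@ POST_BREACH_HIDDEN_FILES = "Hide files and directories"
 POST_BREACH_TRAP_COMMAND = "Execute command when a particular signal is received"
 POST_BREACH_SETUID_SETGID = "Setuid and Setgid"
 POST_BREACH_JOB_SCHEDULING = "Schedule jobs"
+POST_BREACH_ACCOUNT_DISCOVERY = "Account discovery"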


@ -0,0 +1,10 @@
from infection_monkey.post_breach.account_discovery.linux_account_discovery import \
get_linux_commands_to_discover_accounts
from infection_monkey.post_breach.account_discovery.windows_account_discovery import \
get_windows_commands_to_discover_accounts
def get_commands_to_discover_accounts():
linux_cmds = get_linux_commands_to_discover_accounts()
windows_cmds = get_windows_commands_to_discover_accounts()
return linux_cmds, windows_cmds
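Review bot: `get_commands_to_discover_accounts` has no docstring, and the return value is a bare two-tuple whose order (Linux list first, Windows list second) is only discoverable by reading the body; the caller added in this commit unpacks it positionally and space-joins each list into one command line. A docstring such as `"""Return (linux_cmds, windows_cmds): per-platform shell fragments that list user accounts; each list is meant to be space-joined into a single command line."""` pins that contract. A `-> tuple[list[str], list[str]]` annotation on the `def` line would do the same for tooling.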


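--- /dev/null
+++ b/infection_monkey/post_breach/account_discovery/linux_account_discovery.py
@@ -0,0 +1,7 @@
+def get_linux_commands_to_discover_accounts():
+    return [
+        "echo \'Discovered the following user accounts:\'; ",
+        "cut -d: -f1,3 /etc/passwd | ",
+        "egrep ':[0-9]{4}$' | ",
+        "cut -d: -f1"
+    ]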
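Review bot: The filter `egrep ':[0-9]{4}$'` on line 36 keeps only accounts whose UID has exactly four digits, so root (UID 0) and every account with UID 10000 or above — the usual range for directory-backed users from LDAP/SSSD/AD, which are the interesting ones for follow-on movement — are silently dropped, while the T1087 report added in this commit still labels the result a successful listing. A numeric comparison is both more accurate and simpler: replace the three pipeline fragments on lines 35-37 with the single fragment `"awk -F: '$3 >= 1000 && $3 != 65534 {print $1}' /etc/passwd"` (the `!= 65534` keeps `nobody` out on Debian-family systems), leaving the `echo` prefix as is. `egrep` is also deprecated in favour of `grep -E`, and newer GNU grep releases print a deprecation warning to stderr that may end up mixed into the captured result.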


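--- /dev/null
+++ b/infection_monkey/post_breach/account_discovery/windows_account_discovery.py
@@ -0,0 +1,4 @@
+def get_windows_commands_to_discover_accounts():
+    return [
+        "net user"
+    ]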
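Review bot: `net user` on line 45 enumerates only the local SAM accounts; on a domain-joined host the domain accounts — the ones the technique description in this commit says the listing is meant to support follow-on behaviour against — are not included, and nothing in the function records that the scope is local-only. If domain coverage is intended, a second command that tolerates non-domain hosts is needed, e.g. `"net user & net user /domain"` (the second command fails harmlessly where there is no domain controller; confirm how the PBA framework treats that output). Either way, a docstring such as `"""Return the command fragments that list local Windows accounts (domain accounts are not enumerated)."""` would make the chosen scope explicit.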


@ -0,0 +1,12 @@
from common.data.post_breach_consts import POST_BREACH_ACCOUNT_DISCOVERY
from infection_monkey.post_breach.pba import PBA
from infection_monkey.post_breach.account_discovery.account_discovery import \
get_commands_to_discover_accounts
class AccountDiscovery(PBA):
def __init__(self):
linux_cmds, windows_cmds = get_commands_to_discover_accounts()
super().__init__(POST_BREACH_ACCOUNT_DISCOVERY,
linux_cmd=' '.join(linux_cmds),
windows_cmd=' '.join(windows_cmds))
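Review bot: `AccountDiscovery` carries no docstring, so a reader has to open `account_discovery.py` to learn that the two lists are command fragments that only form valid command lines once space-joined, which is what lines 59-60 do. A class docstring such as `"""Post-breach action for T1087: lists user accounts on the victim (Linux: names derived from /etc/passwd; Windows: 'net user'). The per-platform fragments are space-joined into one command line each."""` would make that explicit at the point of use. The `PBA` base class and the semantics of its `linux_cmd`/`windows_cmd` keywords are defined outside this hunk.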


@ -18,7 +18,8 @@ from monkey_island.cc.services.attack.technique_reports import (T1003, T1005,
T1158, T1166, T1158, T1166,
T1168, T1188, T1168, T1188,
T1197, T1210, T1197, T1210,
T1222, T1504) T1222, T1504,
T1087)
from monkey_island.cc.services.reporting.report_generation_synchronisation import \ from monkey_island.cc.services.reporting.report_generation_synchronisation import \
safe_generate_attack_report safe_generate_attack_report
@ -57,7 +58,8 @@ TECHNIQUES = {'T1210': T1210.T1210,
'T1154': T1154.T1154, 'T1154': T1154.T1154,
'T1166': T1166.T1166, 'T1166': T1166.T1166,
'T1168': T1168.T1168, 'T1168': T1168.T1168,
'T1053': T1053.T1053 'T1053': T1053.T1053,
'T1087': T1087.T1087
} }
REPORT_NAME = 'new_report' REPORT_NAME = 'new_report'
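Review bot: `T1087` is appended after `T1504` on line 69, breaking the ascending order the rest of the visible import tuple (T1158 … T1504) keeps, which is what lets a reader spot a missing or duplicated technique at a glance. Move it to its sorted position before `T1158` (the tuple starts on line 64 with `T1003, T1005,` and continues above the hunk, so the exact slot is outside this view). The `TECHNIQUES` dict on lines 72-78 is not sorted, so the placement of `'T1087': T1087.T1087` there is fine as is.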


@ -234,6 +234,16 @@ SCHEMA = {
"type": "object", "type": "object",
"link": "https://attack.mitre.org/tactics/TA0007/", "link": "https://attack.mitre.org/tactics/TA0007/",
"properties": { "properties": {
"T1087": {
"title": "Account Discovery",
"type": "bool",
"value": True,
"necessary": False,
"link": "https://attack.mitre.org/techniques/T1087",
"description": "Adversaries may attempt to get a listing of accounts on a system or "
"within an environment. This information can help adversaries determine which "
"accounts exist to aid in follow-on behavior."
},
"T1018": { "T1018": {
"title": "Remote System Discovery", "title": "Remote System Discovery",
"type": "bool", "type": "bool",


@ -0,0 +1,13 @@
from common.data.post_breach_consts import POST_BREACH_ACCOUNT_DISCOVERY
from monkey_island.cc.services.attack.technique_reports.pba_technique import \
PostBreachTechnique
__author__ = "shreyamalviya"
class T1087(PostBreachTechnique):
tech_id = "T1087"
unscanned_msg = "Monkey didn't try to get a listing of user accounts."
scanned_msg = "Monkey tried to get a listing of user accounts but failed to do so."
used_msg = "Monkey got a listing of user accounts successfully."
pba_names = [POST_BREACH_ACCOUNT_DISCOVERY]
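Review bot: `T1087` is a purely declarative mapping — `pba_names` on line 113 ties the report to the "Account discovery" PBA and the inherited `PostBreachTechnique` (defined outside this hunk) does the actual lookup — but nothing in the class says so, and the three messages are the only place a user learns what "scanned" versus "used" means here. A class docstring such as `"""ATT&CK report for T1087 (Account Discovery). Status and the listed accounts come from the results of the 'Account discovery' PBA; no scanning logic lives here."""` would orient the next maintainer. Consider also making `scanned_msg` say what failure means for this technique, e.g. `scanned_msg = "Monkey ran the account-listing command but it failed."`, so the UI text matches the data it reflects.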


@ -70,6 +70,15 @@ POST_BREACH_ACTIONS = {
"title": "Job scheduling", "title": "Job scheduling",
"info": "Attempts to create a scheduled job on the system and remove it.", "info": "Attempts to create a scheduled job on the system and remove it.",
"attack_techniques": ["T1168", "T1053"] "attack_techniques": ["T1168", "T1053"]
},
{
"type": "string",
"enum": [
"AccountDiscovery"
],
"title": "Account Discovery",
"info": "Attempts to get a listing of user accounts on the system.",
"attack_techniques": ["T1087"]
} }
] ]
} }
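Review bot: The `info` text on line 128 is the only description an operator sees before enabling this PBA, and it does not say what is collected and sent back to the Island — the account names themselves, taken from `/etc/passwd` on Linux and `net user` on Windows according to the command files in this commit. Since pulling account names off a production host and storing them in the Island's database can be sensitive, a more specific string such as `"info": "Attempts to get a listing of user accounts on the system (from /etc/passwd on Linux, 'net user' on Windows) and reports the account names to the Island."` lets operators make an informed choice. The enclosing `POST_BREACH_ACTIONS` schema starts above this hunk.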


@ -67,7 +67,8 @@ MONKEY = {
"HiddenFiles", "HiddenFiles",
"TrapCommand", "TrapCommand",
"ChangeSetuidSetgid", "ChangeSetuidSetgid",
"ScheduleJobs" "ScheduleJobs",
"AccountDiscovery"
] ]
}, },
} }


@ -0,0 +1,45 @@
import React from 'react';
import ReactTable from 'react-table';
import {renderMachineFromSystemData, ScanStatus} from './Helpers';
import MitigationsComponent from './MitigationsComponent';
class T1087 extends React.Component {
constructor(props) {
super(props);
}
static getColumns() {
return ([{
columns: [
{ Header: 'Machine',
id: 'machine',
accessor: x => renderMachineFromSystemData(x.machine),
style: {'whiteSpace': 'unset'}},
{ Header: 'Result',
id: 'result',
accessor: x => x.result,
style: {'whiteSpace': 'unset'}}
]
}])
}
render() {
return (
<div>
<div>{this.props.data.message}</div>
<br/>
{this.props.data.status === ScanStatus.USED ?
<ReactTable
columns={T1087.getColumns()}
data={this.props.data.info}
showPagination={false}
defaultPageSize={this.props.data.info.length}
/> : ''}
<MitigationsComponent mitigations={this.props.data.mitigations}/>
</div>
);
}
}
export default T1087;
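Review bot: The constructor on lines 154-156 only forwards `props` to `super` and can be removed — React supplies that behaviour by default and ESLint's `no-useless-constructor` flags it. The `Result` column on lines 164-167 renders `x.result`, which is presumably raw command output collected from a compromised machine; JSX text interpolation escapes it, so there is no injection concern as long as it stays a text child and is never routed through `dangerouslySetInnerHTML`, which is worth a one-line comment above the column, e.g. `// x.result is untrusted command output from the victim; render as escaped text only`. `renderMachineFromSystemData` and `MitigationsComponent` are defined in other files, so the same caveat should be checked there.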