From 155da384c275aa6057ad1b661cacd5c58af51ba9 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Thu, 28 Jan 2021 08:14:18 -0500
Subject: [PATCH] ui: replace "(UNSAFE)" text with warning icon
---
 .../definitions/exploiter_classes.py | 15 ++++++++++++++-
 .../config_schema/definitions/finger_classes.py | 8 ++++++++
 .../definitions/post_breach_actions.py | 11 +++++++++++
 .../definitions/system_info_collector_classes.py | 6 ++++++
 .../ui-components/AdvancedMultiSelect.js | 7 ++++++-
 .../src/components/ui-components/ChildCheckbox.js | 13 ++++++++++---
 .../cc/ui/src/styles/pages/ConfigurationPage.scss | 7 +++++++
 7 files changed, 62 insertions(+), 5 deletions(-)
diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
index 0a5e671a3..25158d73a 100644
--- a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
@@ -12,6 +12,7 @@ EXPLOITER_CLASSES = {
 "SmbExploiter"
 ],
 "title": "SMB Exploiter",
+ "safe": True,
 "attack_techniques": ["T1110", "T1075", "T1035"],
 "info": "Brute forces using credentials provided by user and"
 " hashes gathered by mimikatz.",
@@ -23,6 +24,7 @@ EXPLOITER_CLASSES = {
 "WmiExploiter"
 ],
 "title": "WMI Exploiter",
+ "safe": True,
 "attack_techniques": ["T1110", "T1106"],
 "info": "Brute forces WMI (Windows Management Instrumentation) "
 "using credentials provided by user and hashes gathered by mimikatz.",
@@ -34,6 +36,7 @@ EXPLOITER_CLASSES = {
 "MSSQLExploiter"
 ],
 "title": "MSSQL Exploiter",
+ "safe": True,
 "attack_techniques": ["T1110"],
 "info": "Tries to brute force into MsSQL server and uses insecure "
 "configuration to execute commands on server.",
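Review bot: The `"safe"` key inserted before `"attack_techniques"` in every definition here, and likewise in the finger_classes.py, post_breach_actions.py and system_info_collector_classes.py hunks, is never explained in the definition modules themselves, so a maintainer adding a new entry has nothing stating what the value means or what happens when the key is omitted. As far as this patch shows, the flag is only read by the UI (`AdvancedMultiSelect.isSafe` passes it to `ChildCheckbox`, which adds an indicator whenever the value is not truthy), so an omitted key presumably renders as unsafe rather than silently as safe; that fail-closed default is worth writing down next to the data so it is not "fixed" later. I would add a comment above the first definition in each module, e.g. `# "safe": False marks an action that may crash the target or leave changes behind (see MS08-067); the UI shows a warning icon for it, and a missing key is rendered the same way.`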
@@ -44,7 +47,8 @@ EXPLOITER_CLASSES = {
 "enum": [
 "Ms08_067_Exploiter"
 ],
- "title": "MS08-067 Exploiter (UNSAFE)",
+ "title": "MS08-067 Exploiter",
+ "safe": False,
 "info": "Unsafe exploiter, that might cause system crash due to the use of buffer overflow. "
 "Uses MS08-067 vulnerability.",
 "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/ms08-067/"
@@ -55,6 +59,7 @@ EXPLOITER_CLASSES = {
 "SSHExploiter"
 ],
 "title": "SSH Exploiter",
+ "safe": True,
 "attack_techniques": ["T1110", "T1145", "T1106"],
 "info": "Brute forces using credentials provided by user and SSH keys gathered from systems.",
 "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/sshexec/"
@@ -65,6 +70,7 @@ EXPLOITER_CLASSES = {
 "ShellShockExploiter"
 ],
 "title": "ShellShock Exploiter",
+ "safe": True,
 "info": "CVE-2014-6271, based on logic from "
 "https://github.com/nccgroup/shocker/blob/master/shocker.py .",
 "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/shellshock/"
@@ -75,6 +81,7 @@ EXPLOITER_CLASSES = {
 "SambaCryExploiter"
 ],
 "title": "SambaCry Exploiter",
+ "safe": True,
 "info": "Bruteforces and searches for anonymous shares. Uses Impacket.",
 "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/sambacry/"
 },
@@ -84,6 +91,7 @@ EXPLOITER_CLASSES = {
 "ElasticGroovyExploiter"
 ],
 "title": "ElasticGroovy Exploiter",
+ "safe": True,
 "info": "CVE-2015-1427. Logic is based on Metasploit module.",
 "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/elasticgroovy/"
 },
@@ -93,6 +101,7 @@ EXPLOITER_CLASSES = {
 "Struts2Exploiter"
 ],
 "title": "Struts2 Exploiter",
+ "safe": True,
 "info": "Exploits struts2 java web framework. CVE-2017-5638. Logic based on "
 "https://www.exploit-db.com/exploits/41570 .",
 "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/struts2/"
@@ -103,6 +112,7 @@ EXPLOITER_CLASSES = {
 "WebLogicExploiter"
 ],
 "title": "WebLogic Exploiter",
+ "safe": True,
 "info": "Exploits CVE-2017-10271 and CVE-2019-2725 vulnerabilities on WebLogic server.",
 "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/weblogic/"
 },
@@ -112,6 +122,7 @@ EXPLOITER_CLASSES = {
 "HadoopExploiter"
 ],
 "title": "Hadoop/Yarn Exploiter",
+ "safe": True,
 "info": "Remote code execution on HADOOP server with YARN and default settings. "
 "Logic based on https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn.",
 "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/hadoop/"
@@ -122,6 +133,7 @@ EXPLOITER_CLASSES = {
 "VSFTPDExploiter"
 ],
 "title": "VSFTPD Exploiter",
+ "safe": True,
 "info": "Exploits a malicious backdoor that was added to the VSFTPD download archive. "
 "Logic based on Metasploit module.",
 "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/vsftpd/"
@@ -132,6 +144,7 @@ EXPLOITER_CLASSES = {
 "DrupalExploiter"
 ],
 "title": "Drupal Exploiter",
+ "safe": True,
 "info": "Exploits a remote command execution vulnerability in a Drupal server,"
 "for which certain modules (such as RESTful Web Services) are enabled.",
 "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/drupal/"
diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py b/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py
index 405983dc5..5e3f75f33 100644
--- a/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py
@@ -10,6 +10,7 @@ FINGER_CLASSES = {
 "SMBFinger"
 ],
 "title": "SMBFinger",
+ "safe": True,
 "info": "Figures out if SMB is running and what's the version of it.",
 "attack_techniques": ["T1210"]
 },
@@ -19,6 +20,7 @@ FINGER_CLASSES = {
 "SSHFinger"
 ],
 "title": "SSHFinger",
+ "safe": True,
 "info": "Figures out if SSH is running.",
 "attack_techniques": ["T1210"]
 },
@@ -28,6 +30,7 @@ FINGER_CLASSES = {
 "PingScanner"
 ],
 "title": "PingScanner",
+ "safe": True,
 "info": "Tries to identify if host is alive and which OS it's running by ping scan."
 },
 {
@@ -36,6 +39,7 @@ FINGER_CLASSES = {
 "HTTPFinger"
 ],
 "title": "HTTPFinger",
+ "safe": True,
 "info": "Checks if host has HTTP/HTTPS ports open."
 },
 {
@@ -44,6 +48,7 @@ FINGER_CLASSES = {
 "MySQLFinger"
 ],
 "title": "MySQLFinger",
+ "safe": True,
 "info": "Checks if MySQL server is running and tries to get it's version.",
 "attack_techniques": ["T1210"]
 },
@@ -53,6 +58,7 @@ FINGER_CLASSES = {
 "MSSQLFinger"
 ],
 "title": "MSSQLFinger",
+ "safe": True,
 "info": "Checks if Microsoft SQL service is running and tries to gather information about it.",
 "attack_techniques": ["T1210"]
 },
@@ -62,6 +68,7 @@ FINGER_CLASSES = {
 "ElasticFinger"
 ],
 "title": "ElasticFinger",
+ "safe": True,
 "info": "Checks if ElasticSearch is running and attempts to find it's version.",
 "attack_techniques": ["T1210"]
 },
@@ -71,6 +78,7 @@ FINGER_CLASSES = {
 "WindowsServerFinger"
 ],
 "title": "WindowsServerFinger",
+ "safe": True,
 "info": "Checks if server is a Windows Server and tests if it is vulnerable to Zerologon.",
 "attack_techniques": ["T1210"]
 }
diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py
index f1fe0f6f2..16dc0735e 100644
--- a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py
@@ -10,6 +10,7 @@ POST_BREACH_ACTIONS = {
 "BackdoorUser"
 ],
 "title": "Back door user",
+ "safe": True,
 "info": "Attempts to create a new user on the system and delete it afterwards.",
 "attack_techniques": ["T1136"]
 },
@@ -19,6 +20,7 @@ POST_BREACH_ACTIONS = {
 "CommunicateAsNewUser"
 ],
 "title": "Communicate as new user",
+ "safe": True,
 "info": "Attempts to create a new user, create HTTPS requests as that user and delete the user "
 "afterwards.",
 "attack_techniques": ["T1136"]
@@ -29,6 +31,7 @@ POST_BREACH_ACTIONS = {
 "ModifyShellStartupFiles"
 ],
 "title": "Modify shell startup files",
+ "safe": True,
 "info": "Attempts to modify shell startup files, like ~/.profile, ~/.bashrc, ~/.bash_profile "
 "in linux, and profile.ps1 in windows. Reverts modifications done afterwards.",
 "attack_techniques": ["T1156", "T1504"]
@@ -39,6 +42,7 @@ POST_BREACH_ACTIONS = {
 "HiddenFiles"
 ],
 "title": "Hidden files and directories",
+ "safe": True,
 "info": "Attempts to create a hidden file and remove it afterward.",
 "attack_techniques": ["T1158"]
 },
@@ -48,6 +52,7 @@ POST_BREACH_ACTIONS = {
 "TrapCommand"
 ],
 "title": "Trap",
+ "safe": True,
 "info": "On Linux systems, attempts to trap an interrupt signal in order to execute a command "
 "upon receiving that signal. Removes the trap afterwards.",
 "attack_techniques": ["T1154"]
@@ -58,6 +63,7 @@ POST_BREACH_ACTIONS = {
 "ChangeSetuidSetgid"
 ],
 "title": "Setuid and Setgid",
+ "safe": True,
 "info": "On Linux systems, attempts to set the setuid and setgid bits of a new file. "
 "Removes the file afterwards.",
 "attack_techniques": ["T1166"]
@@ -68,6 +74,7 @@ POST_BREACH_ACTIONS = {
 "ScheduleJobs"
 ],
 "title": "Job scheduling",
+ "safe": True,
 "info": "Attempts to create a scheduled job on the system and remove it.",
 "attack_techniques": ["T1168", "T1053"]
 },
@@ -77,6 +84,7 @@ POST_BREACH_ACTIONS = {
 "Timestomping"
 ],
 "title": "Timestomping",
+ "safe": True,
 "info": "Creates a temporary file and attempts to modify its time attributes. Removes the file afterwards.",
 "attack_techniques": ["T1099"]
 },
@@ -86,6 +94,7 @@ POST_BREACH_ACTIONS = {
 "SignedScriptProxyExecution"
 ],
 "title": "Signed script proxy execution",
+ "safe": False,
 "info": "On Windows systems, attemps to execute an arbitrary file "
 "with the help of a pre-existing signed script.",
 "attack_techniques": ["T1216"]
@@ -96,6 +105,7 @@ POST_BREACH_ACTIONS = {
 "AccountDiscovery"
 ],
 "title": "Account Discovery",
+ "safe": True,
 "info": "Attempts to get a listing of user accounts on the system.",
 "attack_techniques": ["T1087"]
 },
@@ -105,6 +115,7 @@ POST_BREACH_ACTIONS = {
 "ClearCommandHistory"
 ],
 "title": "Clear command history",
+ "safe": False,
 "info": "Attempts to clear the command history.",
 "attack_techniques": ["T1146"]
 }
diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py b/monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py
index 5f113f4a7..174133f43 100644
--- a/monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py
@@ -16,6 +16,7 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
 ENVIRONMENT_COLLECTOR
 ],
 "title": "Environment collector",
+ "safe": True,
 "info": "Collects information about machine's environment (on premise/GCP/AWS).",
 "attack_techniques": ["T1082"]
 },
@@ -25,6 +26,7 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
 MIMIKATZ_COLLECTOR
 ],
 "title": "Mimikatz collector",
+ "safe": True,
 "info": "Collects credentials from Windows credential manager.",
 "attack_techniques": ["T1003", "T1005"]
 },
@@ -34,6 +36,7 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
 AWS_COLLECTOR
 ],
 "title": "AWS collector",
+ "safe": True,
 "info": "If on AWS, collects more information about the AWS instance currently running on.",
 "attack_techniques": ["T1082"]
 },
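Review bot: `SignedScriptProxyExecution` and `ClearCommandHistory` are the two entries marked `"safe": False` in this file, but unlike the MS08-067 entry, whose `info` opens with "Unsafe exploiter, that might cause system crash", their `info` strings do not say what the risk is, so once the "(UNSAFE)" wording is gone the icon is the operator's only hint. Every other post-breach entry here describes its cleanup ("Removes the file afterwards", "Reverts modifications done afterwards") while "Attempts to clear the command history." does not, which presumably means the history is not restored; if so the text should say it, e.g. `"info": "Attempts to clear the command history. The history is not restored afterwards.",` and the signed-script entry should likewise state what is left behind. The `"attemps"` in the SignedScriptProxyExecution info is a context line in this hunk, but it is a typo for "attempts" and could be fixed while the entry is being touched.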
@@ -43,6 +46,7 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
 HOSTNAME_COLLECTOR
 ],
 "title": "Hostname collector",
+ "safe": True,
 "info": "Collects machine's hostname.",
 "attack_techniques": ["T1082", "T1016"]
 },
@@ -52,6 +56,7 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
 PROCESS_LIST_COLLECTOR
 ],
 "title": "Process list collector",
+ "safe": True,
 "info": "Collects a list of running processes on the machine.",
 "attack_techniques": ["T1082"]
 },
@@ -61,6 +66,7 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
 AZURE_CRED_COLLECTOR
 ],
 "title": "Azure credential collector",
+ "safe": True,
 "info": "Collects password credentials from Azure VMs",
 "attack_techniques": ["T1003", "T1005"]
 }
diff --git a/monkey/monkey_island/cc/ui/src/components/ui-components/AdvancedMultiSelect.js b/monkey/monkey_island/cc/ui/src/components/ui-components/AdvancedMultiSelect.js
index bab944093..b92ff3f1a 100644
--- a/monkey/monkey_island/cc/ui/src/components/ui-components/AdvancedMultiSelect.js
+++ b/monkey/monkey_island/cc/ui/src/components/ui-components/AdvancedMultiSelect.js
@@ -123,6 +123,10 @@ class AdvancedMultiSelect extends React.Component {
 }));
 }
+ isSafe(itemKey) {
+ return getFullDefinitionByKey(this.infoPaneRefString, this.registry, itemKey).safe;
+ }
+
 render() {
 const {
 schema,
@@ -149,7 +153,8 @@ class AdvancedMultiSelect extends React.Component {
 return (
+ disabled={disabled} label={label} checkboxState={this.props.value.includes(value)}
+ safe={this.isSafe(value)}/>
 );
 }
 )}
diff --git a/monkey/monkey_island/cc/ui/src/components/ui-components/ChildCheckbox.js b/monkey/monkey_island/cc/ui/src/components/ui-components/ChildCheckbox.js
index 4ce11295e..1cd3caa8c 100644
--- a/monkey/monkey_island/cc/ui/src/components/ui-components/ChildCheckbox.js
+++ b/monkey/monkey_island/cc/ui/src/components/ui-components/ChildCheckbox.js
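Review bot: `isSafe` returns whatever `getFullDefinitionByKey(...).safe` holds, so for a definition that lacks the key it yields `undefined` rather than a boolean and the method name overstates what it checks; `ChildCheckbox` only tests `!safe`, so such an item still gets the warning, but that default is implicit and easy to break. I would return an explicit boolean and say why: `// Only a definition that explicitly declares itself safe is rendered without the warning icon.` followed by `return getFullDefinitionByKey(this.infoPaneRefString, this.registry, itemKey).safe === true;`. If `getFullDefinitionByKey` can return `undefined` for an unknown key the `.safe` access throws a TypeError during render — that helper is not in this patch, so worth confirming. In the second hunk the `<ChildCheckbox …>` opening line appears to have been lost in this rendering, so the prop list that now passes `safe={this.isSafe(value)}` is only partially visible here.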
@@ -2,7 +2,7 @@ import React from 'react';
 import {Button, Form} from 'react-bootstrap';
 import {FontAwesomeIcon} from '@fortawesome/react-fontawesome';
-import {faCheckSquare} from '@fortawesome/free-solid-svg-icons';
+import {faCheckSquare, faExclamationTriangle} from '@fortawesome/free-solid-svg-icons';
 import {faSquare} from '@fortawesome/free-regular-svg-icons';
 function ChildCheckbox(props) {
@@ -12,15 +12,22 @@ function ChildCheckbox(props) {
 value,
 disabled,
 label,
- checkboxState
+ checkboxState,
+ safe
 } = props;
+ let displayLabel = [{label}];
+
+ if (!safe) {
+ displayLabel.push()
+ }
+
 return (
 onPaneClick(value)}>
- {label}
+ {displayLabel}
 );
 }
diff --git a/monkey/monkey_island/cc/ui/src/styles/pages/ConfigurationPage.scss b/monkey/monkey_island/cc/ui/src/styles/pages/ConfigurationPage.scss
index e5c6c08bc..435047845 100644
--- a/monkey/monkey_island/cc/ui/src/styles/pages/ConfigurationPage.scss
+++ b/monkey/monkey_island/cc/ui/src/styles/pages/ConfigurationPage.scss
@@ -57,3 +57,10 @@
 white-space: pre-wrap;
 }
+.unsafe-indicator {
+ text-transform: uppercase;
+ color: #ffc107;
+ font-weight: 900;
+ margin-left: .75em;
+ margin-right: .75em;
+}
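Review bot: `displayLabel` in the second ChildCheckbox hunk is declared with `let` but is only ever mutated through `push`, never reassigned, so it should be `const displayLabel = [...]`, and `displayLabel.push()` is missing the terminating semicolon that every surrounding statement has. The element being pushed has been stripped from this rendering, so I cannot see whether it and the `{label}` entry carry `key` props; React expects a `key` on each element of an array rendered as children, and if they are absent every unsafe item will log a warning. The removed "(UNSAFE)" text carried its meaning verbatim while an icon alone does not, so the pushed `FontAwesomeIcon` should also get a `title` (rendered as a tooltip and exposed to assistive technology), e.g. `title='This action may crash or leave changes on the target'`, so the operator sees why the item is flagged. The `return (` block that consumes `displayLabel` continues past what this rendering shows.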