Still need to test on Linux
This commit is contained in:
parent
c371bf8ac5
commit
3469ec6996
|
@ -4,7 +4,6 @@ import random
|
||||||
import string
|
import string
|
||||||
import subprocess
|
import subprocess
|
||||||
|
|
||||||
import win32api
|
|
||||||
import win32con
|
import win32con
|
||||||
import win32process
|
import win32process
|
||||||
import win32security
|
import win32security
|
||||||
|
@ -15,6 +14,9 @@ from infection_monkey.post_breach.pba import PBA
|
||||||
from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
|
from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
|
||||||
from infection_monkey.utils import is_windows_os
|
from infection_monkey.utils import is_windows_os
|
||||||
|
|
||||||
|
CREATED_PROCESS_AS_USER_WINDOWS_FORMAT = "Created process '{}' as user '{}'."
|
||||||
|
CREATED_PROCESS_AS_USER_LINUX_FORMAT = "Created process '{}' as user '{}'. Some of the output was '{}'."
|
||||||
|
|
||||||
USERNAME = "somenewuser"
|
USERNAME = "somenewuser"
|
||||||
PASSWORD = "N3WPa55W0rD!1"
|
PASSWORD = "N3WPa55W0rD!1"
|
||||||
|
|
||||||
|
@ -60,12 +62,11 @@ class CommunicateAsNewUser(PBA):
|
||||||
try:
|
try:
|
||||||
# Open process as that user:
|
# Open process as that user:
|
||||||
# https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasusera
|
# https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasusera
|
||||||
return_value_create_process = win32process.CreateProcessAsUser(
|
commandline = "{} {}".format(ping_app_path, "google.com")
|
||||||
|
_ = win32process.CreateProcessAsUser(
|
||||||
new_user_logon_token_handle, # A handle to the primary token that represents a user.
|
new_user_logon_token_handle, # A handle to the primary token that represents a user.
|
||||||
# If both lpApplicationName and lpCommandLine are non-NULL, *lpApplicationName specifies the module
|
None, # The name of the module to be executed.
|
||||||
# to execute, and *lpCommandLine specifies the command line.
|
commandline, # The command line to be executed.
|
||||||
ping_app_path, # The name of the module to be executed.
|
|
||||||
"google.com", # The command line to be executed.
|
|
||||||
None, # Process attributes
|
None, # Process attributes
|
||||||
None, # Thread attributes
|
None, # Thread attributes
|
||||||
True, # Should inherit handles
|
True, # Should inherit handles
|
||||||
|
@ -77,18 +78,27 @@ class CommunicateAsNewUser(PBA):
|
||||||
win32process.STARTUPINFO() # STARTUPINFO structure.
|
win32process.STARTUPINFO() # STARTUPINFO structure.
|
||||||
# https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfoa
|
# https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfoa
|
||||||
)
|
)
|
||||||
|
|
||||||
|
PostBreachTelem(self, (
|
||||||
|
CREATED_PROCESS_AS_USER_WINDOWS_FORMAT.format(commandline, username), True)).send()
|
||||||
|
return
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
# TODO: if failed on 1314, try to add elevate the rights of the current user with the "Replace a
|
# TODO: if failed on 1314, we can try to add elevate the rights of the current user with the "Replace a
|
||||||
# process level token" right, using Local Security Policy editing (need to find how to do this using
|
# process level token" right, using Local Security Policy editing. Worked, but only after reboot. So:
|
||||||
# python...
|
# 1. need to decide if worth it, and then
|
||||||
|
# 2. need to find how to do this using python...
|
||||||
PostBreachTelem(self, (
|
PostBreachTelem(self, (
|
||||||
"Failed to open process as user {}. Error: {}".format(username, str(e)), False)).send()
|
"Failed to open process as user {}. Error: {}".format(username, str(e)), False)).send()
|
||||||
return
|
return
|
||||||
else:
|
else:
|
||||||
try:
|
try:
|
||||||
linux_cmds = BackdoorUser.get_linux_commands_to_add_user(username)
|
linux_cmds = BackdoorUser.get_linux_commands_to_add_user(username)
|
||||||
linux_cmds.extend([";", "sudo", "-", username, "-c", "'ping -c 2 google.com'"])
|
commandline = "'ping -c 2 google.com'"
|
||||||
subprocess.check_output(linux_cmds, stderr=subprocess.STDOUT, shell=True)
|
linux_cmds.extend([";", "sudo", "-", username, "-c", commandline])
|
||||||
|
output = subprocess.check_output(linux_cmds, stderr=subprocess.STDOUT, shell=True)
|
||||||
|
PostBreachTelem(self, (
|
||||||
|
CREATED_PROCESS_AS_USER_LINUX_FORMAT.format(commandline, username, output[:50]), True)).send()
|
||||||
|
return
|
||||||
except subprocess.CalledProcessError as e:
|
except subprocess.CalledProcessError as e:
|
||||||
PostBreachTelem(self, (e.output, False)).send()
|
PostBreachTelem(self, (e.output, False)).send()
|
||||||
return
|
return
|
||||||
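Review bot: The new Linux success telemetry (`CREATED_PROCESS_AS_USER_LINUX_FORMAT.format(commandline, username, output[:50])`) reports "Created process" on the strength of a `check_output` call that passes a list together with `shell=True`; in that form only the first list element is handed to `/bin/sh -c` and the remaining elements become the shell's positional parameters, so the `commandline` built two lines above is never actually executed and the telemetry would claim success for a command that did not run. Either pass a single joined string when `shell=True` is kept, or drop `shell=True` and pass the argument list, and only send the success telemetry once the returned output shows the intended command ran; note also that `output` is `bytes` under Python 3, so `output[:50]` would render as `b'...'` in the message — decode it first. In the Windows hunk at `@ -60,12 +62,11 @@`, `commandline = "{} {}".format(ping_app_path, "google.com")` is passed with `lpApplicationName=None`; if `ping_app_path` ever contains a space CreateProcess will parse the wrong executable, so quote it: `commandline = '"{}" {}'.format(ping_app_path, "google.com")`. The tuple returned by `CreateProcessAsUser` (process and thread handles) is discarded as `_` without `win32api.CloseHandle`, which leaks the handles; the enclosing method starts above the first hunk.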
|
|
|
@ -46,7 +46,9 @@ class PostBreach(object):
|
||||||
if ((m[1].__module__ == module.__name__) and issubclass(m[1], PBA))]
|
if ((m[1].__module__ == module.__name__) and issubclass(m[1], PBA))]
|
||||||
# Get post breach action object from class
|
# Get post breach action object from class
|
||||||
for pba_class in pba_classes:
|
for pba_class in pba_classes:
|
||||||
|
LOG.debug("Checking if should run PBA {}".format(pba_class.__name__))
|
||||||
if pba_class.should_run(pba_class.__name__):
|
if pba_class.should_run(pba_class.__name__):
|
||||||
pba = pba_class()
|
pba = pba_class()
|
||||||
pba_list.append(pba)
|
pba_list.append(pba)
|
||||||
|
LOG.debug("Added PBA {} to PBA list".format(pba_class.__name__))
|
||||||
return pba_list
|
return pba_list
|
||||||
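Review bot: The two added `LOG.debug` calls format eagerly with `str.format`, which builds the message even when debug logging is disabled; the logging module's lazy style is the usual convention, e.g. `LOG.debug("Checking if should run PBA %s", pba_class.__name__)` and `LOG.debug("Added PBA %s to PBA list", pba_class.__name__)`. The enclosing method starts above the hunk.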