From 196f814860d4802b2214de5f720805e52a617ccc Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Fri, 25 Mar 2022 12:54:03 +0530
Subject: [PATCH 1/2] Agent: Remove PBA's dependency on Plugin

---
 monkey/infection_monkey/post_breach/pba.py | 21 +--------------------
 1 file changed, 1 insertion(+), 20 deletions(-)

diff --git a/monkey/infection_monkey/post_breach/pba.py b/monkey/infection_monkey/post_breach/pba.py
index b9f72697f..1ee4c3cdc 100644
--- a/monkey/infection_monkey/post_breach/pba.py
+++ b/monkey/infection_monkey/post_breach/pba.py
@@ -1,31 +1,20 @@
 import logging
 import subprocess

-import infection_monkey.post_breach.actions
 from common.utils.attack_utils import ScanStatus
-from infection_monkey.config import WormConfiguration
 from infection_monkey.telemetry.attack.t1064_telem import T1064Telem
 from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
 from infection_monkey.utils.environment import is_windows_os
-from infection_monkey.utils.plugins.plugin import Plugin

 logger = logging.getLogger(__name__)


-class PBA(Plugin):
+class PBA:
 """
 Post breach action object. Can be extended to support more than command execution
 on target machine.
 """

- @staticmethod
- def base_package_name():
- return infection_monkey.post_breach.actions.__package__
-
- @staticmethod
- def base_package_file():
- return infection_monkey.post_breach.actions.__file__
-
 def __init__(self, name="unknown", linux_cmd="", windows_cmd=""):
 """
 :param name: Name of post breach action.
@@ -35,14 +24,6 @@ class PBA(Plugin):
 self.command = PBA.choose_command(linux_cmd, windows_cmd)
 self.name = name

- @staticmethod
- def should_run(class_name):
- """
- Decides if post breach action is enabled in config
- :return: True if it needs to be ran, false otherwise
- """
- return class_name in WormConfiguration.post_breach_actions
-
 def run(self):
 """
 Runs post breach action command
From dda922d06f9a18e7463f5ea8642e680132b365f3 Mon Sep 17 00:00:00 2001
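Review bot: The class docstring still describes `PBA` only as an object that "can be extended", but after this hunk it is no longer a `Plugin`, and the `base_package_name`/`base_package_file` helpers that pointed a loader at `infection_monkey.post_breach.actions` are gone with it. That change in how a PBA is meant to be found and constructed is worth a sentence in the docstring, e.g. `PBA subclasses are no longer discovered through Plugin; whoever runs them is responsible for instantiating them.` Whether anything outside this file still relies on the removed helpers cannot be seen from the diff, so that is the point to confirm before merge.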
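Review bot: Removing `should_run` deletes the only check in this file that gated a post-breach action on the configuration (`class_name in WormConfiguration.post_breach_actions`), so after this hunk nothing in `PBA` itself stops a disabled action from executing once it is instantiated. If the caller that now drives PBAs does not filter against the configured `post_breach_actions` list, every action that gets constructed will run; the diff does not show where that filtering lives, so I would confirm it exists or state in the commit body where the check moved. `__init__` and `run` both continue outside the hunk.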
From: Shreya Malviya
Date: Fri, 25 Mar 2022 13:09:10 +0530
Subject: [PATCH 2/2] Agent: Add display_name to PostBreachData

---
 monkey/infection_monkey/i_puppet/i_puppet.py | 2 +-
 monkey/infection_monkey/master/automated_master.py | 7 ++-----
 monkey/infection_monkey/master/mock_master.py | 8 ++++----
 monkey/infection_monkey/puppet/mock_puppet.py | 4 ++--
 4 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/monkey/infection_monkey/i_puppet/i_puppet.py b/monkey/infection_monkey/i_puppet/i_puppet.py
index d68e42049..f45048c06 100644
--- a/monkey/infection_monkey/i_puppet/i_puppet.py
+++ b/monkey/infection_monkey/i_puppet/i_puppet.py
@@ -34,7 +34,7 @@ class ExploiterResultData:
 PingScanData = namedtuple("PingScanData", ["response_received", "os"])
 PortScanData = namedtuple("PortScanData", ["port", "status", "banner", "service"])
 FingerprintData = namedtuple("FingerprintData", ["os_type", "os_version", "services"])
-PostBreachData = namedtuple("PostBreachData", ["command", "result"])
+PostBreachData = namedtuple("PostBreachData", ["display_name", "command", "result"])


 class IPuppet(metaclass=abc.ABCMeta):
diff --git a/monkey/infection_monkey/master/automated_master.py b/monkey/infection_monkey/master/automated_master.py
index f6f902a77..251240947 100644
--- a/monkey/infection_monkey/master/automated_master.py
+++ b/monkey/infection_monkey/master/automated_master.py
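Review bot: `PostBreachData` gains a new first field with nothing saying what `display_name` is for, while the TODO this same commit deletes in automated_master.py records the actual contract: it is the name shown in the Security report and the value the T1082 query in the ATT&CK report matches against. That belongs next to the definition, e.g. a comment above the line: `# display_name is what the Security report shows and what the T1082 ATT&CK query matches on; it must be the PBA's display name, not its class name.` Because namedtuple fields are positional, any `PostBreachData(command, result)` call that exists outside this diff will now raise a TypeError for the missing argument; that is loud rather than silent, but the non-mock puppet is not in the diff, so I would check it before merging.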
@@ -195,14 +195,11 @@ class AutomatedMaster(IMaster):
 logger.debug(f"No credentials were collected by {collector}")

 def _run_pba(self, pba: Tuple[str, Dict]):
- # TODO: This is the class's name right now. We need `display_name` (see the
- # ProcessListCollection PBA). This is shown in the Security report as the PBA
- # name and is checked against in the T1082's mongo query in the ATT&CK report.
 name = pba[0]
 options = pba[1]

- command, result = self._puppet.run_pba(name, options)
- self._telemetry_messenger.send_telemetry(PostBreachTelem(name, command, result))
+ display_name, command, result = self._puppet.run_pba(name, options)
+ self._telemetry_messenger.send_telemetry(PostBreachTelem(display_name, command, result))

 def _can_propagate(self) -> bool:
 return True
diff --git a/monkey/infection_monkey/master/mock_master.py b/monkey/infection_monkey/master/mock_master.py
index 8542ade12..528f0ec3d 100644
--- a/monkey/infection_monkey/master/mock_master.py
+++ b/monkey/infection_monkey/master/mock_master.py
@@ -50,12 +50,12 @@ class MockMaster(IMaster):
 logger.info("Running post breach actions")

 name = "AccountDiscovery"
- command, result = self._puppet.run_pba(name, {})
- self._telemetry_messenger.send_telemetry(PostBreachTelem(name, command, result))
+ display_name, command, result = self._puppet.run_pba(name, {})
+ self._telemetry_messenger.send_telemetry(PostBreachTelem(display_name, command, result))

 name = "CommunicateAsBackdoorUser"
- command, result = self._puppet.run_pba(name, {})
- self._telemetry_messenger.send_telemetry(PostBreachTelem(name, command, result))
+ display_name, command, result = self._puppet.run_pba(name, {})
+ self._telemetry_messenger.send_telemetry(PostBreachTelem(display_name, command, result))
 logger.info("Finished running post breach actions")

 def _scan_victims(self):
diff --git a/monkey/infection_monkey/puppet/mock_puppet.py b/monkey/infection_monkey/puppet/mock_puppet.py
index 4ac6f3c2f..0196076ad 100644
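Review bot: `_run_pba` unpacks the puppet's result positionally, so the meaning of each local now depends on the field order of `PostBreachData`, which this very commit reorders; binding the namedtuple and reading its fields by name is robust to that and self-documenting: `pba_data = self._puppet.run_pba(name, options)` / `self._telemetry_messenger.send_telemetry(PostBreachTelem(pba_data.display_name, pba_data.command, pba_data.result))`. The same positional unpacking is repeated twice in the mock_master.py hunk. The deleted TODO was the only place that explained why `display_name`, and not the class name, must reach `PostBreachTelem` (the Security report shows it and the T1082 ATT&CK query matches on it); keeping one line of that reasoning, e.g. `# The reports key on the PBA's display_name, not its class name`, preserves the constraint for whoever implements the real puppet's run_pba, which is not in this diff.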
--- a/monkey/infection_monkey/puppet/mock_puppet.py
+++ b/monkey/infection_monkey/puppet/mock_puppet.py
@@ -53,9 +53,9 @@ class MockPuppet(IPuppet):
 logger.debug(f"run_pba({name}, {options})")

 if name == "AccountDiscovery":
- return PostBreachData("pba command 1", ["pba result 1", True])
+ return PostBreachData(name, "pba command 1", ["pba result 1", True])
 else:
- return PostBreachData("pba command 2", ["pba result 2", False])
+ return PostBreachData(name, "pba command 2", ["pba result 2", False])

 def ping(self, host: str, timeout: float = 1) -> PingScanData:
 logger.debug(f"run_ping({host}, {timeout})")
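Review bot: Both branches pass `name` straight through as `display_name`, so the mock reproduces exactly the class-name-as-display-name situation that the TODO removed in automated_master.py describes as the problem, and a test driven by this mock cannot tell whether the master forwarded `display_name` or `name` into `PostBreachTelem`. Returning a value that visibly differs from `name`, for example `return PostBreachData(f"{name} (display)", "pba command 1", ["pba result 1", True])` in the first branch and the same pattern in the `else`, makes the two distinguishable. `run_pba`'s signature line is above the hunk, so its declared return type should be checked to still read `PostBreachData`.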