Merge pull request #1815 from guardicore/1604-remove-pba-plugin-dependency

Remove PBA's Plugin dependency + add display_name to PostBreachData

monkey/infection_monkey/i_puppet/i_puppet.py

@@ -34,7 +34,7 @@ class ExploiterResultData:
 PingScanData = namedtuple("PingScanData", ["response_received", "os"])
 PortScanData = namedtuple("PortScanData", ["port", "status", "banner", "service"])
 FingerprintData = namedtuple("FingerprintData", ["os_type", "os_version", "services"])
-PostBreachData = namedtuple("PostBreachData", ["command", "result"])
+PostBreachData = namedtuple("PostBreachData", ["display_name", "command", "result"])
 
 
 class IPuppet(metaclass=abc.ABCMeta):

monkey/infection_monkey/master/automated_master.py

@@ -195,14 +195,11 @@ class AutomatedMaster(IMaster):
             logger.debug(f"No credentials were collected by {collector}")
 
     def _run_pba(self, pba: Tuple[str, Dict]):
-        # TODO: This is the class's name right now. We need `display_name` (see the
-        #       ProcessListCollection PBA). This is shown in the Security report as the PBA
-        #       name and is checked against in the T1082's mongo query in the ATT&CK report.
         name = pba[0]
         options = pba[1]
 
-        command, result = self._puppet.run_pba(name, options)
-        self._telemetry_messenger.send_telemetry(PostBreachTelem(name, command, result))
+        display_name, command, result = self._puppet.run_pba(name, options)
+        self._telemetry_messenger.send_telemetry(PostBreachTelem(display_name, command, result))
 
     def _can_propagate(self) -> bool:
         return True

monkey/infection_monkey/master/mock_master.py

@@ -50,12 +50,12 @@ class MockMaster(IMaster):
 
         logger.info("Running post breach actions")
         name = "AccountDiscovery"
-        command, result = self._puppet.run_pba(name, {})
-        self._telemetry_messenger.send_telemetry(PostBreachTelem(name, command, result))
+        display_name, command, result = self._puppet.run_pba(name, {})
+        self._telemetry_messenger.send_telemetry(PostBreachTelem(display_name, command, result))
 
         name = "CommunicateAsBackdoorUser"
-        command, result = self._puppet.run_pba(name, {})
-        self._telemetry_messenger.send_telemetry(PostBreachTelem(name, command, result))
+        display_name, command, result = self._puppet.run_pba(name, {})
+        self._telemetry_messenger.send_telemetry(PostBreachTelem(display_name, command, result))
         logger.info("Finished running post breach actions")
 
     def _scan_victims(self):

monkey/infection_monkey/post_breach/pba.py

@@ -1,31 +1,20 @@
 import logging
 import subprocess
 
-import infection_monkey.post_breach.actions
 from common.utils.attack_utils import ScanStatus
-from infection_monkey.config import WormConfiguration
 from infection_monkey.telemetry.attack.t1064_telem import T1064Telem
 from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
 from infection_monkey.utils.environment import is_windows_os
-from infection_monkey.utils.plugins.plugin import Plugin
 
 logger = logging.getLogger(__name__)
 
 
-class PBA(Plugin):
+class PBA:
     """
     Post breach action object. Can be extended to support more than command execution on target
     machine.
     """
 
-    @staticmethod
-    def base_package_name():
-        return infection_monkey.post_breach.actions.__package__
-
-    @staticmethod
-    def base_package_file():
-        return infection_monkey.post_breach.actions.__file__
-
     def __init__(self, name="unknown", linux_cmd="", windows_cmd=""):
         """
         :param name: Name of post breach action.
@@ -35,14 +24,6 @@ class PBA(Plugin):
         self.command = PBA.choose_command(linux_cmd, windows_cmd)
         self.name = name
 
-    @staticmethod
-    def should_run(class_name):
-        """
-        Decides if post breach action is enabled in config
-        :return: True if it needs to be ran, false otherwise
-        """
-        return class_name in WormConfiguration.post_breach_actions
-
     def run(self):
         """
         Runs post breach action command

monkey/infection_monkey/puppet/mock_puppet.py

@@ -53,9 +53,9 @@ class MockPuppet(IPuppet):
         logger.debug(f"run_pba({name}, {options})")
 
         if name == "AccountDiscovery":
-            return PostBreachData("pba command 1", ["pba result 1", True])
+            return PostBreachData(name, "pba command 1", ["pba result 1", True])
         else:
-            return PostBreachData("pba command 2", ["pba result 2", False])
+            return PostBreachData(name, "pba command 2", ["pba result 2", False])
 
     def ping(self, host: str, timeout: float = 1) -> PingScanData:
         logger.debug(f"run_ping({host}, {timeout})")