diff --git a/monkey/common/tags/__init__.py b/monkey/common/tags/__init__.py
new file mode 100644
index 000000000..ea08aa9f5
--- /dev/null
+++ b/monkey/common/tags/__init__.py
@@ -0,0 +1,13 @@
+from .attack import (
+ T1003_ATTACK_TECHNIQUE_TAG,
+ T1005_ATTACK_TECHNIQUE_TAG,
+ T1021_ATTACK_TECHNIQUE_TAG,
+ T1098_ATTACK_TECHNIQUE_TAG,
+ T1105_ATTACK_TECHNIQUE_TAG,
+ T1110_ATTACK_TECHNIQUE_TAG,
+ T1145_ATTACK_TECHNIQUE_TAG,
+ T1203_ATTACK_TECHNIQUE_TAG,
+ T1210_ATTACK_TECHNIQUE_TAG,
+ T1222_ATTACK_TECHNIQUE_TAG,
+ T1570_ATTACK_TECHNIQUE_TAG,
+)
diff --git a/monkey/common/tags/attack.py b/monkey/common/tags/attack.py
new file mode 100644
index 000000000..e8881dfa7
--- /dev/null
+++ b/monkey/common/tags/attack.py
@@ -0,0 +1,11 @@
+T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
+T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005"
+T1021_ATTACK_TECHNIQUE_TAG = "attack-t1021"
+T1098_ATTACK_TECHNIQUE_TAG = "attack-t1098"
+T1105_ATTACK_TECHNIQUE_TAG = "attack-t1105"
+T1110_ATTACK_TECHNIQUE_TAG = "attack-t1110"
+T1145_ATTACK_TECHNIQUE_TAG = "attack-t1145"
+T1203_ATTACK_TECHNIQUE_TAG = "attack-t1203"
+T1210_ATTACK_TECHNIQUE_TAG = "attack-t1210"
+T1222_ATTACK_TECHNIQUE_TAG = "attack-t1222"
+T1570_ATTACK_TECHNIQUE_TAG = "attack-t1570"
diff --git a/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py b/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py
index b4bf4135e..4e3efd594 100644
--- a/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py
+++ b/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py
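Review bot: The new `attack.py` module carries no docstring saying what these strings are or the convention that produces them, so a reader of `MIMIKATZ_EVENT_TAGS` or a consumer of the tagged events has to guess that `attack-t1003` denotes MITRE ATT&CK technique T1003. A short module docstring would fix that: `"""Tags marking an agent event as evidence of a MITRE ATT&CK technique. Each tag is the technique ID, lowercased and prefixed with "attack-"."""`. Because the tags are free-form strings matched by name elsewhere, a typo in a future tag silently drops that technique from reporting, so a tiny test asserting every `*_ATTACK_TECHNIQUE_TAG` matches `^attack-t\d{4}$` and agrees with the ID in its constant name would be cheap insurance. T1145 (Private Keys) also appears to have been retired from current ATT&CK in favour of T1552.004; if the reporting side maps these tags to live ATT&CK IDs, that entry deserves a comment saying which version it targets.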
@@ -4,6 +4,7 @@ from typing import Sequence from common.agent_events import CredentialsStolenEvent from common.credentials import Credentials, LMHash, NTHash, Password, Username from common.event_queue import IAgentEventQueue +from common.tags import T1003_ATTACK_TECHNIQUE_TAG, T1005_ATTACK_TECHNIQUE_TAG from infection_monkey.i_puppet import ICredentialCollector from infection_monkey.model import USERNAME_PREFIX from infection_monkey.utils.ids import get_agent_id @@ -15,8 +16,6 @@ logger = logging.getLogger(__name__) MIMIKATZ_CREDENTIAL_COLLECTOR_TAG = "mimikatz-credentials-collector" -T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003" -T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005" MIMIKATZ_EVENT_TAGS = frozenset( ( @@ -28,8 +27,8 @@ MIMIKATZ_EVENT_TAGS = frozenset( class MimikatzCredentialCollector(ICredentialCollector): - def __init__(self, event_queue: IAgentEventQueue): - self._event_queue = event_queue + def __init__(self, agent_event_queue: IAgentEventQueue): + self._agent_event_queue = agent_event_queue def collect_credentials(self, options=None) -> Sequence[Credentials]: logger.info("Attempting to collect windows credentials with pypykatz.") @@ -82,4 +81,4 @@ class MimikatzCredentialCollector(ICredentialCollector): stolen_credentials=collected_credentials, ) - self._event_queue.publish(credentials_stolen_event) + self._agent_event_queue.publish(credentials_stolen_event) diff --git a/monkey/infection_monkey/credential_collectors/ssh_collector/ssh_credential_collector.py b/monkey/infection_monkey/credential_collectors/ssh_collector/ssh_credential_collector.py index ed0fc1a8e..d4c1c84da 100644 --- a/monkey/infection_monkey/credential_collectors/ssh_collector/ssh_credential_collector.py +++ b/monkey/infection_monkey/credential_collectors/ssh_collector/ssh_credential_collector.py 
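Review bot: Renaming the constructor parameter from `event_queue` to `agent_event_queue` changes the keyword name callers and tests may rely on, and the diff does not show the site that constructs `MimikatzCredentialCollector`, so a call such as `MimikatzCredentialCollector(event_queue=q)` would now raise `TypeError`. Presumably the wiring was updated elsewhere; worth confirming, and the same applies to anything that imported the now-removed module-level `T1003_ATTACK_TECHNIQUE_TAG` / `T1005_ATTACK_TECHNIQUE_TAG` from this module rather than from `common.tags`. While touching `__init__`, a one-line docstring would make the dependency explicit: `"""Collector for Windows credentials; agent_event_queue receives the CredentialsStolenEvent published after collection."""`.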
@@ -15,13 +15,15 @@ class SSHCredentialCollector(ICredentialCollector): SSH keys credential collector """ - def __init__(self, telemetry_messenger: ITelemetryMessenger, event_queue: IAgentEventQueue): + def __init__( + self, telemetry_messenger: ITelemetryMessenger, agent_event_queue: IAgentEventQueue + ): self._telemetry_messenger = telemetry_messenger - self._event_queue = event_queue + self._agent_event_queue = agent_event_queue def collect_credentials(self, _options=None) -> Sequence[Credentials]: logger.info("Started scanning for SSH credentials") - ssh_info = ssh_handler.get_ssh_info(self._telemetry_messenger, self._event_queue) + ssh_info = ssh_handler.get_ssh_info(self._telemetry_messenger, self._agent_event_queue) logger.info("Finished scanning for SSH credentials") return ssh_handler.to_credentials(ssh_info) diff --git a/monkey/infection_monkey/credential_collectors/ssh_collector/ssh_handler.py b/monkey/infection_monkey/credential_collectors/ssh_collector/ssh_handler.py index e6add5589..3776ce8ef 100644 --- a/monkey/infection_monkey/credential_collectors/ssh_collector/ssh_handler.py +++ b/monkey/infection_monkey/credential_collectors/ssh_collector/ssh_handler.py @@ -6,6 +6,11 @@ from typing import Dict, Iterable, Sequence from common.agent_events import CredentialsStolenEvent from common.credentials import Credentials, SSHKeypair, Username from common.event_queue import IAgentEventQueue +from common.tags import ( + T1003_ATTACK_TECHNIQUE_TAG, + T1005_ATTACK_TECHNIQUE_TAG, + T1145_ATTACK_TECHNIQUE_TAG, +) from common.utils.attack_utils import ScanStatus from infection_monkey.telemetry.attack.t1005_telem import T1005Telem from infection_monkey.telemetry.attack.t1145_telem import T1145Telem 
@@ -17,9 +22,6 @@ logger = logging.getLogger(__name__) DEFAULT_DIRS = ["/.ssh/", "/"] SSH_CREDENTIAL_COLLECTOR_TAG = "ssh-credentials-collector" -T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003" -T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005" -T1145_ATTACK_TECHNIQUE_TAG = "attack-t1145" SSH_COLLECTOR_EVENT_TAGS = frozenset( ( @@ -32,7 +34,7 @@ SSH_COLLECTOR_EVENT_TAGS = frozenset( def get_ssh_info( - telemetry_messenger: ITelemetryMessenger, event_queue: IAgentEventQueue + telemetry_messenger: ITelemetryMessenger, agent_event_queue: IAgentEventQueue ) -> Iterable[Dict]: # TODO: Remove this check when this is turned into a plugin. if is_windows_os(): @@ -42,7 +44,7 @@ def get_ssh_info( return [] home_dirs = _get_home_dirs() - ssh_info = _get_ssh_files(home_dirs, telemetry_messenger, event_queue) + ssh_info = _get_ssh_files(home_dirs, telemetry_messenger, agent_event_queue) return ssh_info @@ -83,7 +85,7 @@ def _get_ssh_struct(name: str, home_dir: str) -> Dict: def _get_ssh_files( user_info: Iterable[Dict], telemetry_messenger: ITelemetryMessenger, - event_queue: IAgentEventQueue, + agent_event_queue: IAgentEventQueue, ) -> Iterable[Dict]: for info in user_info: path = info["home_dir"] @@ -125,7 +127,7 @@ def _get_ssh_files( collected_credentials = to_credentials([info]) _publish_credentials_stolen_event( - collected_credentials, event_queue + collected_credentials, agent_event_queue ) else: continue @@ -170,7 +172,7 @@ def to_credentials(ssh_info: Iterable[Dict]) -> Sequence[Credentials]: def _publish_credentials_stolen_event( - collected_credentials: Credentials, event_queue: IAgentEventQueue + collected_credentials: Sequence[Credentials], agent_event_queue: IAgentEventQueue ): credentials_stolen_event = CredentialsStolenEvent( source=get_agent_id(), @@ -178,4 +180,4 @@ def _publish_credentials_stolen_event( stolen_credentials=collected_credentials, ) - event_queue.publish(credentials_stolen_event) + agent_event_queue.publish(credentials_stolen_event) 
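Review bot: `_publish_credentials_stolen_event` gets a corrected `Sequence[Credentials]` annotation but still no docstring, and the event it builds carries the collected SSH credentials themselves as `stolen_credentials`, so every subscriber of `agent_event_queue` receives the credential payload rather than a mere notification. If the `SSHKeypair` objects produced by `to_credentials` hold private-key bytes (that function is outside the hunk), any consumer that logs or persists the event payload becomes a place the private key can leak, and the docstring should say so: `"""Publish a CredentialsStolenEvent for the SSH credentials just collected. The payload includes the credential material itself, so event consumers must treat it as secret."""`. The function is split across the last two hunks and at least one of its lines between them (presumably the `tags=` argument) is not shown here.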
diff --git a/monkey/infection_monkey/exploit/zerologon.py b/monkey/infection_monkey/exploit/zerologon.py index bae4a4054..19445f6ab 100644 --- a/monkey/infection_monkey/exploit/zerologon.py +++ b/monkey/infection_monkey/exploit/zerologon.py @@ -18,6 +18,7 @@ from impacket.dcerpc.v5.dtypes import NULL from common.agent_events import CredentialsStolenEvent from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT from common.credentials import Credentials, LMHash, NTHash, Username +from common.tags import T1003_ATTACK_TECHNIQUE_TAG, T1098_ATTACK_TECHNIQUE_TAG from infection_monkey.exploit.HostExploiter import HostExploiter from infection_monkey.exploit.tools.wmi_tools import WmiTools from infection_monkey.exploit.zerologon_utils.dump_secrets import DumpSecrets @@ -32,9 +33,6 @@ from infection_monkey.utils.threading import interruptible_iter logger = logging.getLogger(__name__) ZEROLOGON_EXPLOITER_TAG = "zerologon-exploiter" -T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003" -T1098_ATTACK_TECHNIQUE_TAG = "attack-t1098" - ZEROLOGON_EVENT_TAGS = frozenset( { @@ -315,7 +313,7 @@ class ZerologonExploiter(HostExploiter): tags=ZEROLOGON_EVENT_TAGS, stolen_credentials=extracted_credentials, ) - self.event_queue.publish(credentials_stolen_event) + self.agent_event_queue.publish(credentials_stolen_event) def get_original_pwd_nthash(self, username: str, user_pwd_hashes: List[str]) -> Optional[str]: if not self.save_HKLM_keys_locally(username, user_pwd_hashes): diff --git a/vulture_allowlist.py b/vulture_allowlist.py index fc890fd8e..89384e69d 100644 --- a/vulture_allowlist.py +++ b/vulture_allowlist.py 
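Review bot: The publish call now reads `self.agent_event_queue`, but nothing in this diff renames that attribute on `HostExploiter` (the base class is only touched through the vulture allowlist import), so unless the rename landed in an earlier commit this line raises `AttributeError` at runtime. That line sits on the path reached only after a successful Zerologon exploitation and secrets dump, which unit tests are unlikely to exercise, so it is worth confirming the attribute name against `HostExploiter` explicitly rather than relying on the suite. The enclosing method starts outside the hunk; `get_original_pwd_nthash` below it is shown only as context.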
@@ -9,11 +9,17 @@ from common.agent_configuration.agent_sub_configurations import ( ) from common.agent_events import ExploitationEvent, PingScanEvent, PropagationEvent, TCPScanEvent from common.credentials import Credentials, LMHash, NTHash -from infection_monkey.exploit.HostExploiter.HostExploiter import ( - _publish_exploitation_event, - _publish_propagation_event, +from common.tags import ( + T1021_ATTACK_TECHNIQUE_TAG, + T1105_ATTACK_TECHNIQUE_TAG, + T1110_ATTACK_TECHNIQUE_TAG, + T1203_ATTACK_TECHNIQUE_TAG, + T1210_ATTACK_TECHNIQUE_TAG, + T1222_ATTACK_TECHNIQUE_TAG, + T1570_ATTACK_TECHNIQUE_TAG, ) from common.types import NetworkPort, NetworkService +from infection_monkey.exploit.HostExploiter import HostExploiter from infection_monkey.exploit.log4shell_utils.ldap_server import LDAPServerFactory from monkey_island.cc.models import Machine, Node, Report from monkey_island.cc.models.networkmap import Arc, NetworkMap @@ -319,8 +325,17 @@ TCPScanEvent TCPScanEvent.port_status # TODO: Remove once #2269 is close -_publish_exploitation_event, -_publish_propagation_event, +PropagationEvent +ExploitationEvent +T1021_ATTACK_TECHNIQUE_TAG +T1105_ATTACK_TECHNIQUE_TAG +T1110_ATTACK_TECHNIQUE_TAG +T1203_ATTACK_TECHNIQUE_TAG +T1210_ATTACK_TECHNIQUE_TAG +T1222_ATTACK_TECHNIQUE_TAG +T1570_ATTACK_TECHNIQUE_TAG +HostExploiter._publish_propagation_event +HostExploiter._publish_exploitation_event # pydantic base models underscore_attrs_are_private
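Review bot: The seven `T1xxx_ATTACK_TECHNIQUE_TAG` names and the two event classes are added directly under the existing `# TODO: Remove once #2269 is close` comment, which makes it read as if that issue owns all of them, while the tags appear to be allow-listed simply because no exploiter emits them yet. A separate comment above the tag entries would keep the TODO honest, e.g. `# ATT&CK tags defined in common.tags but not yet emitted by any exploiter; drop each entry once it is used`, if that is indeed the reason. Allow-listing a tag also hides the signal that a declared technique has no producer, so a periodic check that each tag in this list is still genuinely unreferenced is worth keeping in mind.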