diff --git a/monkey/infection_monkey/exploit/zerologon.py b/monkey/infection_monkey/exploit/zerologon.py
index e435c4a58..b4473c1f9 100644
--- a/monkey/infection_monkey/exploit/zerologon.py
+++ b/monkey/infection_monkey/exploit/zerologon.py
@@ -566,8 +566,6 @@ class DumpSecrets:
 if self.__NTDS_hashes:
 self.__NTDS_hashes.finish()
-# how to execute monkey on exploited machine
-# clean up logging
 # mention in report explicitly - machine exploited/not (return True, if yes) & password restored/not
 # mention patching details in report
 # add exploit info to documentation
@@ -604,7 +602,7 @@ class Wmiexec:
 oxidResolver=True)
 try:
- iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)
+ iInterface = self.dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)
 iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
 self.iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
 iWbemLevel1Login.RemRelease()
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py
index d8ee9de26..399be0992 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py
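Review bot: `iWbemLevel1Login.RemRelease()` on the last line of the Wmiexec hunk only runs if `NTLMLogin('//./root/cimv2', NULL, NULL)` succeeds, so a failed WMI login leaves the IWbemLevel1Login interface unreleased on the DCOM connection the `dcom` → `self.dcom` fix now correctly reaches (the attribute is presumably set by the `DCOMConnection(..., oxidResolver=True)` call that ends just above). Releasing it in a `finally` right after the `wmi.IWbemLevel1Login(iInterface)` line covers both paths: `try:` / `self.iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)` / `finally: iWbemLevel1Login.RemRelease()`. The `try:` opened in this hunk and its `except` clause continue outside it, so whether that path already disconnects `self.dcom` cannot be checked here.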
@@ -12,9 +12,14 @@ class T1003(AttackTechnique):
 scanned_msg = ""
 used_msg = "Monkey successfully obtained some credentials from systems on the network."
- query = {'telem_category': 'system_info', '$and': [{'data.credentials': {'$exists': True}},
- # $gt: {} checks if field is not an empty object
- {'data.credentials': {'$gt': {}}}]}
+ query = {'$or': [
+ {'telem_category': 'system_info',
+ '$and': [{'data.credentials': {'$exists': True}},
+ {'data.credentials': {'$gt': {}}}]}, # $gt: {} checks if field is not an empty object
+ {'telem_category': 'exploit',
+ '$and': [{'data.info.credentials': {'$exists': True}},
+ {'data.info.credentials': {'$gt': {}}}]}
+ ]}
 @staticmethod
 def get_report_data():
diff --git a/monkey/monkey_island/cc/services/reporting/report.py b/monkey/monkey_island/cc/services/reporting/report.py
index 7c45f1823..c8993080f 100644
--- a/monkey/monkey_island/cc/services/reporting/report.py
+++ b/monkey/monkey_island/cc/services/reporting/report.py
@@ -188,7 +188,9 @@ class ReportService:
 {'data.credentials': 1, 'monkey_guid': 1}
 ):
 monkey_creds = telem['data']['credentials']
- creds.append(ReportService._format_creds_for_reporting(telem, monkey_creds))
+ formatted_creds = ReportService._format_creds_for_reporting(telem, monkey_creds)
+ if formatted_creds:
+ creds.extend(formatted_creds)
 # stolen creds from exploiters
 for telem in mongo.db.telemetry.find(
@@ -196,7 +198,9 @@ class ReportService:
 {'data.info.credentials': 1, 'monkey_guid': 1}
 ):
 monkey_creds = telem['data']['info']['credentials']
- creds.append(ReportService._format_creds_for_reporting(telem, monkey_creds))
+ formatted_creds = ReportService._format_creds_for_reporting(telem, monkey_creds)
+ if formatted_creds:
+ creds.extend(formatted_creds)
 logger.info('Stolen creds generated for reporting')
 return creds
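Review bot: Each `$or` branch of the new `query` wraps two conditions on the same field in an explicit `$and`, which MongoDB does not need; the operators can be combined on the field and the explanatory comment kept beside them, e.g. `{'telem_category': 'exploit', 'data.info.credentials': {'$exists': True, '$gt': {}}},  # $gt: {} rejects an empty object` and the same shape for the `system_info` branch. `$exists: True` is in fact implied by `$gt: {}`, since a missing field never satisfies `$gt`, so keeping it is harmless but redundant. The two branches also appear to mirror the two telemetry lookups the report service does for stolen credentials, whose filters are outside this diff; if the selection is meant to stay in step, a shared constant would stop the two from drifting. The `class T1003(AttackTechnique):` header and the rest of the class lie outside the hunk.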
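Review bot: The `if formatted_creds:` guard added before `creds.extend(formatted_creds)` exists only because `_format_creds_for_reporting` may return something falsy; `list.extend([])` is already a no-op, so once the helper returns its (possibly empty) list the whole addition collapses to `creds.extend(ReportService._format_creds_for_reporting(telem, monkey_creds))`. The two `for telem in mongo.db.telemetry.find(...)` loops in this and the following hunk now differ only in the projection and in the `['data']['credentials']` versus `['data']['info']['credentials']` path, so a small private helper taking that path would remove the duplicated block. The `find()` filters and the enclosing method's signature are outside the hunk, so whether they already exclude empty credential objects cannot be confirmed here.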
@@ -206,7 +210,7 @@ class ReportService:
 creds = []
 PASS_TYPE_DICT = {'password': 'Clear Password', 'lm_hash': 'LM hash', 'ntlm_hash': 'NTLM hash'}
 if len(monkey_creds) == 0:
- continue
+ return
 origin = NodeService.get_monkey_by_guid(telem['monkey_guid'])['hostname']
 for user in monkey_creds:
 for pass_type in PASS_TYPE_DICT:
diff --git a/monkey/monkey_island/cc/services/telemetry/processing/exploit.py b/monkey/monkey_island/cc/services/telemetry/processing/exploit.py
index 2b7fc718a..e0bbc087f 100644
--- a/monkey/monkey_island/cc/services/telemetry/processing/exploit.py
+++ b/monkey/monkey_island/cc/services/telemetry/processing/exploit.py
@@ -31,7 +31,6 @@ def process_exploit_telemetry(telemetry_json):
 def add_exploit_extracted_creds_to_config(telemetry_json):
 if 'credentials' in telemetry_json['data']['info']:
 creds = telemetry_json['data']['info']['credentials']
- add_system_info_creds_to_config(creds)
 for user in creds:
 ConfigService.creds_add_username(creds[user]['username'])
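Review bot: The bare `return` that replaces the stray `continue` makes `_format_creds_for_reporting` return `None` on the empty path while the other path presumably returns the `creds` list initialised on the first line of the hunk, so every caller has to guard against a non-list; `if not monkey_creds: return creds` keeps the return type uniform and lets callers extend unconditionally. `PASS_TYPE_DICT` maps `'password'` to `'Clear Password'`, so whatever this function emits is likely to carry plaintext credentials harvested from the network; a one-line docstring stating that the returned entries are sensitive and must not be logged or cached outside the report would help the next maintainer. The `def` line of the function and the body of the `for pass_type in PASS_TYPE_DICT:` loop are outside the hunk.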