Changes after manual testing

monkey/infection_monkey/exploit/zerologon.py

@@ -566,8 +566,6 @@ class DumpSecrets:
         if self.__NTDS_hashes:
             self.__NTDS_hashes.finish()
 
-# how to execute monkey on exploited machine
-# clean up logging
 # mention in report explicitly - machine exploited/not (return True, if yes) & password restored/not
 # mention patching details in report
 # add exploit info to documentation
@@ -604,7 +602,7 @@ class Wmiexec:
                                    oxidResolver=True)
 
         try:
-            iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)
+            iInterface = self.dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)
             iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
             self.iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
             iWbemLevel1Login.RemRelease()

monkey/monkey_island/cc/services/attack/technique_reports/T1003.py

@@ -12,9 +12,14 @@ class T1003(AttackTechnique):
     scanned_msg = ""
     used_msg = "Monkey successfully obtained some credentials from systems on the network."
 
-    query = {'telem_category': 'system_info', '$and': [{'data.credentials': {'$exists': True}},
-                                                       # $gt: {} checks if field is not an empty object
-                                                       {'data.credentials': {'$gt': {}}}]}
+    query = {'$or': [
+        {'telem_category': 'system_info',
+         '$and': [{'data.credentials': {'$exists': True}},
+                  {'data.credentials': {'$gt': {}}}]},  # $gt: {} checks if field is not an empty object
+        {'telem_category': 'exploit',
+         '$and': [{'data.info.credentials': {'$exists': True}},
+                  {'data.info.credentials': {'$gt': {}}}]}
+    ]}
 
     @staticmethod
     def get_report_data():

monkey/monkey_island/cc/services/reporting/report.py

@@ -188,7 +188,9 @@ class ReportService:
                 {'data.credentials': 1, 'monkey_guid': 1}
         ):
             monkey_creds = telem['data']['credentials']
-            creds.append(ReportService._format_creds_for_reporting(telem, monkey_creds))
+            formatted_creds = ReportService._format_creds_for_reporting(telem, monkey_creds)
+            if formatted_creds:
+                creds.extend(formatted_creds)
 
         # stolen creds from exploiters
         for telem in mongo.db.telemetry.find(
@@ -196,7 +198,9 @@ class ReportService:
                 {'data.info.credentials': 1, 'monkey_guid': 1}
         ):
             monkey_creds = telem['data']['info']['credentials']
-            creds.append(ReportService._format_creds_for_reporting(telem, monkey_creds))
+            formatted_creds = ReportService._format_creds_for_reporting(telem, monkey_creds)
+            if formatted_creds:
+                creds.extend(formatted_creds)
 
         logger.info('Stolen creds generated for reporting')
         return creds
@@ -206,7 +210,7 @@ class ReportService:
         creds = []
         PASS_TYPE_DICT = {'password': 'Clear Password', 'lm_hash': 'LM hash', 'ntlm_hash': 'NTLM hash'}
         if len(monkey_creds) == 0:
-            continue
+            return
         origin = NodeService.get_monkey_by_guid(telem['monkey_guid'])['hostname']
         for user in monkey_creds:
             for pass_type in PASS_TYPE_DICT:

monkey/monkey_island/cc/services/telemetry/processing/exploit.py

@@ -31,7 +31,6 @@ def process_exploit_telemetry(telemetry_json):
 def add_exploit_extracted_creds_to_config(telemetry_json):
     if 'credentials' in telemetry_json['data']['info']:
         creds = telemetry_json['data']['info']['credentials']
-        add_system_info_creds_to_config(creds)
 
     for user in creds:
         ConfigService.creds_add_username(creds[user]['username'])