Island: remove azure credential collector

VakarisZ 2021-11-15 12:47:39 +02:00
parent ada9237a8b
commit f4ee95418d
6 changed files with 0 additions and 85 deletions

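--- a/unknown-path
+++ b/unknown-path
@@ -1,6 +1,5 @@
 from common.common_consts.system_info_collectors_names import (
     AWS_COLLECTOR,
-    AZURE_CRED_COLLECTOR,
     ENVIRONMENT_COLLECTOR,
     HOSTNAME_COLLECTOR,
     MIMIKATZ_COLLECTOR,
@@ -53,13 +52,5 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
             "info": "Collects a list of running processes on the machine.",
             "attack_techniques": ["T1082"],
         },
-        {
-            "type": "string",
-            "enum": [AZURE_CRED_COLLECTOR],
-            "title": "Azure Credential Collector",
-            "safe": True,
-            "info": "Collects password credentials from Azure VMs",
-            "attack_techniques": ["T1003", "T1005"],
-        },
     ],
 }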

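--- a/unknown-path
+++ b/unknown-path
@@ -1,6 +1,5 @@
 from common.common_consts.system_info_collectors_names import (
     AWS_COLLECTOR,
-    AZURE_CRED_COLLECTOR,
     ENVIRONMENT_COLLECTOR,
     HOSTNAME_COLLECTOR,
     MIMIKATZ_COLLECTOR,
@@ -94,7 +93,6 @@ MONKEY = {
                     HOSTNAME_COLLECTOR,
                     PROCESS_LIST_COLLECTOR,
                     MIMIKATZ_COLLECTOR,
-                    AZURE_CRED_COLLECTOR,
                 ],
             },
         },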

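--- a/unknown-path
+++ b/unknown-path
@@ -86,7 +86,6 @@ class AWSExporter(Exporter):
             ExploiterDescriptorEnum.STRUTS2.value.class_name: AWSExporter._handle_struts2_issue,
             ExploiterDescriptorEnum.WEBLOGIC.value.class_name: AWSExporter._handle_weblogic_issue,
             ExploiterDescriptorEnum.HADOOP.value.class_name: AWSExporter._handle_hadoop_issue,
-            # azure and conficker are not relevant issues for an AWS env
         }
         configured_product_arn = INFECTION_MONKEY_ARN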

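--- a/unknown-path
+++ b/unknown-path
@@ -97,24 +97,6 @@ class ReportService:
             for tunnel in mongo.db.monkey.find({"tunnel": {"$exists": True}}, {"tunnel": 1})
         ]
-    @staticmethod
-    def get_azure_issues():
-        creds = ReportService.get_azure_creds()
-        machines = set([instance["origin"] for instance in creds])
-        logger.info("Azure issues generated for reporting")
-        return [
-            {
-                "type": "azure_password",
-                "machine": machine,
-                "users": set(
-                    [instance["username"] for instance in creds if instance["origin"] == machine]
-                ),
-            }
-            for machine in machines
-        ]
     @staticmethod
     def get_scanned():
         formatted_nodes = []
@@ -249,30 +231,6 @@ class ReportService:
         creds.extend(ssh_keys)
         return creds
-    @staticmethod
-    def get_azure_creds():
-        """
-        Recover all credentials marked as being from an Azure machine
-        :return: List of credentials.
-        """
-        creds = []
-        for telem in mongo.db.telemetry.find(
-            {"telem_category": "system_info", "data.Azure": {"$exists": True}},
-            {"data.Azure": 1, "monkey_guid": 1},
-        ):
-            azure_users = telem["data"]["Azure"]["usernames"]
-            if len(azure_users) == 0:
-                continue
-            origin = NodeService.get_monkey_by_guid(telem["monkey_guid"])["hostname"]
-            azure_leaked_users = [
-                {"username": user.replace(",", "."), "type": "Clear Password", "origin": origin}
-                for user in azure_users
-            ]
-            creds.extend(azure_leaked_users)
-        logger.info("Azure machines creds generated for reporting")
-        return creds
     @staticmethod
     def process_exploit(exploit) -> ExploiterReportInfo:
         exploiter_type = exploit["data"]["exploiter"]
@@ -628,7 +586,6 @@ class ReportService:
                 "scanned": scanned_nodes,
                 "exploited_cnt": exploited_cnt,
                 "stolen_creds": ReportService.get_stolen_creds(),
-                "azure_passwords": ReportService.get_azure_creds(),
                 "ssh_keys": ReportService.get_ssh_keys(),
                 "strong_users": PTHReportService.get_strong_users_on_crit_details(),
             },
@@ -645,7 +602,6 @@ class ReportService:
             ReportService.get_exploits,
             ReportService.get_tunnels,
             ReportService.get_island_cross_segment_issues,
-            ReportService.get_azure_issues,
             PTHReportService.get_duplicated_passwords_issues,
             PTHReportService.get_strong_users_on_crit_issues,
         ]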

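--- a/unknown-path
+++ b/unknown-path
@@ -43,7 +43,6 @@ import {
 import {tunnelIssueReport, tunnelIssueOverview} from './security/issues/TunnelIssue';
 import {stolenCredsIssueOverview} from './security/issues/StolenCredsIssue';
 import {weakPasswordIssueOverview} from './security/issues/WeakPasswordIssue';
-import {azurePasswordIssueOverview, azurePasswordIssueReport} from './security/issues/AzurePasswordIssue';
 import {strongUsersOnCritIssueReport} from './security/issues/StrongUsersOnCritIssue';
 import {
   zerologonIssueOverview,
@@ -177,11 +176,6 @@ class ReportPageComponent extends AuthComponent {
       [this.issueContentTypes.REPORT]: strongUsersOnCritIssueReport,
       [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
     },
-    'azure_password': {
-      [this.issueContentTypes.OVERVIEW]: azurePasswordIssueOverview,
-      [this.issueContentTypes.REPORT]: azurePasswordIssueReport,
-      [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
-    },
     'weak_password': {
       [this.issueContentTypes.OVERVIEW]: weakPasswordIssueOverview,
       [this.issueContentTypes.TYPE]: this.issueTypes.DANGER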

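--- a/unknown-path
+++ /dev/null
@@ -1,23 +0,0 @@
-import React from 'react';
-import CollapsibleWellComponent from '../CollapsibleWell';
-export function azurePasswordIssueOverview() {
-  return (<li>Azure machines expose plaintext passwords. (<a
-    href="https://www.guardicore.com/2018/03/recovering-plaintext-passwords-azure/"
-  >More info</a>)</li>)
-}
-export function azurePasswordIssueReport(issue) {
-  return (
-    <>
-      Delete VM Access plugin configuration files.
-      <CollapsibleWellComponent>
-        Credentials could be stolen from <span
-        className="badge badge-primary">{issue.machine}</span> for the following users <span
-        className="badge badge-primary">{issue.users}</span>. Read more about the security issue and remediation <a
-        href="https://www.guardicore.com/2018/03/recovering-plaintext-passwords-azure/"
-        >here</a>.
-      </CollapsibleWellComponent>
-    </>
-  );
-}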