Island: remove azure credential collector

2021-11-15 12:47:39 +02:00 · 2021-11-15 12:47:39 +02:00 · f4ee95418d
parent ada9237a8b
commit f4ee95418d
6 changed files with 0 additions and 85 deletions
--- a/monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py
@ -1,6 +1,5 @@
 from common.common_consts.system_info_collectors_names import (
    AWS_COLLECTOR,
-    AZURE_CRED_COLLECTOR,
    ENVIRONMENT_COLLECTOR,
    HOSTNAME_COLLECTOR,
    MIMIKATZ_COLLECTOR,
@ -53,13 +52,5 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
            "info": "Collects a list of running processes on the machine.",
            "attack_techniques": ["T1082"],
        },
-        {
-            "type": "string",
-            "enum": [AZURE_CRED_COLLECTOR],
-            "title": "Azure Credential Collector",
-            "safe": True,
-            "info": "Collects password credentials from Azure VMs",
-            "attack_techniques": ["T1003", "T1005"],
-        },
    ],
 }
--- a/monkey/monkey_island/cc/services/config_schema/monkey.py
+++ b/monkey/monkey_island/cc/services/config_schema/monkey.py
@ -1,6 +1,5 @@
 from common.common_consts.system_info_collectors_names import (
    AWS_COLLECTOR,
-    AZURE_CRED_COLLECTOR,
    ENVIRONMENT_COLLECTOR,
    HOSTNAME_COLLECTOR,
    MIMIKATZ_COLLECTOR,
@ -94,7 +93,6 @@ MONKEY = {
                        HOSTNAME_COLLECTOR,
                        PROCESS_LIST_COLLECTOR,
                        MIMIKATZ_COLLECTOR,
-                        AZURE_CRED_COLLECTOR,
                    ],
                },
            },
--- a/monkey/monkey_island/cc/services/reporting/aws_exporter.py
+++ b/monkey/monkey_island/cc/services/reporting/aws_exporter.py
@ -86,7 +86,6 @@ class AWSExporter(Exporter):
            ExploiterDescriptorEnum.STRUTS2.value.class_name: AWSExporter._handle_struts2_issue,
            ExploiterDescriptorEnum.WEBLOGIC.value.class_name: AWSExporter._handle_weblogic_issue,
            ExploiterDescriptorEnum.HADOOP.value.class_name: AWSExporter._handle_hadoop_issue,
-            # azure and conficker are not relevant issues for an AWS env
        }

        configured_product_arn = INFECTION_MONKEY_ARN
--- a/monkey/monkey_island/cc/services/reporting/report.py
+++ b/monkey/monkey_island/cc/services/reporting/report.py
@ -97,24 +97,6 @@ class ReportService:
            for tunnel in mongo.db.monkey.find({"tunnel": {"$exists": True}}, {"tunnel": 1})
        ]

-    @staticmethod
-    def get_azure_issues():
-        creds = ReportService.get_azure_creds()
-        machines = set([instance["origin"] for instance in creds])
-
-        logger.info("Azure issues generated for reporting")
-
-        return [
-            {
-                "type": "azure_password",
-                "machine": machine,
-                "users": set(
-                    [instance["username"] for instance in creds if instance["origin"] == machine]
-                ),
-            }
-            for machine in machines
-        ]
-
    @staticmethod
    def get_scanned():
        formatted_nodes = []
@ -249,30 +231,6 @@ class ReportService:
                creds.extend(ssh_keys)
        return creds

-    @staticmethod
-    def get_azure_creds():
-        """
-        Recover all credentials marked as being from an Azure machine
-        :return: List of credentials.
-        """
-        creds = []
-        for telem in mongo.db.telemetry.find(
-            {"telem_category": "system_info", "data.Azure": {"$exists": True}},
-            {"data.Azure": 1, "monkey_guid": 1},
-        ):
-            azure_users = telem["data"]["Azure"]["usernames"]
-            if len(azure_users) == 0:
-                continue
-            origin = NodeService.get_monkey_by_guid(telem["monkey_guid"])["hostname"]
-            azure_leaked_users = [
-                {"username": user.replace(",", "."), "type": "Clear Password", "origin": origin}
-                for user in azure_users
-            ]
-            creds.extend(azure_leaked_users)
-
-        logger.info("Azure machines creds generated for reporting")
-        return creds
-
    @staticmethod
    def process_exploit(exploit) -> ExploiterReportInfo:
        exploiter_type = exploit["data"]["exploiter"]
@ -628,7 +586,6 @@ class ReportService:
                "scanned": scanned_nodes,
                "exploited_cnt": exploited_cnt,
                "stolen_creds": ReportService.get_stolen_creds(),
-                "azure_passwords": ReportService.get_azure_creds(),
                "ssh_keys": ReportService.get_ssh_keys(),
                "strong_users": PTHReportService.get_strong_users_on_crit_details(),
            },
@ -645,7 +602,6 @@ class ReportService:
            ReportService.get_exploits,
            ReportService.get_tunnels,
            ReportService.get_island_cross_segment_issues,
-            ReportService.get_azure_issues,
            PTHReportService.get_duplicated_passwords_issues,
            PTHReportService.get_strong_users_on_crit_issues,
        ]
--- a/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
+++ b/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
@ -43,7 +43,6 @@ import {
 import {tunnelIssueReport, tunnelIssueOverview} from './security/issues/TunnelIssue';
 import {stolenCredsIssueOverview} from './security/issues/StolenCredsIssue';
 import {weakPasswordIssueOverview} from './security/issues/WeakPasswordIssue';
-import {azurePasswordIssueOverview, azurePasswordIssueReport} from './security/issues/AzurePasswordIssue';
 import {strongUsersOnCritIssueReport} from './security/issues/StrongUsersOnCritIssue';
 import {
  zerologonIssueOverview,
@ -177,11 +176,6 @@ class ReportPageComponent extends AuthComponent {
        [this.issueContentTypes.REPORT]: strongUsersOnCritIssueReport,
        [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
      },
-      'azure_password': {
-        [this.issueContentTypes.OVERVIEW]: azurePasswordIssueOverview,
-        [this.issueContentTypes.REPORT]: azurePasswordIssueReport,
-        [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
-      },
      'weak_password': {
        [this.issueContentTypes.OVERVIEW]: weakPasswordIssueOverview,
        [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
--- a/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/AzurePasswordIssue.js
+++ b/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/AzurePasswordIssue.js
@ -1,23 +0,0 @@
-import React from 'react';
-import CollapsibleWellComponent from '../CollapsibleWell';
-
-export function azurePasswordIssueOverview() {
-  return (<li>Azure machines expose plaintext passwords. (<a
-                      href="https://www.guardicore.com/2018/03/recovering-plaintext-passwords-azure/"
-                    >More info</a>)</li>)
-}
-
-export function azurePasswordIssueReport(issue) {
-  return (
-      <>
-        Delete VM Access plugin configuration files.
-        <CollapsibleWellComponent>
-          Credentials could be stolen from <span
-          className="badge badge-primary">{issue.machine}</span> for the following users <span
-          className="badge badge-primary">{issue.users}</span>. Read more about the security issue and remediation <a
-          href="https://www.guardicore.com/2018/03/recovering-plaintext-passwords-azure/"
-        >here</a>.
-        </CollapsibleWellComponent>
-      </>
-    );
-}