Island: Reformat "PBAs" in config before sending to agent
Allow options to be specified for each PBA and consolidate the custom user PBA options under a "Custom" PBA.
This commit is contained in:
parent
1b04844e5e
commit
fecb7342ad
|
@ -431,6 +431,7 @@ class ConfigService:
|
||||||
def format_flat_config_for_agent(config: Dict):
|
def format_flat_config_for_agent(config: Dict):
|
||||||
ConfigService._remove_credentials_from_flat_config(config)
|
ConfigService._remove_credentials_from_flat_config(config)
|
||||||
ConfigService._format_payloads_from_flat_config(config)
|
ConfigService._format_payloads_from_flat_config(config)
|
||||||
|
ConfigService._format_pbas_from_flat_config(config)
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def _remove_credentials_from_flat_config(config: Dict):
|
def _remove_credentials_from_flat_config(config: Dict):
|
||||||
|
@ -449,3 +450,28 @@ class ConfigService:
|
||||||
def _format_payloads_from_flat_config(config: Dict):
|
def _format_payloads_from_flat_config(config: Dict):
|
||||||
config.setdefault("payloads", {})["ransomware"] = config["ransomware"]
|
config.setdefault("payloads", {})["ransomware"] = config["ransomware"]
|
||||||
config.pop("ransomware", None)
|
config.pop("ransomware", None)
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def _format_pbas_from_flat_config(config: Dict):
|
||||||
|
flat_linux_command_field = "custom_PBA_linux_cmd"
|
||||||
|
flat_linux_filename_field = "PBA_linux_filename"
|
||||||
|
flat_windows_command_field = "custom_PBA_windows_cmd"
|
||||||
|
flat_windows_filename_field = "PBA_windows_filename"
|
||||||
|
|
||||||
|
formatted_pbas_config = {}
|
||||||
|
for pba in config.get("post_breach_actions", []):
|
||||||
|
formatted_pbas_config[pba] = {}
|
||||||
|
|
||||||
|
formatted_pbas_config["Custom"] = {
|
||||||
|
"linux_command": config.get(flat_linux_command_field, ""),
|
||||||
|
"linux_filename": config.get(flat_linux_filename_field, ""),
|
||||||
|
"windows_command": config.get(flat_windows_command_field, ""),
|
||||||
|
"windows_filename": config.get(flat_windows_filename_field, ""),
|
||||||
|
}
|
||||||
|
|
||||||
|
config["post_breach_actions"] = formatted_pbas_config
|
||||||
|
|
||||||
|
config.pop(flat_linux_command_field, None)
|
||||||
|
config.pop(flat_linux_filename_field, None)
|
||||||
|
config.pop(flat_windows_command_field, None)
|
||||||
|
config.pop(flat_windows_filename_field, None)
|
||||||
|
|
|
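Review bot: `_format_pbas_from_flat_config` unconditionally writes a `"Custom"` entry, so an agent config with none of the four flat fields set (or all of them empty) still carries a Custom PBA whose commands are `""`; unless the agent side skips empty commands (not visible in this hunk), I would build the dict into a local and guard it with `if any(custom_pba.values()): formatted_pbas_config["Custom"] = custom_pba`. The helper also lacks a docstring; I'd add one saying it nests the flat `custom_PBA_*_cmd` / `PBA_*_filename` fields under `post_breach_actions["Custom"]`, drops them from the top level, and forwards the command strings verbatim to the agent, which executes them. Note that a PBA literally named `"Custom"` in the incoming list would be silently replaced by that dict, and that if `post_breach_actions` is already a dict (e.g. the formatter is applied twice) the loop iterates its keys and Custom is overwritten with empty values because the flat fields were popped on the first pass. The enclosing `ConfigService` class continues outside the hunk.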
@ -7,8 +7,8 @@
|
||||||
7001,
|
7001,
|
||||||
9200
|
9200
|
||||||
],
|
],
|
||||||
"PBA_linux_filename": "",
|
"PBA_linux_filename": "test.sh",
|
||||||
"PBA_windows_filename": "",
|
"PBA_windows_filename": "test.ps1",
|
||||||
"alive": true,
|
"alive": true,
|
||||||
"aws_access_key_id": "",
|
"aws_access_key_id": "",
|
||||||
"aws_secret_access_key": "",
|
"aws_secret_access_key": "",
|
||||||
|
@ -18,8 +18,8 @@
|
||||||
"10.197.94.72:5000"
|
"10.197.94.72:5000"
|
||||||
],
|
],
|
||||||
"current_server": "10.197.94.72:5000",
|
"current_server": "10.197.94.72:5000",
|
||||||
"custom_PBA_linux_cmd": "",
|
"custom_PBA_linux_cmd": "bash test.sh",
|
||||||
"custom_PBA_windows_cmd": "",
|
"custom_PBA_windows_cmd": "powershell test.ps1",
|
||||||
"depth": 2,
|
"depth": 2,
|
||||||
"dropper_date_reference_path_linux": "/bin/sh",
|
"dropper_date_reference_path_linux": "/bin/sh",
|
||||||
"dropper_date_reference_path_windows": "%windir%\\system32\\kernel32.dll",
|
"dropper_date_reference_path_windows": "%windir%\\system32\\kernel32.dll",
|
||||||
|
@ -82,9 +82,6 @@
|
||||||
"post_breach_actions": [
|
"post_breach_actions": [
|
||||||
"CommunicateAsBackdoorUser",
|
"CommunicateAsBackdoorUser",
|
||||||
"ModifyShellStartupFiles",
|
"ModifyShellStartupFiles",
|
||||||
"HiddenFiles",
|
|
||||||
"TrapCommand",
|
|
||||||
"ChangeSetuidSetgid",
|
|
||||||
"ScheduleJobs",
|
"ScheduleJobs",
|
||||||
"Timestomping",
|
"Timestomping",
|
||||||
"AccountDiscovery"
|
"AccountDiscovery"
|
||||||
|
|
|
@ -55,3 +55,28 @@ def test_format_config_for_agent__ransomware_payload(flat_monkey_config):
|
||||||
assert flat_monkey_config["payloads"] == expected_ransomware_config
|
assert flat_monkey_config["payloads"] == expected_ransomware_config
|
||||||
|
|
||||||
assert "ransomware" not in flat_monkey_config
|
assert "ransomware" not in flat_monkey_config
|
||||||
|
|
||||||
|
|
||||||
|
def test_format_config_for_agent__pbas(flat_monkey_config):
|
||||||
|
expected_pbas_config = {
|
||||||
|
"CommunicateAsBackdoorUser": {},
|
||||||
|
"ModifyShellStartupFiles": {},
|
||||||
|
"ScheduleJobs": {},
|
||||||
|
"Timestomping": {},
|
||||||
|
"AccountDiscovery": {},
|
||||||
|
"Custom": {
|
||||||
|
"linux_command": "bash test.sh",
|
||||||
|
"windows_command": "powershell test.ps1",
|
||||||
|
"linux_filename": "test.sh",
|
||||||
|
"windows_filename": "test.ps1",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
ConfigService.format_flat_config_for_agent(flat_monkey_config)
|
||||||
|
|
||||||
|
assert "post_breach_actions" in flat_monkey_config
|
||||||
|
assert flat_monkey_config["post_breach_actions"] == expected_pbas_config
|
||||||
|
|
||||||
|
assert "custom_PBA_linux_cmd" not in flat_monkey_config
|
||||||
|
assert "PBA_linux_filename" not in flat_monkey_config
|
||||||
|
assert "custom_PBA_windows_cmd" not in flat_monkey_config
|
||||||
|
assert "PBA_windows_filename" not in flat_monkey_config
|
||||||
|
|
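Review bot: `test_format_config_for_agent__pbas` only exercises the fully populated fixture, so the `config.get(..., "")` defaults and the `config.get("post_breach_actions", [])` fallback in `_format_pbas_from_flat_config` are never hit; a second test that removes the four flat fields and empties the list would pin that path, since a `None`/missing value there is exactly what the island will send when the user never configured a custom PBA. The test also mutates the shared `flat_monkey_config` fixture in place; if that fixture is not function-scoped (its definition is outside the hunk), later tests would observe the formatted shape, so a copy or function scope is worth confirming. The test function ends at the hunk boundary.
```python
def test_format_config_for_agent__pbas_no_custom(flat_monkey_config):
    for field in (
        "custom_PBA_linux_cmd",
        "PBA_linux_filename",
        "custom_PBA_windows_cmd",
        "PBA_windows_filename",
    ):
        flat_monkey_config.pop(field, None)
    flat_monkey_config["post_breach_actions"] = []

    ConfigService.format_flat_config_for_agent(flat_monkey_config)

    assert flat_monkey_config["post_breach_actions"] == {
        "Custom": {
            "linux_command": "",
            "linux_filename": "",
            "windows_command": "",
            "windows_filename": "",
        }
    }
```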