From 2881b11be32ab3fe17d34b7fe1a05f9e853d9dd5 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 7 Apr 2021 06:47:32 -0400 Subject: [PATCH 01/13] =?UTF-8?q?Swimm:=20update=20exercise=20Add=20a=20ne?= =?UTF-8?q?w=20configuration=20setting=20to=20the=20Agent=20=E2=9A=99=20(i?= =?UTF-8?q?d:=20AzD8XysWg1BBXCjCDkfq).?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .swm/AzD8XysWg1BBXCjCDkfq.swm | 170 ++++++++++++++++------------------ 1 file changed, 82 insertions(+), 88 deletions(-) diff --git a/.swm/AzD8XysWg1BBXCjCDkfq.swm b/.swm/AzD8XysWg1BBXCjCDkfq.swm index 83958e466..a798922f0 100644 --- a/.swm/AzD8XysWg1BBXCjCDkfq.swm +++ b/.swm/AzD8XysWg1BBXCjCDkfq.swm @@ -1,92 +1,86 @@ { "id": "AzD8XysWg1BBXCjCDkfq", "name": "Add a new configuration setting to the Agent ⚙", - "dod": "Make the max victim number that Monkey will find before stopping configurable by the user instead of constant.", - "description": "# Make something configurable\n\nIn this unit, you will learn how to add a configuration option to Monkey and how to use it in the Monkey Agent code. \n\n![computer fire](https://media.giphy.com/media/7J4P7cUur2DlErijp3/giphy.gif \"computer fire\")\n\n## Why is this important?\n\nEnabling users to configure the Monkey's behaviour gives them a lot more freedom in how they want to use the Monkey and enables more use cases.\n\n## What is \"Max victims to find\"?\n\nThe Monkey has a function which finds \"victim\" machines on the network for the Monkey to try and exploit. It's called `get_victim_machines`. This function accepts an argument which limits how many machines the Monkey should find.\n\nWe want to make that value editable by the user instead of constant in the code.\n\n## Manual testing\n\n1. After you've performed the required changes, reload the Server and check your value exists in the Internal tab of the config (see image).\n\n![](https://i.imgur.com/e0XAxuV.png)\n\n2. Set the new value to 1, and run Monkey locally (from source). See that the Monkey only scans one machine.", - "summary": "* When changing config schema by adding or deleting keys, you need to update the Blackbox Test configurations as well [here](https://github.com/guardicore/monkey/tree/develop/envs/monkey_zoo/blackbox/island_configs).", - "hunksOrder": [ - "monkey/infection_monkey/config.py_0", - "monkey/infection_monkey/monkey.py_0", - "monkey/monkey_island/cc/services/config_schema/internal.py_0" - ], - "tests": [], - "hints": [ - "Look for `victims_max_exploit` - it's rather similar." - ], - "play_mode": "all", - "swimmPatch": { - "monkey/infection_monkey/config.py": { - "diffType": "MODIFIED", - "fileDiffHeader": "diff --git a/monkey/infection_monkey/config.py b/monkey/infection_monkey/config.py\nindex 1fbcb876..67ed19de 100644\n--- a/monkey/infection_monkey/config.py\n+++ b/monkey/infection_monkey/config.py", - "hunks": [ - { - "swimmHunkMetadata": { - "hunkComments": [] - }, - "hunkDiffLines": [ - "@@ -131,8 +131,6 @@", - " exploiter_classes = []\r", - " system_info_collector_classes = []\r", - " \r", - "- # how many victims to look for in a single scan iteration\r", - "- victims_max_find = 100\r", - " \r", - " # how many victims to exploit before stopping\r", - " victims_max_exploit = 100\r" - ] - } - ] - }, - "monkey/infection_monkey/monkey.py": { - "diffType": "MODIFIED", - "fileDiffHeader": "diff --git a/monkey/infection_monkey/monkey.py b/monkey/infection_monkey/monkey.py\nindex 444bde45..ff23f671 100644\n--- a/monkey/infection_monkey/monkey.py\n+++ b/monkey/infection_monkey/monkey.py", - "hunks": [ - { - "swimmHunkMetadata": { - "hunkComments": [] - }, - "hunkDiffLines": [ - "@@ -159,8 +159,6 @@", - " if not self._keep_running or not WormConfiguration.alive:\r", - " break\r", - " \r", - "- machines = self._network.get_victim_machines(max_find=WormConfiguration.victims_max_find,\r", - "- stop_callback=ControlClient.check_for_stop)\r", - " is_empty = True\r", - " for machine in machines:\r", - " if ControlClient.check_for_stop():\r" - ] - } - ] - }, - "monkey/monkey_island/cc/services/config_schema/internal.py": { - "diffType": "MODIFIED", - "fileDiffHeader": "diff --git a/monkey/monkey_island/cc/services/config_schema/internal.py b/monkey/monkey_island/cc/services/config_schema/internal.py\nindex bdbae246..d6042d35 100644\n--- a/monkey/monkey_island/cc/services/config_schema/internal.py\n+++ b/monkey/monkey_island/cc/services/config_schema/internal.py", - "hunks": [ - { - "swimmHunkMetadata": { - "hunkComments": [] - }, - "hunkDiffLines": [ - "@@ -40,12 +40,6 @@", - " \"title\": \"Monkey\",\r", - " \"type\": \"object\",\r", - " \"properties\": {\r", - "- \"victims_max_find\": {\r", - "- \"title\": \"Max victims to find\",\r", - "- \"type\": \"integer\",\r", - "- \"default\": 100,\r", - "- \"description\": \"Determines the maximum number of machines the monkey is allowed to scan\"\r", - "- },\r", - " \"victims_max_exploit\": {\r", - " \"title\": \"Max victims to exploit\",\r", - " \"type\": \"integer\",\r" - ] - } - ] - } + "task": { + "dod": "Make the max victim number that Monkey will find before stopping configurable by the user instead of constant.", + "tests": [], + "hints": [ + "Look for `victims_max_exploit` - it's rather similar." + ] }, - "app_version": "0.3.5-1", - "file_version": "1.0.4", - "last_commit_sha_for_swimm_patch": "17ee823b086f0b027612e2d1864930d2c5593c3e" -} \ No newline at end of file + "content": [ + { + "type": "text", + "text": "# Make something configurable\n\nIn this unit, you will learn how to add a configuration option to Monkey and how to use it in the Monkey Agent code. \n\n![computer fire](https://media.giphy.com/media/7J4P7cUur2DlErijp3/giphy.gif \"computer fire\")\n\n## Why is this important?\n\nEnabling users to configure the Monkey's behaviour gives them a lot more freedom in how they want to use the Monkey and enables more use cases.\n\n## What is \"Max victims to find\"?\n\nThe Monkey has a function which finds \"victim\" machines on the network for the Monkey to try and exploit. It's called `get_victim_machines`. This function accepts an argument which limits how many machines the Monkey should find.\n\nWe want to make that value editable by the user instead of constant in the code.\n\n## Manual testing\n\n1. After you've performed the required changes, reload the Server and check your value exists in the Internal tab of the config (see image).\n\n![](https://i.imgur.com/e0XAxuV.png)\n\n2. Set the new value to 1, and run Monkey locally (from source). See that the Monkey only scans one machine." + }, + { + "type": "snippet", + "path": "monkey/infection_monkey/config.py", + "comments": [], + "firstLineNumber": 126, + "lines": [ + " exploiter_classes = []", + " system_info_collector_classes = []", + " ", + "* # how many victims to look for in a single scan iteration\r", + "* victims_max_find = 100\r", + " ", + " # how many victims to exploit before stopping", + " victims_max_exploit = 100" + ] + }, + { + "type": "snippet", + "path": "monkey/infection_monkey/monkey.py", + "comments": [], + "firstLineNumber": 159, + "lines": [ + " ", + " if not self._keep_running or not WormConfiguration.alive:", + " break", + "*", + "* machines = self._network.get_victim_machines(", + "* max_find=WormConfiguration.victims_max_find,", + "* stop_callback=ControlClient.check_for_stop,", + "* )", + " is_empty = True", + " for machine in machines:", + " if ControlClient.check_for_stop():" + ] + }, + { + "type": "snippet", + "path": "monkey/monkey_island/cc/services/config_schema/internal.py", + "comments": [], + "firstLineNumber": 39, + "lines": [ + " \"title\": \"Monkey\",", + " \"type\": \"object\",", + " \"properties\": {", + "* \"victims_max_find\": {", + "* \"title\": \"Max victims to find\",", + "* \"type\": \"integer\",", + "* \"default\": 100,", + "* \"description\": \"Determines the maximum number of machines the monkey is allowed to scan\",", + "* },", + " \"victims_max_exploit\": {", + " \"title\": \"Max victims to exploit\",", + " \"type\": \"integer\"," + ] + }, + { + "type": "text", + "text": "* When changing config schema by adding or deleting keys, you need to update the Blackbox Test configurations as well [here](https://github.com/guardicore/monkey/tree/develop/envs/monkey_zoo/blackbox/island_configs)." + } + ], + "symbols": {}, + "file_version": "2.0.1", + "meta": { + "app_version": "0.4.1-1", + "file_blobs": { + "monkey/infection_monkey/config.py": "7aeaccee2a663d2b69d62d4692acc2aa24e2d1f7", + "monkey/infection_monkey/monkey.py": "7123d8b9ef8c02870534bdf0008df1245bb1392a", + "monkey/monkey_island/cc/services/config_schema/internal.py": "890e74efab70c4610f4a17cc531e09e5afcb5368" + } + } +} From 874a88ced09a448c079fddcbadf9bb7d1b80564c Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 7 Apr 2021 06:49:30 -0400 Subject: [PATCH 02/13] Swimm: update exercise Add a new System Info Collector (id: OwcKMnALpn7tuBaJY1US). --- .swm/OwcKMnALpn7tuBaJY1US.swm | 93 +++++++++++++++++++---------------- 1 file changed, 51 insertions(+), 42 deletions(-) diff --git a/.swm/OwcKMnALpn7tuBaJY1US.swm b/.swm/OwcKMnALpn7tuBaJY1US.swm index 0640f1c37..1f1b0ace0 100644 --- a/.swm/OwcKMnALpn7tuBaJY1US.swm +++ b/.swm/OwcKMnALpn7tuBaJY1US.swm @@ -58,38 +58,36 @@ "type": "snippet", "path": "monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py", "comments": [], - "firstLineNumber": 1, + "firstLineNumber": 4, "lines": [ - " from common.common_consts.system_info_collectors_names import (AWS_COLLECTOR, AZURE_CRED_COLLECTOR,\r", - "* ENVIRONMENT_COLLECTOR, HOSTNAME_COLLECTOR,\r", - " MIMIKATZ_COLLECTOR, PROCESS_LIST_COLLECTOR)\r", - " \r", - " SYSTEM_INFO_COLLECTOR_CLASSES = {\r" + " ENVIRONMENT_COLLECTOR,", + "* HOSTNAME_COLLECTOR,", + " MIMIKATZ_COLLECTOR,", + " PROCESS_LIST_COLLECTOR,", + " )" ] }, { "type": "snippet", "path": "monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py", "comments": [], - "firstLineNumber": 37, + "firstLineNumber": 36, "lines": [ " \"info\": \"If on AWS, collects more information about the AWS instance currently running on.\",", - " \"attack_techniques\": [\"T1082\"]", + " \"attack_techniques\": [\"T1082\"],", " },", "* {", "+ # SWIMMER: Collector config goes here. Tip: Hostname collection relates to the T1082 and T1016 techniques.", "* \"type\": \"string\",", - "* \"enum\": [", - "* HOSTNAME_COLLECTOR", - "* ],", + "* \"enum\": [HOSTNAME_COLLECTOR],", "* \"title\": \"Hostname collector\",", "* \"safe\": True,", "* \"info\": \"Collects machine's hostname.\",", - "* \"attack_techniques\": [\"T1082\", \"T1016\"]", + "* \"attack_techniques\": [\"T1082\", \"T1016\"],", "* },", " {", " \"type\": \"string\",", - " \"enum\": [" + " \"enum\": [PROCESS_LIST_COLLECTOR]," ] }, { @@ -98,20 +96,20 @@ "comments": [], "firstLineNumber": 1, "lines": [ - " from common.common_consts.system_info_collectors_names import (AWS_COLLECTOR, AZURE_CRED_COLLECTOR,", - " ENVIRONMENT_COLLECTOR, HOSTNAME_COLLECTOR,", - " MIMIKATZ_COLLECTOR, PROCESS_LIST_COLLECTOR)", + " from common.common_consts.system_info_collectors_names import (", + " AWS_COLLECTOR,", + " AZURE_CRED_COLLECTOR,", "* HOSTNAME_COLLECTOR,", - " MONKEY = {", - " \"title\": \"Monkey\",", - " \"type\": \"object\"," + " HOSTNAME_COLLECTOR,", + " MIMIKATZ_COLLECTOR,", + " PROCESS_LIST_COLLECTOR," ] }, { "type": "snippet", "path": "monkey/monkey_island/cc/services/config_schema/monkey.py", "comments": [], - "firstLineNumber": 85, + "firstLineNumber": 92, "lines": [ " \"default\": [", " ENVIRONMENT_COLLECTOR,", @@ -119,7 +117,7 @@ "* HOSTNAME_COLLECTOR,", " PROCESS_LIST_COLLECTOR,", " MIMIKATZ_COLLECTOR,", - " AZURE_CRED_COLLECTOR" + " AZURE_CRED_COLLECTOR," ] }, { @@ -148,26 +146,26 @@ "comments": [], "firstLineNumber": 1, "lines": [ - " import logging\r", - " import typing\r", - " \r", - "*from common.common_consts.system_info_collectors_names import (AWS_COLLECTOR, ENVIRONMENT_COLLECTOR, HOSTNAME_COLLECTOR,\r", - " PROCESS_LIST_COLLECTOR)\r", - " from monkey_island.cc.services.telemetry.processing.system_info_collectors.aws import process_aws_telemetry\r", - " from monkey_island.cc.services.telemetry.processing.system_info_collectors.environment import \\\r" + " import logging", + " import typing", + " ", + "*from common.common_consts.system_info_collectors_names import (", + " AWS_COLLECTOR,", + " ENVIRONMENT_COLLECTOR,", + " HOSTNAME_COLLECTOR," ] }, { "type": "snippet", "path": "monkey/monkey_island/cc/services/telemetry/processing/system_info_collectors/system_info_telemetry_dispatcher.py", "comments": [], - "firstLineNumber": 14, + "firstLineNumber": 25, "lines": [ " SYSTEM_INFO_COLLECTOR_TO_TELEMETRY_PROCESSORS = {", " AWS_COLLECTOR: [process_aws_telemetry],", " ENVIRONMENT_COLLECTOR: [process_environment_telemetry],", "* HOSTNAME_COLLECTOR: [process_hostname_telemetry],", - " PROCESS_LIST_COLLECTOR: [check_antivirus_existence]", + " PROCESS_LIST_COLLECTOR: [check_antivirus_existence],", " }", " " ] @@ -175,15 +173,18 @@ { "type": "snippet", "lines": [ - " from monkey_island.cc.services.telemetry.processing.system_info_collectors.aws import process_aws_telemetry\r", - " from monkey_island.cc.services.telemetry.processing.system_info_collectors.environment import \\\r", - " process_environment_telemetry\r", - "*from monkey_island.cc.services.telemetry.processing.system_info_collectors.hostname import process_hostname_telemetry\r", - " from monkey_island.cc.services.telemetry.zero_trust_checks.antivirus_existence import check_antivirus_existence\r", - " \r", - " logger = logging.getLogger(__name__)\r" + " )", + " from monkey_island.cc.services.telemetry.processing.system_info_collectors.environment import (", + " process_environment_telemetry,", + "*)", + "*from monkey_island.cc.services.telemetry.processing.system_info_collectors.hostname import (", + "* process_hostname_telemetry,", + "*)", + " from monkey_island.cc.services.telemetry.zero_trust_checks.antivirus_existence import (", + " check_antivirus_existence,", + " )" ], - "firstLineNumber": 6, + "firstLineNumber": 12, "path": "monkey/monkey_island/cc/services/telemetry/processing/system_info_collectors/system_info_telemetry_dispatcher.py", "comments": [] }, @@ -192,9 +193,17 @@ "text": "System info collectors are useful to get more data for various things, such as ZT tests or MITRE techniques. Take a look at some other techniques!" } ], - "file_version": "2.0.0", + "symbols": {}, + "file_version": "2.0.1", "meta": { - "app_version": "0.3.7-0", - "file_blobs": {} + "app_version": "0.4.1-1", + "file_blobs": { + "monkey/common/common_consts/system_info_collectors_names.py": "c93cb2537ca94c9e46980d0cd06cc86a0ab34e29", + "monkey/infection_monkey/system_info/collectors/hostname_collector.py": "0aeecd9fb7bde83cccd4501ec03e0da199ec5fc3", + "monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py": "487166ec6f6d0559abd07e04d72fe55f230fc518", + "monkey/monkey_island/cc/services/config_schema/monkey.py": "0d69c5aa4fee48943f7847048942d257d27c2472", + "monkey/monkey_island/cc/services/telemetry/processing/system_info_collectors/hostname.py": "e2de4519cbd71bba70e81cf3ff61817437d95a21", + "monkey/monkey_island/cc/services/telemetry/processing/system_info_collectors/system_info_telemetry_dispatcher.py": "894bdce75f0ae2b892bd5b3c6c70949be52b36e7" + } } -} \ No newline at end of file +} From c1950aa4ffa72c41a0b0925a674b3a1257c5550a Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 7 Apr 2021 06:52:05 -0400 Subject: [PATCH 03/13] Swimm: update exercise Add a simple Post Breach action (id: tbxb2cGgUiJQ8Btma0fp). --- .swm/tbxb2cGgUiJQ8Btma0fp.swm | 56 +++++++++++++++++------------------ 1 file changed, 27 insertions(+), 29 deletions(-) diff --git a/.swm/tbxb2cGgUiJQ8Btma0fp.swm b/.swm/tbxb2cGgUiJQ8Btma0fp.swm index 255e44a9b..c6d72185d 100644 --- a/.swm/tbxb2cGgUiJQ8Btma0fp.swm +++ b/.swm/tbxb2cGgUiJQ8Btma0fp.swm @@ -37,20 +37,19 @@ "lines": [ "*from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER", "*from infection_monkey.config import WormConfiguration", - " from infection_monkey.post_breach.pba import PBA", - " from infection_monkey.utils.users import get_commands_to_add_user", - " ", - " ", - " class BackdoorUser(PBA):", - " def __init__(self):", + "*from infection_monkey.post_breach.pba import PBA", + "*from infection_monkey.utils.users import get_commands_to_add_user", + "*", + "*", + "*class BackdoorUser(PBA):", + "* def __init__(self):", "* linux_cmds, windows_cmds = get_commands_to_add_user(", - "+ pass # Swimmer: Impl here!", - "* WormConfiguration.user_to_add,", - "* WormConfiguration.remote_user_pass)", + "* WormConfiguration.user_to_add, WormConfiguration.remote_user_pass", + "* )", "* super(BackdoorUser, self).__init__(", - "* POST_BREACH_BACKDOOR_USER,", - "* linux_cmd=' '.join(linux_cmds),", - "* windows_cmd=windows_cmds)" + "* POST_BREACH_BACKDOOR_USER, linux_cmd=\" \".join(linux_cmds), windows_cmd=windows_cmds", + "* )", + "*" ] }, { @@ -59,17 +58,17 @@ "comments": [], "firstLineNumber": 1, "lines": [ - "*from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER\r", - " from monkey_island.cc.services.attack.technique_reports.pba_technique import PostBreachTechnique\r", - " \r", - " __author__ = \"shreyamalviya\"\r" + "*from common.common_consts.post_breach_consts import (", + " POST_BREACH_BACKDOOR_USER,", + " POST_BREACH_COMMUNICATE_AS_NEW_USER,", + " )" ] }, { "type": "snippet", "path": "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py", "comments": [], - "firstLineNumber": 9, + "firstLineNumber": 12, "lines": [ " unscanned_msg = \"Monkey didn't try creating a new user on the network's systems.\"", " scanned_msg = \"Monkey tried creating a new user on the network's systems, but failed.\"", @@ -84,23 +83,21 @@ "comments": [], "firstLineNumber": 4, "lines": [ - " \"might do after breaching a new machine. Used in ATT&CK and Zero trust reports.\",", + " \"might do after breaching a new machine. Used in ATT&CK and Zero trust reports.\",", " \"type\": \"string\",", " \"anyOf\": [", "* {", "+ # Swimmer: Add new PBA here to config!", "* \"type\": \"string\",", - "* \"enum\": [", - "* \"BackdoorUser\"", - "* ],", + "* \"enum\": [\"BackdoorUser\"],", "* \"title\": \"Back door user\",", "* \"safe\": True,", "* \"info\": \"Attempts to create a new user on the system and delete it afterwards.\",", - "* \"attack_techniques\": [\"T1136\"]", + "* \"attack_techniques\": [\"T1136\"],", "* },", " {", " \"type\": \"string\",", - " \"enum\": [" + " \"enum\": [\"CommunicateAsNewUser\"]," ] }, { @@ -108,14 +105,15 @@ "text": "Take a look at the configuration of the island again - see the \"command to run after breach\" option we offer the user? It's implemented exactly like you did right now but each user can do it for themselves. \n\nHowever, what if the PBA needs to do stuff which is more complex than just running a few commands? In that case... " } ], - "file_version": "2.0.0", + "symbols": {}, + "file_version": "2.0.1", "meta": { - "app_version": "0.3.7-0", + "app_version": "0.4.1-1", "file_blobs": { "monkey/common/common_consts/post_breach_consts.py": "25e6679cb1623aae1a732deb05cc011a452743e3", - "monkey/infection_monkey/post_breach/actions/add_user.py": "a85845840d9cb37529ad367e159cd9001929e759", - "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py": "d9d86e08ea4aeb0a6bee3f483e4fea50ee6cd200", - "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "857e80da477ab31dbc00ed0a3f1cd49b69b505fa" + "monkey/infection_monkey/post_breach/actions/add_user.py": "cae5a2428fa01b333a2e70365c9da1e189e31bc4", + "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py": "dfc5945a362b88c1135f4476526c6c82977b02ee", + "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "ea9b18aba7f71da12c9c82ac39d8a0cf2c472a9c" } } -} \ No newline at end of file +} From 5c4214e60a8932466a328cdc3d99bf4494311db1 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 7 Apr 2021 06:52:35 -0400 Subject: [PATCH 04/13] Swimm: update exercise Add details about your new PBA (id: JFXftJml8DpmuCPBA9rL). --- .swm/JFXftJml8DpmuCPBA9rL.swm | 96 +++++++++++++++++------------------ 1 file changed, 47 insertions(+), 49 deletions(-) diff --git a/.swm/JFXftJml8DpmuCPBA9rL.swm b/.swm/JFXftJml8DpmuCPBA9rL.swm index d0206a862..925e662f9 100644 --- a/.swm/JFXftJml8DpmuCPBA9rL.swm +++ b/.swm/JFXftJml8DpmuCPBA9rL.swm @@ -1,54 +1,52 @@ { "id": "JFXftJml8DpmuCPBA9rL", "name": "Add details about your new PBA", - "dod": "You should add your new PBA's details to the configuration.", - "description": "In order to make sure that the new `ScheduleJobs` PBA is shown in the configuration on the Monkey Island, you need to add its details to the configuration file(s).

\n\nSince this particular PBA is related to the MITRE techniques [T1168](https://attack.mitre.org/techniques/T1168) and [T1053](https://attack.mitre.org/techniques/T1053), make sure to link the PBA with these techniques in the configuration as well.

\n\nEach part of the configuration has an important role \n- *enum* — contains the relevant PBA's class name(s)\n- *title* — holds the name of the PBA which is displayed in the configuration on the Monkey Island\n- *info* — consists of an elaboration on the PBA's working which is displayed in the configuration on the Monkey Island\n- *attack_techniques* — has the IDs of the MITRE techniques associated with the PBA\n\n## Manual test \nOnce you think you're done...\n- Run the Monkey Island\n- You should be able to see your new PBA under the \"Monkey\" tab in the configuration, along with its information when you click on it\n- Further, when you enable/disable the associated MITRE techniques under the ATT&CK tab in the configuration, the PBA should also be enabled/disabled\n\n", - "summary": "- The PBA details in this file are reflected on the Monkey Island in the PBA configuration.\n- PBAs are also linked to the relevant MITRE techniques in this file, whose results can then be seen in the MITRE ATT&CK report on the Monkey Island.", - "hunksOrder": [ - "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py_0" - ], - "tests": [], - "hints": [ - "Have a look at the details of the other techniques." - ], - "play_mode": "all", - "swimmPatch": { - "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": { - "diffType": "MODIFIED", - "fileDiffHeader": "diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py\nindex f1fe0f6f..b231f96c 100644\n--- a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py\n+++ b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py", - "hunks": [ - { - "swimmHunkMetadata": { - "hunkComments": [] - }, - "hunkDiffLines": [ - "@@ -68,16 +68,7 @@", - " \"Removes the file afterwards.\",", - " \"attack_techniques\": [\"T1166\"]", - " },", - "- {", - "+ # Swimmer: ADD DETAILS HERE!", - "- \"type\": \"string\",", - "- \"enum\": [", - "- \"ScheduleJobs\"", - "- ],", - "- \"title\": \"Job scheduling\",", - "- \"safe\": True,", - "- \"info\": \"Attempts to create a scheduled job on the system and remove it.\",", - "- \"attack_techniques\": [\"T1168\", \"T1053\"]", - "- },", - " {", - " \"type\": \"string\",", - " \"enum\": [" - ] - } - ] - } + "task": { + "dod": "You should add your new PBA's details to the configuration.", + "tests": [], + "hints": [ + "Have a look at the details of the other techniques." + ] }, - "app_version": "0.3.5-1", - "file_version": "1.0.4", - "hunksOrder": [ - "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py_0" + "content": [ + { + "type": "text", + "text": "In order to make sure that the new `ScheduleJobs` PBA is shown in the configuration on the Monkey Island, you need to add its details to the configuration file(s).

\n\nSince this particular PBA is related to the MITRE techniques [T1168](https://attack.mitre.org/techniques/T1168) and [T1053](https://attack.mitre.org/techniques/T1053), make sure to link the PBA with these techniques in the configuration as well.

\n\nEach part of the configuration has an important role \n- *enum* — contains the relevant PBA's class name(s)\n- *title* — holds the name of the PBA which is displayed in the configuration on the Monkey Island\n- *info* — consists of an elaboration on the PBA's working which is displayed in the configuration on the Monkey Island\n- *attack_techniques* — has the IDs of the MITRE techniques associated with the PBA\n\n## Manual test \nOnce you think you're done...\n- Run the Monkey Island\n- You should be able to see your new PBA under the \"Monkey\" tab in the configuration, along with its information when you click on it\n- Further, when you enable/disable the associated MITRE techniques under the ATT&CK tab in the configuration, the PBA should also be enabled/disabled\n\n" + }, + { + "type": "snippet", + "path": "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py", + "comments": [], + "firstLineNumber": 56, + "lines": [ + " \"Removes the file afterwards.\",", + " \"attack_techniques\": [\"T1166\"],", + " },", + "* {", + "+ # Swimmer: ADD DETAILS HERE!", + "* \"type\": \"string\",", + "* \"enum\": [\"ScheduleJobs\"],", + "* \"title\": \"Job scheduling\",", + "* \"safe\": True,", + "* \"info\": \"Attempts to create a scheduled job on the system and remove it.\",", + "* \"attack_techniques\": [\"T1168\", \"T1053\"],", + "* },", + " {", + " \"type\": \"string\",", + " \"enum\": [\"Timestomping\"]," + ] + }, + { + "type": "text", + "text": "- The PBA details in this file are reflected on the Monkey Island in the PBA configuration.\n- PBAs are also linked to the relevant MITRE techniques in this file, whose results can then be seen in the MITRE ATT&CK report on the Monkey Island." + } ], - "last_commit_sha_for_swimm_patch": "9d9e8168fb2c23367b9947273aa1a041687b3e2e" -} \ No newline at end of file + "symbols": {}, + "file_version": "2.0.1", + "meta": { + "app_version": "0.4.1-1", + "file_blobs": { + "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "ea9b18aba7f71da12c9c82ac39d8a0cf2c472a9c" + } + } +} From 7cb92a7e13a0a68b58628596b53be8dbf3fc8ed4 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 7 Apr 2021 06:52:50 -0400 Subject: [PATCH 05/13] =?UTF-8?q?Swimm:=20update=20exercise=20Implement=20?= =?UTF-8?q?a=20new=20PBA=20=E2=80=94=20=20=20(id:=20VW4rf3AxRslfT7lwaug7).?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .swm/VW4rf3AxRslfT7lwaug7.swm | 94 ++++++++++++++++++----------------- 1 file changed, 48 insertions(+), 46 deletions(-) diff --git a/.swm/VW4rf3AxRslfT7lwaug7.swm b/.swm/VW4rf3AxRslfT7lwaug7.swm index 7af1a816c..d379af8ce 100644 --- a/.swm/VW4rf3AxRslfT7lwaug7.swm +++ b/.swm/VW4rf3AxRslfT7lwaug7.swm @@ -1,51 +1,53 @@ { "id": "VW4rf3AxRslfT7lwaug7", "name": "Implement a new PBA — `ScheduleJobs`", - "dod": "You should implement a new PBA in Monkey which schedules jobs on the machine.", - "description": "You need to implement the `ScheduleJobs` PBA which creates scheduled jobs on the machine.

\n

\nThe commands that add scheduled jobs for Windows and Linux can be retrieved from `get_commands_to_schedule_jobs` — make sure you understand how to use this function correctly.\n\n## Manual test \nOnce you think you're done...\n- Run the Monkey Island\n- Make sure the \"Job scheduling\" PBA is enabled in the \"Monkey\" tab in the configuration — for this test, disable network scanning, exploiting, and all other PBAs\n- Run the Monkey\n- Make sure you see the PBA with its results in the Security report as well as in the ATT&CK report under the relevant MITRE technique\n\n\n

\n", - "summary": "Many other PBAs are as simple as this one, using shell commands or scripts — see `Timestomping` and `AccountDiscovery`.

\n\nHowever, for less straightforward ones, you can override functions and implement new classes depending on what is required — see `SignedScriptProxyExecution` and `ModifyShellStartupFiles`.

\n\nThis PBA, along with all the other PBAs, will run on a system after it has been breached. The purpose of this code is to test whether target systems allow attackers to schedule jobs, which they could use to run malicious code at some specified date and time.", - "hunksOrder": [ - "monkey/infection_monkey/post_breach/actions/schedule_jobs.py_0" - ], - "tests": [], - "hints": [ - "Check out the `Timestomping` PBA to get an idea about the implementation.", - "Don't forget to add code to remove the scheduled jobs!" - ], - "play_mode": "all", - "swimmPatch": { - "monkey/infection_monkey/post_breach/actions/schedule_jobs.py": { - "diffType": "MODIFIED", - "fileDiffHeader": "diff --git a/monkey/infection_monkey/post_breach/actions/schedule_jobs.py b/monkey/infection_monkey/post_breach/actions/schedule_jobs.py\nindex f7d8d805..06839463 100644\n--- a/monkey/infection_monkey/post_breach/actions/schedule_jobs.py\n+++ b/monkey/infection_monkey/post_breach/actions/schedule_jobs.py", - "hunks": [ - { - "swimmHunkMetadata": { - "hunkComments": [] - }, - "hunkDiffLines": [ - "@@ -10,11 +10,5 @@", - " \"\"\"", - " ", - " def __init__(self):", - "- linux_cmds, windows_cmds = get_commands_to_schedule_jobs()", - "+ pass", - "-", - "+ # Swimmer: IMPLEMENT HERE!", - "- super(ScheduleJobs, self).__init__(name=POST_BREACH_JOB_SCHEDULING,", - "- linux_cmd=' '.join(linux_cmds),", - "- windows_cmd=windows_cmds)", - "- ", - "- def run(self):", - "- super(ScheduleJobs, self).run()" - ] - } - ] - } + "task": { + "dod": "You should implement a new PBA in Monkey which schedules jobs on the machine.", + "tests": [], + "hints": [ + "Check out the `Timestomping` PBA to get an idea about the implementation.", + "Don't forget to add code to remove the scheduled jobs!" + ] }, - "app_version": "0.3.5-1", - "file_version": "1.0.4", - "hunksOrder": [ - "monkey/infection_monkey/post_breach/actions/schedule_jobs.py_0" + "content": [ + { + "type": "text", + "text": "You need to implement the `ScheduleJobs` PBA which creates scheduled jobs on the machine.

\n

\nThe commands that add scheduled jobs for Windows and Linux can be retrieved from `get_commands_to_schedule_jobs` — make sure you understand how to use this function correctly.\n\n## Manual test \nOnce you think you're done...\n- Run the Monkey Island\n- Make sure the \"Job scheduling\" PBA is enabled in the \"Monkey\" tab in the configuration — for this test, disable network scanning, exploiting, and all other PBAs\n- Run the Monkey\n- Make sure you see the PBA with its results in the Security report as well as in the ATT&CK report under the relevant MITRE technique\n\n\n

\n" + }, + { + "type": "snippet", + "path": "monkey/infection_monkey/post_breach/actions/schedule_jobs.py", + "comments": [], + "firstLineNumber": 12, + "lines": [ + " \"\"\"", + " ", + " def __init__(self):", + "* linux_cmds, windows_cmds = get_commands_to_schedule_jobs()", + "+ pass", + "*", + "+ # Swimmer: IMPLEMENT HERE!", + "* super(ScheduleJobs, self).__init__(", + "* name=POST_BREACH_JOB_SCHEDULING,", + "* linux_cmd=\" \".join(linux_cmds),", + "* windows_cmd=windows_cmds,", + "* )", + "*", + "* def run(self):", + "* super(ScheduleJobs, self).run()" + ] + }, + { + "type": "text", + "text": "Many other PBAs are as simple as this one, using shell commands or scripts — see `Timestomping` and `AccountDiscovery`.

\n\nHowever, for less straightforward ones, you can override functions and implement new classes depending on what is required — see `SignedScriptProxyExecution` and `ModifyShellStartupFiles`.

\n\nThis PBA, along with all the other PBAs, will run on a system after it has been breached. The purpose of this code is to test whether target systems allow attackers to schedule jobs, which they could use to run malicious code at some specified date and time." + } ], - "last_commit_sha_for_swimm_patch": "44fd1ab69cfbab33cec638dcbbaa8831992a9a9f" -} \ No newline at end of file + "symbols": {}, + "file_version": "2.0.1", + "meta": { + "app_version": "0.4.1-1", + "file_blobs": { + "monkey/infection_monkey/post_breach/actions/schedule_jobs.py": "e7845968a0c27d2eba71a8889645fe88491cb2a8" + } + } +} From 1414d132d3ce2fd40b9d99a2125ea32ed91fa23c Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 7 Apr 2021 06:56:10 -0400 Subject: [PATCH 06/13] ci: Add swimm verify back to travis.yml This reverts commit 4aa9a14f1326229678beadbae47af3e6c61ca5ca. --- .travis.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.travis.yml b/.travis.yml index 6ea44a971..add9d6f03 100644 --- a/.travis.yml +++ b/.travis.yml @@ -78,6 +78,14 @@ script: - cd $TRAVIS_BUILD_DIR/docs - hugo --verbose --environment staging +# verify swimm +- cd $TRAVIS_BUILD_DIR +- wget "https://firebasestorage.googleapis.com/v0/b/swimmio.appspot.com/o/Release%2Fv029%2FSwimm_0.2.9_Setup.deb?alt=media&token=774ebd98-cb4e-4615-900c-aada224c1608" -O swimm +- sudo dpkg -i swimm || (sudo apt-get update && sudo apt-get -f install) +- chmod +x ./swimm +- swimm --version +- swimm verify + after_success: # Upload code coverage results to codecov.io, see https://github.com/codecov/codecov-bash for more information - bash <(curl -s https://codecov.io/bash) From cd59e9ba1a412db33af334c8ee4d28ca3015284e Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Fri, 19 Feb 2021 16:51:29 +0200 Subject: [PATCH 07/13] Updated travis script to use the latest swimm version. --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index add9d6f03..3e3adaa5c 100644 --- a/.travis.yml +++ b/.travis.yml @@ -80,7 +80,7 @@ script: # verify swimm - cd $TRAVIS_BUILD_DIR -- wget "https://firebasestorage.googleapis.com/v0/b/swimmio.appspot.com/o/Release%2Fv029%2FSwimm_0.2.9_Setup.deb?alt=media&token=774ebd98-cb4e-4615-900c-aada224c1608" -O swimm +- wget "https://github.com/swimmio/SwimmReleases/releases/download/v0.3.7-0/Swimm_0.3.7-0_Setup.deb" -O swimm - sudo dpkg -i swimm || (sudo apt-get update && sudo apt-get -f install) - chmod +x ./swimm - swimm --version From f22fc8e37e05573030275df29082120d1410ff79 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 7 Apr 2021 07:16:57 -0400 Subject: [PATCH 08/13] ci: use swimm version 0.4.1 in travis.yml --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 3e3adaa5c..80b17df46 100644 --- a/.travis.yml +++ b/.travis.yml @@ -80,7 +80,7 @@ script: # verify swimm - cd $TRAVIS_BUILD_DIR -- wget "https://github.com/swimmio/SwimmReleases/releases/download/v0.3.7-0/Swimm_0.3.7-0_Setup.deb" -O swimm +- wget "https://github.com/swimmio/SwimmReleases/releases/download/v0.4.1-0/Swimm_0.4.1-0_Setup.deb" -O swimm - sudo dpkg -i swimm || (sudo apt-get update && sudo apt-get -f install) - chmod +x ./swimm - swimm --version From 0fa7c41cf319f168f292b25f1139ce76d9c7bb3d Mon Sep 17 00:00:00 2001 From: Shreya Date: Thu, 8 Apr 2021 16:39:29 +0530 Subject: [PATCH 09/13] Modify Swimm unit: Add a new configuration setting to the Agent Fixed a link --- .swm/AzD8XysWg1BBXCjCDkfq.swm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.swm/AzD8XysWg1BBXCjCDkfq.swm b/.swm/AzD8XysWg1BBXCjCDkfq.swm index a798922f0..eb0339fa3 100644 --- a/.swm/AzD8XysWg1BBXCjCDkfq.swm +++ b/.swm/AzD8XysWg1BBXCjCDkfq.swm @@ -70,7 +70,7 @@ }, { "type": "text", - "text": "* When changing config schema by adding or deleting keys, you need to update the Blackbox Test configurations as well [here](https://github.com/guardicore/monkey/tree/develop/envs/monkey_zoo/blackbox/island_configs)." + "text": "* When changing config schema by adding or deleting keys, you need to update the Blackbox Test configurations as well [here](https://github.com/guardicore/monkey/tree/develop/envs/monkey_zoo/blackbox/config_templates)." } ], "symbols": {}, From f60f38d14df0937e73febea247c66c81bbdc6852 Mon Sep 17 00:00:00 2001 From: Shreya Date: Thu, 8 Apr 2021 16:40:26 +0530 Subject: [PATCH 10/13] Fix Swimm unit: Add a new System Info Collector --- .swm/OwcKMnALpn7tuBaJY1US.swm | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.swm/OwcKMnALpn7tuBaJY1US.swm b/.swm/OwcKMnALpn7tuBaJY1US.swm index 1f1b0ace0..059b74477 100644 --- a/.swm/OwcKMnALpn7tuBaJY1US.swm +++ b/.swm/OwcKMnALpn7tuBaJY1US.swm @@ -37,7 +37,7 @@ "firstLineNumber": 1, "lines": [ " import logging", - "*import socket", + " import socket", "*", "*from common.common_consts.system_info_collectors_names import HOSTNAME_COLLECTOR", "*from infection_monkey.system_info.system_info_collector import SystemInfoCollector", @@ -149,10 +149,10 @@ " import logging", " import typing", " ", - "*from common.common_consts.system_info_collectors_names import (", + " from common.common_consts.system_info_collectors_names import (", " AWS_COLLECTOR,", " ENVIRONMENT_COLLECTOR,", - " HOSTNAME_COLLECTOR," + "* HOSTNAME_COLLECTOR," ] }, { @@ -176,7 +176,7 @@ " )", " from monkey_island.cc.services.telemetry.processing.system_info_collectors.environment import (", " process_environment_telemetry,", - "*)", + " )", "*from monkey_island.cc.services.telemetry.processing.system_info_collectors.hostname import (", "* process_hostname_telemetry,", "*)", From e1ec0263a80ba712c26c82a34faeb56e4d42907e Mon Sep 17 00:00:00 2001 From: Shreya Date: Thu, 8 Apr 2021 17:03:09 +0530 Subject: [PATCH 11/13] Fix Swimm unit: Add a simple Post Breach action --- .swm/tbxb2cGgUiJQ8Btma0fp.swm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.swm/tbxb2cGgUiJQ8Btma0fp.swm b/.swm/tbxb2cGgUiJQ8Btma0fp.swm index c6d72185d..4450451e1 100644 --- a/.swm/tbxb2cGgUiJQ8Btma0fp.swm +++ b/.swm/tbxb2cGgUiJQ8Btma0fp.swm @@ -58,8 +58,8 @@ "comments": [], "firstLineNumber": 1, "lines": [ - "*from common.common_consts.post_breach_consts import (", - " POST_BREACH_BACKDOOR_USER,", + " from common.common_consts.post_breach_consts import (", + "* POST_BREACH_BACKDOOR_USER,", " POST_BREACH_COMMUNICATE_AS_NEW_USER,", " )" ] From 0f2ecc14cc22b5e088775e6f61650a335a4a188c Mon Sep 17 00:00:00 2001 From: Shreya Date: Thu, 8 Apr 2021 17:08:41 +0530 Subject: [PATCH 12/13] =?UTF-8?q?Modify=20Swimm=20unit:=20Implement=20a=20?= =?UTF-8?q?new=20PBA=20=E2=80=94=20=20`ScheduleJobs`?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .swm/VW4rf3AxRslfT7lwaug7.swm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.swm/VW4rf3AxRslfT7lwaug7.swm b/.swm/VW4rf3AxRslfT7lwaug7.swm index d379af8ce..79d9deb21 100644 --- a/.swm/VW4rf3AxRslfT7lwaug7.swm +++ b/.swm/VW4rf3AxRslfT7lwaug7.swm @@ -34,7 +34,8 @@ "* )", "*", "* def run(self):", - "* super(ScheduleJobs, self).run()" + "* super(ScheduleJobs, self).run()", + "* remove_scheduled_jobs()" ] }, { From 2f8441f1d58f2e187eb01321db4179bcbf798c5f Mon Sep 17 00:00:00 2001 From: Shreya Date: Thu, 8 Apr 2021 17:12:10 +0530 Subject: [PATCH 13/13] Update travis script for swimm verify --- .travis.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.travis.yml b/.travis.yml index 80b17df46..792c3b567 100644 --- a/.travis.yml +++ b/.travis.yml @@ -80,11 +80,10 @@ script: # verify swimm - cd $TRAVIS_BUILD_DIR -- wget "https://github.com/swimmio/SwimmReleases/releases/download/v0.4.1-0/Swimm_0.4.1-0_Setup.deb" -O swimm -- sudo dpkg -i swimm || (sudo apt-get update && sudo apt-get -f install) -- chmod +x ./swimm -- swimm --version -- swimm verify +- curl -s https://api.github.com/repos/swimmio/SwimmReleases/releases/latest | grep 'browser_download_url.*swimm-cli' | cut -d '"' -f 4 | wget -O swimm_cli -qi - +- chmod +x swimm_cli +- node swimm_cli --version +- node swimm_cli verify after_success: # Upload code coverage results to codecov.io, see https://github.com/codecov/codecov-bash for more information