Merge pull request #1815 from guardicore/1604-remove-pba-plugin-dependency

Remove PBA's Plugin dependency + add display_name to PostBreachData
This commit is contained in:
Shreya Malviya 2022-03-25 14:29:51 +05:30 committed by GitHub
commit 5bc961d715
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 10 additions and 32 deletions

View File

@ -34,7 +34,7 @@ class ExploiterResultData:
PingScanData = namedtuple("PingScanData", ["response_received", "os"])
PortScanData = namedtuple("PortScanData", ["port", "status", "banner", "service"])
FingerprintData = namedtuple("FingerprintData", ["os_type", "os_version", "services"])
PostBreachData = namedtuple("PostBreachData", ["command", "result"])
PostBreachData = namedtuple("PostBreachData", ["display_name", "command", "result"])
class IPuppet(metaclass=abc.ABCMeta):

View File

@ -195,14 +195,11 @@ class AutomatedMaster(IMaster):
logger.debug(f"No credentials were collected by {collector}")
def _run_pba(self, pba: Tuple[str, Dict]):
# TODO: This is the class's name right now. We need `display_name` (see the
# ProcessListCollection PBA). This is shown in the Security report as the PBA
# name and is checked against in the T1082's mongo query in the ATT&CK report.
name = pba[0]
options = pba[1]
command, result = self._puppet.run_pba(name, options)
self._telemetry_messenger.send_telemetry(PostBreachTelem(name, command, result))
display_name, command, result = self._puppet.run_pba(name, options)
self._telemetry_messenger.send_telemetry(PostBreachTelem(display_name, command, result))
def _can_propagate(self) -> bool:
return True

View File

@ -50,12 +50,12 @@ class MockMaster(IMaster):
logger.info("Running post breach actions")
name = "AccountDiscovery"
command, result = self._puppet.run_pba(name, {})
self._telemetry_messenger.send_telemetry(PostBreachTelem(name, command, result))
display_name, command, result = self._puppet.run_pba(name, {})
self._telemetry_messenger.send_telemetry(PostBreachTelem(display_name, command, result))
name = "CommunicateAsBackdoorUser"
command, result = self._puppet.run_pba(name, {})
self._telemetry_messenger.send_telemetry(PostBreachTelem(name, command, result))
display_name, command, result = self._puppet.run_pba(name, {})
self._telemetry_messenger.send_telemetry(PostBreachTelem(display_name, command, result))
logger.info("Finished running post breach actions")
def _scan_victims(self):

View File

@ -1,31 +1,20 @@
import logging
import subprocess
import infection_monkey.post_breach.actions
from common.utils.attack_utils import ScanStatus
from infection_monkey.config import WormConfiguration
from infection_monkey.telemetry.attack.t1064_telem import T1064Telem
from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
from infection_monkey.utils.environment import is_windows_os
from infection_monkey.utils.plugins.plugin import Plugin
logger = logging.getLogger(__name__)
class PBA(Plugin):
class PBA:
"""
Post breach action object. Can be extended to support more than command execution on target
machine.
"""
@staticmethod
def base_package_name():
return infection_monkey.post_breach.actions.__package__
@staticmethod
def base_package_file():
return infection_monkey.post_breach.actions.__file__
def __init__(self, name="unknown", linux_cmd="", windows_cmd=""):
"""
:param name: Name of post breach action.
@ -35,14 +24,6 @@ class PBA(Plugin):
self.command = PBA.choose_command(linux_cmd, windows_cmd)
self.name = name
@staticmethod
def should_run(class_name):
"""
Decides if post breach action is enabled in config
:return: True if it needs to be ran, false otherwise
"""
return class_name in WormConfiguration.post_breach_actions
def run(self):
"""
Runs post breach action command

View File

@ -53,9 +53,9 @@ class MockPuppet(IPuppet):
logger.debug(f"run_pba({name}, {options})")
if name == "AccountDiscovery":
return PostBreachData("pba command 1", ["pba result 1", True])
return PostBreachData(name, "pba command 1", ["pba result 1", True])
else:
return PostBreachData("pba command 2", ["pba result 2", False])
return PostBreachData(name, "pba command 2", ["pba result 2", False])
def ping(self, host: str, timeout: float = 1) -> PingScanData:
logger.debug(f"run_ping({host}, {timeout})")