From 7e293ac16d084e737d3d3fbde506f9f669616381 Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Mon, 30 Aug 2021 10:54:23 +0200
Subject: [PATCH] Remove Backdoor user PBA

---
 .swm/tbxb2cGgUiJQ8Btma0fp.swm | 122 ------------------
 .../common_consts/post_breach_consts.py | 1 -
 .../post_breach/actions/add_user.py | 18 ---
 monkey/infection_monkey/utils/users.py | 8 --
 .../attack/technique_reports/T1136.py | 7 +-
 .../attack/technique_reports/pba_technique.py | 2 +-
 .../definitions/post_breach_actions.py | 8 --
 .../cc/services/config_schema/monkey.py | 1 -
 .../monkey_config_standard.json | 1 -
 9 files changed, 3 insertions(+), 165 deletions(-)
 delete mode 100644 .swm/tbxb2cGgUiJQ8Btma0fp.swm
 delete mode 100644 monkey/infection_monkey/post_breach/actions/add_user.py
 delete mode 100644 monkey/infection_monkey/utils/users.py

diff --git a/.swm/tbxb2cGgUiJQ8Btma0fp.swm b/.swm/tbxb2cGgUiJQ8Btma0fp.swm
deleted file mode 100644
index 50ad35ca0..000000000
--- a/.swm/tbxb2cGgUiJQ8Btma0fp.swm
+++ /dev/null
@@ -1,122 +0,0 @@ -{ - "id": "tbxb2cGgUiJQ8Btma0fp", - "name": "Add a simple Post Breach action", - "task": { - "dod": "You should add a new PBA to the Monkey which creates a new user on the machine.", - "tests": [], - "hints": [ - "See `ScheduleJobs` PBA for an example of a PBA which only uses shell commands.", - "Make sure to add the PBA to the configuration as well.", - "MITRE ATT&CK technique T1136 articulates that adversaries may create an account to maintain access to victim systems, therefore, the BackdoorUser PBA is relevant to it. Make sure to map this PBA to the MITRE ATT&CK configuration and report." - ] - }, - "content": [ - { - "type": "text", - "text": "Read [our documentation about adding a new PBA](https://www.guardicore.com/infectionmonkey/docs/development/adding-post-breach-actions/).\n\nAfter that we want you to add the BackdoorUser PBA. The commands that add users for Win and Linux can be retrieved from `get_commands_to_add_user` - make sure you see how to use this function correctly. \n\nNote that the PBA should impact the T1136 MITRE technique as well! \n\n# Manual test to confirm\n\n1. Run the Monkey Island\n2. Make sure your new PBA is enabled by default in the config - for this test, disable network scanning, exploiting, and all other PBAs\n3. Run Monkey\n4. 
See the PBA in the security report\n5, See the PBA in the MITRE report in the relevant technique\n" - }, - { - "type": "snippet", - "path": "monkey/common/common_consts/post_breach_consts.py", - "comments": [], - "firstLineNumber": 1, - "lines": [ - " POST_BREACH_COMMUNICATE_AS_NEW_USER = \"Communicate as new user\"", - "*POST_BREACH_BACKDOOR_USER = \"Backdoor user\"", - "+# Swimmer: PUT THE NEW CONST HERE!", - " POST_BREACH_FILE_EXECUTION = \"File execution\"", - " POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION = \"Modify shell startup file\"", - " POST_BREACH_HIDDEN_FILES = \"Hide files and directories\"" - ] - }, - { - "type": "snippet", - "path": "monkey/infection_monkey/post_breach/actions/add_user.py", - "comments": [], - "firstLineNumber": 1, - "lines": [ - "*from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER", - "*from infection_monkey.config import WormConfiguration", - "*from infection_monkey.post_breach.pba import PBA", - "*from infection_monkey.utils.random_password_generator import get_random_password", - "*from infection_monkey.utils.users import get_commands_to_add_user", - "*", - "*", - "*class BackdoorUser(PBA):", - "* def __init__(self):", - "* random_password = get_random_password()", - "*", - "* linux_cmds, windows_cmds = get_commands_to_add_user(", - "* WormConfiguration.user_to_add, random_password", - "* )", - "*", - "* super(BackdoorUser, self).__init__(", - "* POST_BREACH_BACKDOOR_USER, linux_cmd=\" \".join(linux_cmds), windows_cmd=windows_cmds", - "* )" - ] - }, - { - "type": "snippet", - "path": "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py", - "comments": [], - "firstLineNumber": 1, - "lines": [ - " from common.common_consts.post_breach_consts import (", - "* POST_BREACH_BACKDOOR_USER,", - " POST_BREACH_COMMUNICATE_AS_NEW_USER,", - " )" - ] - }, - { - "type": "snippet", - "path": "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py", - "comments": [], - "firstLineNumber": 12, - 
"lines": [ - " unscanned_msg = \"Monkey didn't try creating a new user on the network's systems.\"", - " scanned_msg = \"Monkey tried creating a new user on the network's systems, but failed.\"", - " used_msg = \"Monkey created a new user on the network's systems.\"", - "* pba_names = [POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER]", - "+ pba_names = [POST_BREACH_COMMUNICATE_AS_NEW_USER]" - ] - }, - { - "type": "snippet", - "path": "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py", - "comments": [], - "firstLineNumber": 5, - "lines": [ - " \"might do after breaching a new machine. Used in ATT&CK and Zero trust reports.\",", - " \"type\": \"string\",", - " \"anyOf\": [", - "* {", - "+ # Swimmer: Add new PBA here to config!", - "* \"type\": \"string\",", - "* \"enum\": [\"BackdoorUser\"],", - "* \"title\": \"Back door user\",", - "* \"safe\": True,", - "* \"info\": \"Attempts to create a new user on the system and delete it afterwards.\",", - "* \"attack_techniques\": [\"T1136\"],", - "* },", - " {", - " \"type\": \"string\",", - " \"enum\": [\"CommunicateAsNewUser\"]," - ] - }, - { - "type": "text", - "text": "Take a look at the configuration of the island again - see the \"command to run after breach\" option we offer the user? It's implemented exactly like you did right now but each user can do it for themselves. \n\nHowever, what if the PBA needs to do stuff which is more complex than just running a few commands? In that case... 
"
- }
- ],
- "symbols": {},
- "file_version": "2.0.1",
- "meta": {
- "app_version": "0.4.4-0",
- "file_blobs": {
- "monkey/common/common_consts/post_breach_consts.py": "25e6679cb1623aae1a732deb05cc011a452743e3",
- "monkey/infection_monkey/post_breach/actions/add_user.py": "26b048a492fcb6d319fc0c01d2f4a0bd302ecbc8",
- "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py": "dfc5945a362b88c1135f4476526c6c82977b02ee",
- "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "086dc85693ae02ddfa106099245c0f155139805c"
- }
- }
-}
diff --git a/monkey/common/common_consts/post_breach_consts.py b/monkey/common/common_consts/post_breach_consts.py
index 25e6679cb..5198f0068 100644
--- a/monkey/common/common_consts/post_breach_consts.py
+++ b/monkey/common/common_consts/post_breach_consts.py
@@ -1,5 +1,4 @@
 POST_BREACH_COMMUNICATE_AS_NEW_USER = "Communicate as new user"
-POST_BREACH_BACKDOOR_USER = "Backdoor user"
 POST_BREACH_FILE_EXECUTION = "File execution"
 POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION = "Modify shell startup file"
 POST_BREACH_HIDDEN_FILES = "Hide files and directories"
diff --git a/monkey/infection_monkey/post_breach/actions/add_user.py b/monkey/infection_monkey/post_breach/actions/add_user.py
deleted file mode 100644
index 26b048a49..000000000
--- a/monkey/infection_monkey/post_breach/actions/add_user.py
+++ /dev/null
@@ -1,18 +0,0 @@
-from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER
-from infection_monkey.config import WormConfiguration
-from infection_monkey.post_breach.pba import PBA
-from infection_monkey.utils.random_password_generator import get_random_password
-from infection_monkey.utils.users import get_commands_to_add_user
-
-
-class BackdoorUser(PBA):
- def __init__(self):
- random_password = get_random_password()
-
- linux_cmds, windows_cmds = get_commands_to_add_user(
- WormConfiguration.user_to_add, random_password
- )
-
- super(BackdoorUser, self).__init__(
- POST_BREACH_BACKDOOR_USER, linux_cmd=" ".join(linux_cmds), windows_cmd=windows_cmds
- )
diff --git a/monkey/infection_monkey/utils/users.py b/monkey/infection_monkey/utils/users.py
deleted file mode 100644
index b2f29db85..000000000
--- a/monkey/infection_monkey/utils/users.py
+++ /dev/null
@@ -1,8 +0,0 @@
-from infection_monkey.utils.linux.users import get_linux_commands_to_add_user
-from infection_monkey.utils.windows.users import get_windows_commands_to_add_user
-
-
-def get_commands_to_add_user(username, password):
- linux_cmds = get_linux_commands_to_add_user(username)
- windows_cmds = get_windows_commands_to_add_user(username, password)
- return linux_cmds, windows_cmds
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
index ed5a820a5..9280200de 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
@@ -1,7 +1,4 @@
-from common.common_consts.post_breach_consts import (
- POST_BREACH_BACKDOOR_USER,
- POST_BREACH_COMMUNICATE_AS_NEW_USER,
-)
+from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_NEW_USER
 from monkey_island.cc.services.attack.technique_reports.pba_technique import PostBreachTechnique
@@ -10,4 +7,4 @@ class T1136(PostBreachTechnique):
 unscanned_msg = "Monkey didn't try creating a new user on the network's systems."
 scanned_msg = "Monkey tried creating a new user on the network's systems, but failed."
 used_msg = "Monkey created a new user on the network's systems."
- pba_names = [POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER]
+ pba_names = [POST_BREACH_COMMUNICATE_AS_NEW_USER]
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py b/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py
index 5460caf4c..8a09027db 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py
@@ -22,7 +22,7 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
 """
 :param post_breach_action_names: Names of post-breach actions with which the technique is associated
- (example - `["Communicate as new user", "Backdoor user"]` for T1136)
+ (example - `["Communicate as new user"]` for T1136)
 :return: Mongo query that parses attack telemetries for a simple report component (gets machines and post-breach action usage).
 """
diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py
index 086dc8569..a77a95709 100644
--- a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py
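Review bot: With `pba_names = [POST_BREACH_COMMUNICATE_AS_NEW_USER]`, the T1136 query built from this list no longer matches telemetry whose post-breach action name is the literal "Backdoor user", so any such records already held by the island (runs made before this upgrade, or an agent binary built before the removal) would silently drop out of the technique report rather than appear as an unmapped or failed action. Whether such records persist across an island upgrade is not visible from the hunk; if they can, keep the retired name in the query for one release, e.g. `pba_names = [POST_BREACH_COMMUNICATE_AS_NEW_USER, "Backdoor user"]  # legacy name; PBA removed`, otherwise a short comment stating that pre-removal "Backdoor user" telemetry is intentionally no longer attributed to T1136 would spare the next reader the search. The `class T1136` header sits outside the hunk, so whether the class defines anything after `pba_names` cannot be seen here.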
@@ -5,14 +5,6 @@ POST_BREACH_ACTIONS = {
 "might do after breaching a new machine. Used in ATT&CK and Zero trust reports.",
 "type": "string",
 "anyOf": [
- {
- "type": "string",
- "enum": ["BackdoorUser"],
- "title": "Back door user",
- "safe": True,
- "info": "Attempts to create a new user on the system and delete it afterwards.",
- "attack_techniques": ["T1136"],
- },
 {
 "type": "string",
 "enum": ["CommunicateAsNewUser"],
diff --git a/monkey/monkey_island/cc/services/config_schema/monkey.py b/monkey/monkey_island/cc/services/config_schema/monkey.py
index e745da582..4bff861c1 100644
--- a/monkey/monkey_island/cc/services/config_schema/monkey.py
+++ b/monkey/monkey_island/cc/services/config_schema/monkey.py
@@ -67,7 +67,6 @@ MONKEY = {
 "uniqueItems": True,
 "items": {"$ref": "#/definitions/post_breach_actions"},
 "default": [
- "BackdoorUser",
 "CommunicateAsNewUser",
 "ModifyShellStartupFiles",
 "HiddenFiles",
diff --git a/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json b/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
index a18fb0adc..b34a76feb 100644
--- a/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
+++ b/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
@@ -175,7 +175,6 @@
 "PBA_windows_filename": "",
 "PBA_linux_filename": "",
 "post_breach_actions": [
- "BackdoorUser",
 "CommunicateAsNewUser",
 "ModifyShellStartupFiles",
 "HiddenFiles",