forked from p15670423/monkey
Merge pull request #796 from shreyamalviya/T1099
Add T1099 attack technique (timestomping)
This commit is contained in:
Shreya Malviya
GitHub
commit
836647eadf
|
|
@ -6,6 +6,7 @@ POST_BREACH_HIDDEN_FILES = "Hide files and directories"
|
|||
POST_BREACH_TRAP_COMMAND = "Execute command when a particular signal is received"
|
||||
POST_BREACH_SETUID_SETGID = "Setuid and Setgid"
|
||||
POST_BREACH_JOB_SCHEDULING = "Schedule jobs"
|
||||
POST_BREACH_TIMESTOMPING = "Modify files' timestamps"
|
||||
POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC = "Signed script proxy execution"
|
||||
POST_BREACH_ACCOUNT_DISCOVERY = "Account discovery"
|
||||
POST_BREACH_CLEAR_CMD_HISTORY = "Clear command history"
|
||||
|
|
|
|||
|
|
@ -0,0 +1,12 @@
|
|||
from common.data.post_breach_consts import POST_BREACH_TIMESTOMPING
|
||||
from infection_monkey.post_breach.pba import PBA
|
||||
from infection_monkey.post_breach.timestomping.timestomping import \
|
||||
get_timestomping_commands
|
||||
|
||||
|
||||
class Timestomping(PBA):
|
||||
def __init__(self):
|
||||
linux_cmds, windows_cmds = get_timestomping_commands()
|
||||
super().__init__(POST_BREACH_TIMESTOMPING,
|
||||
linux_cmd=linux_cmds,
|
||||
windows_cmd=windows_cmds)
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
TEMP_FILE = 'monkey-timestomping-file.txt'
|
||||
TIMESTAMP_EPOCH = '197001010000.00'
|
||||
|
||||
|
||||
def get_linux_timestomping_commands():
|
||||
return [
|
||||
f'echo "Successfully changed a file\'s modification timestamp" > {TEMP_FILE} && '
|
||||
f'touch -m -t {TIMESTAMP_EPOCH} {TEMP_FILE} && '
|
||||
f'cat {TEMP_FILE} ; '
|
||||
f'rm {TEMP_FILE} -f'
|
||||
]
|
||||
|
||||
|
||||
# Commands' source: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
from infection_monkey.post_breach.timestomping.linux.timestomping import \
|
||||
get_linux_timestomping_commands
|
||||
from infection_monkey.post_breach.timestomping.windows.timestomping import \
|
||||
get_windows_timestomping_commands
|
||||
|
||||
|
||||
def get_timestomping_commands():
|
||||
linux_cmds = get_linux_timestomping_commands()
|
||||
windows_cmds = get_windows_timestomping_commands()
|
||||
return linux_cmds, windows_cmds
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
$TEMP_FILE = 'monkey-timestomping-file.txt'
|
||||
$TIMESTAMP_EPOCH = '01/01/1970 00:00:00'
|
||||
|
||||
# create temporary file
|
||||
New-Item -Path $TEMP_FILE -Force | Out-Null
|
||||
Set-Content $TEMP_FILE -Value "Successfully changed a file's modification timestamp" -Force | Out-Null
|
||||
|
||||
# attempt to change modification timestamp
|
||||
Get-ChildItem $TEMP_FILE | % { $_.LastWriteTime = $TIMESTAMP_EPOCH }
|
||||
Get-Content $TEMP_FILE
|
||||
|
||||
# remove temporary file
|
||||
Remove-Item $TEMP_FILE -Force -ErrorAction Ignore
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
TEMP_FILE = 'monkey-timestomping-file.txt'
|
||||
|
||||
|
||||
def get_windows_timestomping_commands():
|
||||
return 'powershell.exe infection_monkey/post_breach/timestomping/windows/timestomping.ps1'
|
||||
|
||||
|
||||
# Commands' source: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
|
||||
|
|
@ -11,16 +11,16 @@ from monkey_island.cc.services.attack.technique_reports import (T1003, T1005,
|
|||
T1065, T1075,
|
||||
T1082, T1086,
|
||||
T1087, T1090,
|
||||
T1105, T1106,
|
||||
T1107, T1110,
|
||||
T1129, T1136,
|
||||
T1145, T1146,
|
||||
T1154, T1156,
|
||||
T1158, T1166,
|
||||
T1168, T1188,
|
||||
T1197, T1210,
|
||||
T1216, T1222,
|
||||
T1504)
|
||||
T1099, T1105,
|
||||
T1106, T1107,
|
||||
T1110, T1129,
|
||||
T1136, T1145,
|
||||
T1146, T1154,
|
||||
T1156, T1158,
|
||||
T1166, T1168,
|
||||
T1188, T1197,
|
||||
T1210, T1216,
|
||||
T1222, T1504)
|
||||
from monkey_island.cc.services.reporting.report_generation_synchronisation import \
|
||||
safe_generate_attack_report
|
||||
|
||||
|
|
@ -60,6 +60,7 @@ TECHNIQUES = {'T1210': T1210.T1210,
|
|||
'T1166': T1166.T1166,
|
||||
'T1168': T1168.T1168,
|
||||
'T1053': T1053.T1053,
|
||||
'T1099': T1099.T1099,
|
||||
'T1216': T1216.T1216,
|
||||
'T1087': T1087.T1087,
|
||||
'T1146': T1146.T1146
|
||||
|
|
|
|||
|
|
@ -195,6 +195,15 @@ SCHEMA = {
|
|||
"link": "https://attack.mitre.org/techniques/T1222",
|
||||
"description": "Adversaries may modify file permissions/attributes to evade intended DACLs."
|
||||
},
|
||||
"T1099": {
|
||||
"title": "Timestomping",
|
||||
"type": "bool",
|
||||
"value": True,
|
||||
"necessary": False,
|
||||
"link": "https://attack.mitre.org/techniques/T1099",
|
||||
"description": "Adversaries may modify file time attributes to hide new/changes to existing "
|
||||
"files to avoid attention from forensic investigators or file analysis tools."
|
||||
},
|
||||
"T1216": {
|
||||
"title": "Signed script proxy execution",
|
||||
"type": "bool",
|
||||
|
|
|
|||
|
|
@ -0,0 +1,13 @@
|
|||
from common.data.post_breach_consts import POST_BREACH_TIMESTOMPING
|
||||
from monkey_island.cc.services.attack.technique_reports.pba_technique import \
|
||||
PostBreachTechnique
|
||||
|
||||
__author__ = "shreyamalviya"
|
||||
|
||||
|
||||
class T1099(PostBreachTechnique):
|
||||
tech_id = "T1099"
|
||||
unscanned_msg = "Monkey didn't try changing any file's time attributes."
|
||||
scanned_msg = "Monkey tried changing a file's time attributes but failed."
|
||||
used_msg = "Monkey successfully changed a file's time attributes."
|
||||
pba_names = [POST_BREACH_TIMESTOMPING]
|
||||
|
|
@ -71,6 +71,15 @@ POST_BREACH_ACTIONS = {
|
|||
"info": "Attempts to create a scheduled job on the system and remove it.",
|
||||
"attack_techniques": ["T1168", "T1053"]
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"Timestomping"
|
||||
],
|
||||
"title": "Timestomping",
|
||||
"info": "Creates a temporary file and attempts to modify its time attributes. Removes the file afterwards.",
|
||||
"attack_techniques": ["T1099"]
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
|
|
|
|||
|
|
@ -68,6 +68,7 @@ MONKEY = {
|
|||
"TrapCommand",
|
||||
"ChangeSetuidSetgid",
|
||||
"ScheduleJobs",
|
||||
"Timestomping",
|
||||
"AccountDiscovery"
|
||||
]
|
||||
},
|
||||
|
|
|
|||
|
|
@ -0,0 +1,45 @@
|
|||
import React from 'react';
|
||||
import ReactTable from 'react-table';
|
||||
import {renderMachineFromSystemData, ScanStatus} from './Helpers';
|
||||
import MitigationsComponent from './MitigationsComponent';
|
||||
|
||||
class T1099 extends React.Component {
|
||||
|
||||
constructor(props) {
|
||||
super(props);
|
||||
}
|
||||
|
||||
static getColumns() {
|
||||
return ([{
|
||||
columns: [
|
||||
{ Header: 'Machine',
|
||||
id: 'machine',
|
||||
accessor: x => renderMachineFromSystemData(x.machine),
|
||||
style: {'whiteSpace': 'unset'}},
|
||||
{ Header: 'Result',
|
||||
id: 'result',
|
||||
accessor: x => x.result,
|
||||
style: {'whiteSpace': 'unset'}}
|
||||
]
|
||||
}])
|
||||
}
|
||||
|
||||
render() {
|
||||
return (
|
||||
<div>
|
||||
<div>{this.props.data.message}</div>
|
||||
<br/>
|
||||
{this.props.data.status === ScanStatus.USED ?
|
||||
<ReactTable
|
||||
columns={T1099.getColumns()}
|
||||
data={this.props.data.info}
|
||||
showPagination={false}
|
||||
defaultPageSize={this.props.data.info.length}
|
||||
/> : ''}
|
||||
<MitigationsComponent mitigations={this.props.data.mitigations}/>
|
||||
</div>
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
export default T1099;
|
||||
Loading…
Reference in New Issue