From 1ef884ae4e646e6c3a47c8f685e3f8cd4a431ea4 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Mon, 23 Aug 2021 09:43:46 -0400
Subject: [PATCH 1/4] Agent: Add pyinstaller hook for post_breach package
---
 .../pyinstaller_hooks/hook-infection_monkey.post_breach.py | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 monkey/infection_monkey/pyinstaller_hooks/hook-infection_monkey.post_breach.py
diff --git a/monkey/infection_monkey/pyinstaller_hooks/hook-infection_monkey.post_breach.py b/monkey/infection_monkey/pyinstaller_hooks/hook-infection_monkey.post_breach.py
new file mode 100644
index 000000000..1deab1ee4
--- /dev/null
+++ b/monkey/infection_monkey/pyinstaller_hooks/hook-infection_monkey.post_breach.py
@@ -0,0 +1,3 @@
+from PyInstaller.utils.hooks import collect_data_files
+
+datas = collect_data_files("infection_monkey.post_breach", include_py_files=False)
From 536b061cc7592380490b9070f58097f52591324e Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Mon, 23 Aug 2021 11:10:57 -0400
Subject: [PATCH 2/4] Agent: Remove unused TEMP_FILE constant from windows timestomping PBA
---
 .../post_breach/timestomping/windows/timestomping.py | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/monkey/infection_monkey/post_breach/timestomping/windows/timestomping.py b/monkey/infection_monkey/post_breach/timestomping/windows/timestomping.py
index dbea6aaea..2479317cc 100644
--- a/monkey/infection_monkey/post_breach/timestomping/windows/timestomping.py
+++ b/monkey/infection_monkey/post_breach/timestomping/windows/timestomping.py
@@ -1,6 +1,3 @@
-TEMP_FILE = "monkey-timestomping-file.txt"
-
-
 def get_windows_timestomping_commands():
     return "powershell.exe infection_monkey/post_breach/timestomping/windows/timestomping.ps1"
 
From 7f71901a29e1943e50f4d63e6ec9d482c87e759a Mon Sep 17 00:00:00 2001
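Review bot: The new hook file carries no comment saying which assets it exists to collect, so `include_py_files=False` reads as arbitrary and a later cleanup could drop the hook without seeing that the `post_breach` PowerShell scripts located via `Path(__file__).parent` in patch 3 of this series depend on it. I would add above the `datas =` line: `# Collect the non-Python data files under post_breach (the PBAs' .ps1 scripts) so that Path(__file__)-relative lookups in the PBA modules resolve inside the frozen agent.` Excluding `.py` files is presumably deliberate because the modules themselves are found by PyInstaller's normal import analysis; a short clause saying so would save the next reader the same guess.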
From: Mike Salvatore
Date: Mon, 23 Aug 2021 11:12:51 -0400
Subject: [PATCH 3/4] Agent: Use path relative to __file__ to locate powershell scripts
---
 .../windows/shell_startup_files_modification.py | 6 ++++--
 .../post_breach/timestomping/windows/timestomping.py | 7 ++++++-
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/monkey/infection_monkey/post_breach/shell_startup_files/windows/shell_startup_files_modification.py b/monkey/infection_monkey/post_breach/shell_startup_files/windows/shell_startup_files_modification.py
index 62fd9425e..9d90f3812 100644
--- a/monkey/infection_monkey/post_breach/shell_startup_files/windows/shell_startup_files_modification.py
+++ b/monkey/infection_monkey/post_breach/shell_startup_files/windows/shell_startup_files_modification.py
@@ -1,7 +1,10 @@
 import subprocess
+from pathlib import Path
 
 from infection_monkey.utils.environment import is_windows_os
 
+MODIFY_POWERSHELL_STARTUP_SCRIPT = Path(__file__).parent / "modify_powershell_startup_file.ps1"
+
 
 def get_windows_commands_to_modify_shell_startup_files():
     if not is_windows_os():
@@ -28,7 +31,6 @@ def get_windows_commands_to_modify_shell_startup_files():
     return [
         "powershell.exe",
-        "infection_monkey/post_breach/shell_startup_files/windows"
-        "/modify_powershell_startup_file.ps1",
+        str(MODIFY_POWERSHELL_STARTUP_SCRIPT),
         "-startup_file_path {0}",
     ], STARTUP_FILES_PER_USER
diff --git a/monkey/infection_monkey/post_breach/timestomping/windows/timestomping.py b/monkey/infection_monkey/post_breach/timestomping/windows/timestomping.py
index 2479317cc..1316caa5a 100644
--- a/monkey/infection_monkey/post_breach/timestomping/windows/timestomping.py
+++ b/monkey/infection_monkey/post_breach/timestomping/windows/timestomping.py
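Review bot: `MODIFY_POWERSHELL_STARTUP_SCRIPT = Path(__file__).parent / "modify_powershell_startup_file.ps1"` is evaluated at import time with no comment explaining why the path is now derived from `__file__` instead of the old checkout-relative string, and nothing points a reader to the PyInstaller hook that makes the `.ps1` file exist next to this module in a frozen build. I would add above it: `# Resolved relative to this module rather than the working directory so the script is found both from a source checkout and from the PyInstaller bundle (the .ps1 is collected by pyinstaller_hooks/hook-infection_monkey.post_breach.py).` The second hunk, where `str(MODIFY_POWERSHELL_STARTUP_SCRIPT)` replaces the two-part literal as its own list element, looks correct; its enclosing function `get_windows_commands_to_modify_shell_startup_files` begins before that hunk. That `__file__` points at the extracted copy in the bundle is something I infer from the hook elsewhere in this series, not from these lines.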
@@ -1,5 +1,10 @@
+from pathlib import Path
+
+TIMESTOMPING_SCRIPT = Path(__file__).parent / "timestomping.ps1"
+
+
 def get_windows_timestomping_commands():
-    return "powershell.exe infection_monkey/post_breach/timestomping/windows/timestomping.ps1"
+    return f"powershell.exe {TIMESTOMPING_SCRIPT}"
 
 
 # Commands' source: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006
From 342b5689f18f0797917c9daa987068b9d1cc943e Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Mon, 23 Aug 2021 11:44:29 -0400
Subject: [PATCH 4/4] Update changelog with fixes for #1405 and #1419
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 66bf63f90..1dc95da43 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,8 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 - Typo "trough" -> "through" in telemetry and docstring.
 - Crash when unexpected character encoding is used by ping command on German language systems. #1175
+- Malfunctioning timestomping PBA. #1405
+- Malfunctioning shell startup script PBA. #1419
 
 ## [1.11.0] - 2021-08-13
 
 ### Added
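Review bot: `return f"powershell.exe {TIMESTOMPING_SCRIPT}"` interpolates an absolute path into a single command string with no quoting, so if the agent is unpacked under a directory whose name contains a space the command line splits at that space and the script is never found; the old relative path had no such exposure. The companion change to shell_startup_files_modification.py in this same patch passes the script path as its own list element, which sidesteps the problem, so this function is now the inconsistent one. The smallest fix here is `return f'powershell.exe -File "{TIMESTOMPING_SCRIPT}"'`, quoting the path and naming `-File` explicitly so powershell.exe takes the argument as a script path rather than command text. How the returned string is executed lies outside this hunk, so whether a shell is involved cannot be confirmed from here.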