Merge pull request #757 from shreyamalviya/windows-shell-startup-pba-fix

Windows' "modify shell startup files" PBA fix
VakarisZ 2020-08-04 16:47:31 +03:00 committed by GitHub
commit d3790ee5d8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 31 additions and 6 deletions


@ -35,7 +35,7 @@ class ModifyShellStartupFiles(PBA):
for startup_file_per_user in shell_startup_files_per_user_for_windows: for startup_file_per_user in shell_startup_files_per_user_for_windows:
windows_cmds = ' '.join(cmds_for_windows).format(startup_file_per_user) windows_cmds = ' '.join(cmds_for_windows).format(startup_file_per_user)
pbas.append(self.ModifyShellStartupFile(linux_cmds='', windows_cmds=['powershell.exe', windows_cmds])) pbas.append(self.ModifyShellStartupFile(linux_cmds='', windows_cmds=windows_cmds))
for username in usernames_for_linux: for username in usernames_for_linux:
for shell_startup_file in shell_startup_files_for_linux: for shell_startup_file in shell_startup_files_for_linux:
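Review bot: On what appears to be the new side of this hunk (inferred from the third file, where `'powershell.exe'` now heads the returned list) `windows_cmds` is handed to `self.ModifyShellStartupFile` as one pre-joined string instead of a list, a type change that is invisible without cross-referencing the helper; a comment on that line would save the next reader the lookup, e.g. `# windows_cmds is a single space-joined command string; cmds_for_windows already begins with 'powershell.exe'`. Note also that `.format(startup_file_per_user)` runs over the whole joined string, so any literal braces later added to `cmds_for_windows` (PowerShell script blocks) would raise or mis-format rather than reach PowerShell. The enclosing loops and the method begin before and continue past this hunk.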


@ -0,0 +1,26 @@
param (
[string]$startup_file_path = $profile
)
# check if paths exist already
$startup_file_prev_exists = Test-Path $startup_file_path
$startup_file_folder_path = ($startup_file_path -split '\\')[0..(($startup_file_path -split '\\').count -2)] -join '\'
$startup_file_folder_prev_exists = Test-Path $startup_file_folder_path
# carry out pba
If (!($startup_file_prev_exists)) { # create profile.ps1 file if it doesn't exist already
[Void](New-Item -Path $startup_file_path -ItemType "file" -Force)
}
Add-Content $startup_file_path "# Successfully modified $startup_file_path" ; # add line to $Profile
cat $startup_file_path | Select -last 1 ; # print last line of $Profile
$OldProfile = cat $startup_file_path | Select -skiplast 1 ; # get file's original content
Set-Content $startup_file_path -Value $OldProfile ; # restore file's original content
# cleanup
If (!($startup_file_prev_exists)) { # remove file if it didn't exist previously
Remove-Item -Path $startup_file_path -Force ;
}
If (!($startup_file_folder_prev_exists)) { # remove folder if it didn't exist previously
Remove-Item -Path $startup_file_folder_path -Force -Recurse ;
}
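Review bot: The restore in `$OldProfile = cat $startup_file_path | Select -skiplast 1` / `Set-Content $startup_file_path -Value $OldProfile` is not a faithful restore of the victim's profile: as far as I can tell Add-Content does not insert a leading newline, so when the existing profile lacks a trailing newline the marker is glued onto the user's last line and `Select -skiplast 1` then discards that original line, and Set-Content re-encodes and re-terminates every remaining line. Because this post-breach action edits a real user's PowerShell profile on a compromised host, it should snapshot the original bytes before touching the file and write them back verbatim, e.g. `$original_bytes = [IO.File]::ReadAllBytes($startup_file_path)` (only when `$startup_file_prev_exists`) before the Add-Content, and `[IO.File]::WriteAllBytes($startup_file_path, $original_bytes)` in place of the cat/Set-Content pair. The parent computation in `$startup_file_folder_path = ($startup_file_path -split '\\')[0..(...)] -join '\'` is clearer and safer as `Split-Path -Parent $startup_file_path`, and note that `New-Item -Force` may create several missing parent directories while the cleanup removes only the immediate one. A header comment should state the script's contract: it appends one marker line to the given profile, prints it, and must leave the file and its directory exactly as found.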


@ -13,6 +13,7 @@ def get_windows_commands_to_modify_shell_startup_files():
# get list of usernames # get list of usernames
USERS = subprocess.check_output('dir C:\\Users /b', shell=True).decode().split("\r\n")[:-1] # noqa: DUO116 USERS = subprocess.check_output('dir C:\\Users /b', shell=True).decode().split("\r\n")[:-1] # noqa: DUO116
USERS.remove("Public")
STARTUP_FILES_PER_USER = ['\\'.join(SHELL_STARTUP_FILE_PATH_COMPONENTS[:2] + STARTUP_FILES_PER_USER = ['\\'.join(SHELL_STARTUP_FILE_PATH_COMPONENTS[:2] +
[user] + [user] +
@ -20,9 +21,7 @@ def get_windows_commands_to_modify_shell_startup_files():
for user in USERS] for user in USERS]
return [ return [
'Add-Content {0}', 'powershell.exe',
'\"# Successfully modified {0}\" ;', # add line to $profile 'infection_monkey/post_breach/shell_startup_files/windows/modify_powershell_startup_file.ps1',
'cat {0} | Select -last 1 ;', # print last line of $profile '-startup_file_path {0}'
'$OldProfile = cat {0} | Select -skiplast 1 ;',
'Set-Content {0} -Value $OldProfile ;' # remove last line of $profile
], STARTUP_FILES_PER_USER ], STARTUP_FILES_PER_USER
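Review bot: `'-startup_file_path {0}'` interpolates the per-user path unquoted into a single space-joined command string (the caller does `' '.join(cmds_for_windows).format(...)`), so a user directory containing a space such as `C:\Users\John Doe` splits into extra arguments and the script targets the wrong path, and because `USERS` comes straight from `dir C:\Users /b`, a crafted directory name under `C:\Users` is parsed by PowerShell as command text. The safest fix is to keep the script path and `-startup_file_path <path>` as separate argv entries all the way to the executor (which is outside this diff) rather than joining them; if the string form must stay, at least quote the placeholder. Invoking a `.ps1` file also needs the execution policy relaxed, which the previous inline commands did not, e.g. `'powershell.exe', '-ExecutionPolicy', 'Bypass', '-File', '...modify_powershell_startup_file.ps1', '-startup_file_path {0}'`; otherwise on a default Restricted client SKU the action fails for every user, and the relative script path additionally depends on the monkey process's working directory on the victim. In the first hunk `USERS.remove("Public")` raises ValueError when `Public` is absent; `USERS = [u for u in USERS if u != "Public"]` is safer. `get_windows_commands_to_modify_shell_startup_files` starts before these hunks.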