Merge pull request #793 from shreyamalviya/T1087

Add T1087 attack technique (account discovery)
This commit is contained in:
Shreya Malviya 2020-08-27 10:47:28 +05:30 committed by GitHub
commit f8e1e7604f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 122 additions and 11 deletions

View File

@ -6,4 +6,5 @@ POST_BREACH_HIDDEN_FILES = "Hide files and directories"
POST_BREACH_TRAP_COMMAND = "Execute command when a particular signal is received" POST_BREACH_TRAP_COMMAND = "Execute command when a particular signal is received"
POST_BREACH_SETUID_SETGID = "Setuid and Setgid" POST_BREACH_SETUID_SETGID = "Setuid and Setgid"
POST_BREACH_JOB_SCHEDULING = "Schedule jobs" POST_BREACH_JOB_SCHEDULING = "Schedule jobs"
POST_BREACH_ACCOUNT_DISCOVERY = "Account discovery"
POST_BREACH_CLEAR_CMD_HISTORY = "Clear command history" POST_BREACH_CLEAR_CMD_HISTORY = "Clear command history"

View File

@ -0,0 +1,10 @@
from infection_monkey.post_breach.account_discovery.linux_account_discovery import \
get_linux_commands_to_discover_accounts
from infection_monkey.post_breach.account_discovery.windows_account_discovery import \
get_windows_commands_to_discover_accounts
def get_commands_to_discover_accounts():
linux_cmds = get_linux_commands_to_discover_accounts()
windows_cmds = get_windows_commands_to_discover_accounts()
return linux_cmds, windows_cmds

View File

@ -0,0 +1,7 @@
def get_linux_commands_to_discover_accounts():
return [
"echo \'Discovered the following user accounts:\'; ",
"cut -d: -f1,3 /etc/passwd | ",
"egrep ':[0-9]{4}$' | ",
"cut -d: -f1"
]

View File

@ -0,0 +1,2 @@
def get_windows_commands_to_discover_accounts():
return "powershell Get-LocalUser"

View File

@ -0,0 +1,12 @@
from common.data.post_breach_consts import POST_BREACH_ACCOUNT_DISCOVERY
from infection_monkey.post_breach.account_discovery.account_discovery import \
get_commands_to_discover_accounts
from infection_monkey.post_breach.pba import PBA
class AccountDiscovery(PBA):
def __init__(self):
linux_cmds, windows_cmds = get_commands_to_discover_accounts()
super().__init__(POST_BREACH_ACCOUNT_DISCOVERY,
linux_cmd=' '.join(linux_cmds),
windows_cmd=windows_cmds)

View File

@ -10,16 +10,16 @@ from monkey_island.cc.services.attack.technique_reports import (T1003, T1005,
T1059, T1064, T1059, T1064,
T1065, T1075, T1065, T1075,
T1082, T1086, T1082, T1086,
T1090, T1105, T1087, T1090,
T1106, T1107, T1105, T1106,
T1110, T1129, T1107, T1110,
T1136, T1145, T1129, T1136,
T1146, T1154, T1145, T1146,
T1156, T1158, T1154, T1156,
T1166, T1168, T1158, T1166,
T1188, T1197, T1168, T1188,
T1210, T1222, T1197, T1210,
T1504) T1222, T1504)
from monkey_island.cc.services.reporting.report_generation_synchronisation import \ from monkey_island.cc.services.reporting.report_generation_synchronisation import \
safe_generate_attack_report safe_generate_attack_report
@ -59,6 +59,7 @@ TECHNIQUES = {'T1210': T1210.T1210,
'T1166': T1166.T1166, 'T1166': T1166.T1166,
'T1168': T1168.T1168, 'T1168': T1168.T1168,
'T1053': T1053.T1053, 'T1053': T1053.T1053,
'T1087': T1087.T1087,
'T1146': T1146.T1146 'T1146': T1146.T1146
} }

View File

@ -243,6 +243,16 @@ SCHEMA = {
"type": "object", "type": "object",
"link": "https://attack.mitre.org/tactics/TA0007/", "link": "https://attack.mitre.org/tactics/TA0007/",
"properties": { "properties": {
"T1087": {
"title": "Account Discovery",
"type": "bool",
"value": True,
"necessary": False,
"link": "https://attack.mitre.org/techniques/T1087",
"description": "Adversaries may attempt to get a listing of accounts on a system or "
"within an environment. This information can help adversaries determine which "
"accounts exist to aid in follow-on behavior."
},
"T1018": { "T1018": {
"title": "Remote System Discovery", "title": "Remote System Discovery",
"type": "bool", "type": "bool",

View File

@ -0,0 +1,13 @@
from common.data.post_breach_consts import POST_BREACH_ACCOUNT_DISCOVERY
from monkey_island.cc.services.attack.technique_reports.pba_technique import \
PostBreachTechnique
__author__ = "shreyamalviya"
class T1087(PostBreachTechnique):
tech_id = "T1087"
unscanned_msg = "Monkey didn't try to get a listing of user accounts."
scanned_msg = "Monkey tried to get a listing of user accounts but failed to do so."
used_msg = "Monkey got a listing of user accounts successfully."
pba_names = [POST_BREACH_ACCOUNT_DISCOVERY]

View File

@ -71,6 +71,15 @@ POST_BREACH_ACTIONS = {
"info": "Attempts to create a scheduled job on the system and remove it.", "info": "Attempts to create a scheduled job on the system and remove it.",
"attack_techniques": ["T1168", "T1053"] "attack_techniques": ["T1168", "T1053"]
}, },
{
"type": "string",
"enum": [
"AccountDiscovery"
],
"title": "Account Discovery",
"info": "Attempts to get a listing of user accounts on the system.",
"attack_techniques": ["T1087"]
},
{ {
"type": "string", "type": "string",
"enum": [ "enum": [

View File

@ -67,7 +67,8 @@ MONKEY = {
"HiddenFiles", "HiddenFiles",
"TrapCommand", "TrapCommand",
"ChangeSetuidSetgid", "ChangeSetuidSetgid",
"ScheduleJobs" "ScheduleJobs",
"AccountDiscovery"
] ]
}, },
} }

View File

@ -0,0 +1,45 @@
import React from 'react';
import ReactTable from 'react-table';
import {renderMachineFromSystemData, ScanStatus} from './Helpers';
import MitigationsComponent from './MitigationsComponent';
class T1087 extends React.Component {
constructor(props) {
super(props);
}
static getColumns() {
return ([{
columns: [
{ Header: 'Machine',
id: 'machine',
accessor: x => renderMachineFromSystemData(x.machine),
style: {'whiteSpace': 'unset'}},
{ Header: 'Result',
id: 'result',
accessor: x => x.result,
style: {'whiteSpace': 'unset'}}
]
}])
}
render() {
return (
<div>
<div>{this.props.data.message}</div>
<br/>
{this.props.data.status === ScanStatus.USED ?
<ReactTable
columns={T1087.getColumns()}
data={this.props.data.info}
showPagination={false}
defaultPageSize={this.props.data.info.length}
/> : ''}
<MitigationsComponent mitigations={this.props.data.mitigations}/>
</div>
);
}
}
export default T1087;