forked from p15670423/monkey
Merge pull request #793 from shreyamalviya/T1087
Add T1087 attack technique (account discovery)
This commit is contained in:
commit
f8e1e7604f
|
@ -6,4 +6,5 @@ POST_BREACH_HIDDEN_FILES = "Hide files and directories"
|
||||||
POST_BREACH_TRAP_COMMAND = "Execute command when a particular signal is received"
|
POST_BREACH_TRAP_COMMAND = "Execute command when a particular signal is received"
|
||||||
POST_BREACH_SETUID_SETGID = "Setuid and Setgid"
|
POST_BREACH_SETUID_SETGID = "Setuid and Setgid"
|
||||||
POST_BREACH_JOB_SCHEDULING = "Schedule jobs"
|
POST_BREACH_JOB_SCHEDULING = "Schedule jobs"
|
||||||
|
POST_BREACH_ACCOUNT_DISCOVERY = "Account discovery"
|
||||||
POST_BREACH_CLEAR_CMD_HISTORY = "Clear command history"
|
POST_BREACH_CLEAR_CMD_HISTORY = "Clear command history"
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
from infection_monkey.post_breach.account_discovery.linux_account_discovery import \
|
||||||
|
get_linux_commands_to_discover_accounts
|
||||||
|
from infection_monkey.post_breach.account_discovery.windows_account_discovery import \
|
||||||
|
get_windows_commands_to_discover_accounts
|
||||||
|
|
||||||
|
|
||||||
|
def get_commands_to_discover_accounts():
|
||||||
|
linux_cmds = get_linux_commands_to_discover_accounts()
|
||||||
|
windows_cmds = get_windows_commands_to_discover_accounts()
|
||||||
|
return linux_cmds, windows_cmds
|
|
@ -0,0 +1,7 @@
|
||||||
|
def get_linux_commands_to_discover_accounts():
|
||||||
|
return [
|
||||||
|
"echo \'Discovered the following user accounts:\'; ",
|
||||||
|
"cut -d: -f1,3 /etc/passwd | ",
|
||||||
|
"egrep ':[0-9]{4}$' | ",
|
||||||
|
"cut -d: -f1"
|
||||||
|
]
|
|
@ -0,0 +1,2 @@
|
||||||
|
def get_windows_commands_to_discover_accounts():
|
||||||
|
return "powershell Get-LocalUser"
|
|
@ -0,0 +1,12 @@
|
||||||
|
from common.data.post_breach_consts import POST_BREACH_ACCOUNT_DISCOVERY
|
||||||
|
from infection_monkey.post_breach.account_discovery.account_discovery import \
|
||||||
|
get_commands_to_discover_accounts
|
||||||
|
from infection_monkey.post_breach.pba import PBA
|
||||||
|
|
||||||
|
|
||||||
|
class AccountDiscovery(PBA):
|
||||||
|
def __init__(self):
|
||||||
|
linux_cmds, windows_cmds = get_commands_to_discover_accounts()
|
||||||
|
super().__init__(POST_BREACH_ACCOUNT_DISCOVERY,
|
||||||
|
linux_cmd=' '.join(linux_cmds),
|
||||||
|
windows_cmd=windows_cmds)
|
|
@ -10,16 +10,16 @@ from monkey_island.cc.services.attack.technique_reports import (T1003, T1005,
|
||||||
T1059, T1064,
|
T1059, T1064,
|
||||||
T1065, T1075,
|
T1065, T1075,
|
||||||
T1082, T1086,
|
T1082, T1086,
|
||||||
T1090, T1105,
|
T1087, T1090,
|
||||||
T1106, T1107,
|
T1105, T1106,
|
||||||
T1110, T1129,
|
T1107, T1110,
|
||||||
T1136, T1145,
|
T1129, T1136,
|
||||||
T1146, T1154,
|
T1145, T1146,
|
||||||
T1156, T1158,
|
T1154, T1156,
|
||||||
T1166, T1168,
|
T1158, T1166,
|
||||||
T1188, T1197,
|
T1168, T1188,
|
||||||
T1210, T1222,
|
T1197, T1210,
|
||||||
T1504)
|
T1222, T1504)
|
||||||
from monkey_island.cc.services.reporting.report_generation_synchronisation import \
|
from monkey_island.cc.services.reporting.report_generation_synchronisation import \
|
||||||
safe_generate_attack_report
|
safe_generate_attack_report
|
||||||
|
|
||||||
|
@ -59,6 +59,7 @@ TECHNIQUES = {'T1210': T1210.T1210,
|
||||||
'T1166': T1166.T1166,
|
'T1166': T1166.T1166,
|
||||||
'T1168': T1168.T1168,
|
'T1168': T1168.T1168,
|
||||||
'T1053': T1053.T1053,
|
'T1053': T1053.T1053,
|
||||||
|
'T1087': T1087.T1087,
|
||||||
'T1146': T1146.T1146
|
'T1146': T1146.T1146
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -243,6 +243,16 @@ SCHEMA = {
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"link": "https://attack.mitre.org/tactics/TA0007/",
|
"link": "https://attack.mitre.org/tactics/TA0007/",
|
||||||
"properties": {
|
"properties": {
|
||||||
|
"T1087": {
|
||||||
|
"title": "Account Discovery",
|
||||||
|
"type": "bool",
|
||||||
|
"value": True,
|
||||||
|
"necessary": False,
|
||||||
|
"link": "https://attack.mitre.org/techniques/T1087",
|
||||||
|
"description": "Adversaries may attempt to get a listing of accounts on a system or "
|
||||||
|
"within an environment. This information can help adversaries determine which "
|
||||||
|
"accounts exist to aid in follow-on behavior."
|
||||||
|
},
|
||||||
"T1018": {
|
"T1018": {
|
||||||
"title": "Remote System Discovery",
|
"title": "Remote System Discovery",
|
||||||
"type": "bool",
|
"type": "bool",
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
from common.data.post_breach_consts import POST_BREACH_ACCOUNT_DISCOVERY
|
||||||
|
from monkey_island.cc.services.attack.technique_reports.pba_technique import \
|
||||||
|
PostBreachTechnique
|
||||||
|
|
||||||
|
__author__ = "shreyamalviya"
|
||||||
|
|
||||||
|
|
||||||
|
class T1087(PostBreachTechnique):
|
||||||
|
tech_id = "T1087"
|
||||||
|
unscanned_msg = "Monkey didn't try to get a listing of user accounts."
|
||||||
|
scanned_msg = "Monkey tried to get a listing of user accounts but failed to do so."
|
||||||
|
used_msg = "Monkey got a listing of user accounts successfully."
|
||||||
|
pba_names = [POST_BREACH_ACCOUNT_DISCOVERY]
|
|
@ -71,6 +71,15 @@ POST_BREACH_ACTIONS = {
|
||||||
"info": "Attempts to create a scheduled job on the system and remove it.",
|
"info": "Attempts to create a scheduled job on the system and remove it.",
|
||||||
"attack_techniques": ["T1168", "T1053"]
|
"attack_techniques": ["T1168", "T1053"]
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"type": "string",
|
||||||
|
"enum": [
|
||||||
|
"AccountDiscovery"
|
||||||
|
],
|
||||||
|
"title": "Account Discovery",
|
||||||
|
"info": "Attempts to get a listing of user accounts on the system.",
|
||||||
|
"attack_techniques": ["T1087"]
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"type": "string",
|
"type": "string",
|
||||||
"enum": [
|
"enum": [
|
||||||
|
|
|
@ -67,7 +67,8 @@ MONKEY = {
|
||||||
"HiddenFiles",
|
"HiddenFiles",
|
||||||
"TrapCommand",
|
"TrapCommand",
|
||||||
"ChangeSetuidSetgid",
|
"ChangeSetuidSetgid",
|
||||||
"ScheduleJobs"
|
"ScheduleJobs",
|
||||||
|
"AccountDiscovery"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,45 @@
|
||||||
|
import React from 'react';
|
||||||
|
import ReactTable from 'react-table';
|
||||||
|
import {renderMachineFromSystemData, ScanStatus} from './Helpers';
|
||||||
|
import MitigationsComponent from './MitigationsComponent';
|
||||||
|
|
||||||
|
class T1087 extends React.Component {
|
||||||
|
|
||||||
|
constructor(props) {
|
||||||
|
super(props);
|
||||||
|
}
|
||||||
|
|
||||||
|
static getColumns() {
|
||||||
|
return ([{
|
||||||
|
columns: [
|
||||||
|
{ Header: 'Machine',
|
||||||
|
id: 'machine',
|
||||||
|
accessor: x => renderMachineFromSystemData(x.machine),
|
||||||
|
style: {'whiteSpace': 'unset'}},
|
||||||
|
{ Header: 'Result',
|
||||||
|
id: 'result',
|
||||||
|
accessor: x => x.result,
|
||||||
|
style: {'whiteSpace': 'unset'}}
|
||||||
|
]
|
||||||
|
}])
|
||||||
|
}
|
||||||
|
|
||||||
|
render() {
|
||||||
|
return (
|
||||||
|
<div>
|
||||||
|
<div>{this.props.data.message}</div>
|
||||||
|
<br/>
|
||||||
|
{this.props.data.status === ScanStatus.USED ?
|
||||||
|
<ReactTable
|
||||||
|
columns={T1087.getColumns()}
|
||||||
|
data={this.props.data.info}
|
||||||
|
showPagination={false}
|
||||||
|
defaultPageSize={this.props.data.info.length}
|
||||||
|
/> : ''}
|
||||||
|
<MitigationsComponent mitigations={this.props.data.mitigations}/>
|
||||||
|
</div>
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
export default T1087;
|
Loading…
Reference in New Issue