Merge pull request #687 from shreyamalviya/T1156

Add T1156 and T1504 attack techniques (shell startup file modifications)
2020-06-24 14:13:09 +05:30 · 2020-06-24 14:13:09 +05:30 · 08727305d8
parent 6ead5d43cf 53e6f893c6
commit 08727305d8
15 changed files with 329 additions and 10 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -65,7 +65,7 @@ script:
 - cd monkey_island/cc/ui
 - npm ci  # See https://docs.npmjs.com/cli/ci.html
 - eslint ./src --quiet  # Test for errors
- JS_WARNINGS_AMOUNT_UPPER_LIMIT=490
+- JS_WARNINGS_AMOUNT_UPPER_LIMIT=90
 - eslint ./src --max-warnings $JS_WARNINGS_AMOUNT_UPPER_LIMIT  # Test for max warnings

 after_success:
--- a/monkey/common/data/post_breach_consts.py
+++ b/monkey/common/data/post_breach_consts.py
@ -1,3 +1,4 @@
 POST_BREACH_COMMUNICATE_AS_NEW_USER = "Communicate as new user"
 POST_BREACH_BACKDOOR_USER = "Backdoor user"
 POST_BREACH_FILE_EXECUTION = "File execution"
+POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION = "Modify shell startup file"
--- a/monkey/infection_monkey/post_breach/actions/modify_shell_startup_files.py
+++ b/monkey/infection_monkey/post_breach/actions/modify_shell_startup_files.py
@ -0,0 +1,44 @@
+from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
+from infection_monkey.post_breach.pba import PBA
+from infection_monkey.post_breach.shell_startup_files.shell_startup_files_modification import\
+    get_commands_to_modify_shell_startup_files
+
+
+class ModifyShellStartupFiles(PBA):
+    """
+    This PBA attempts to modify shell startup files,
+    like ~/.profile, ~/.bashrc, ~/.bash_profile in linux,
+    and profile.ps1 in windows.
+    """
+
+    def run(self):
+        [pba.run() for pba in self.modify_shell_startup_PBA_list()]
+
+    def modify_shell_startup_PBA_list(self):
+        return ShellStartupPBAGenerator.get_modify_shell_startup_pbas()
+
+
+class ShellStartupPBAGenerator():
+    def get_modify_shell_startup_pbas():
+        (cmds_for_linux, shell_startup_files_for_linux, usernames_for_linux),\
+        (cmds_for_windows, shell_startup_files_per_user_for_windows) = get_commands_to_modify_shell_startup_files()
+
+        pbas = []
+
+        for startup_file_per_user in shell_startup_files_per_user_for_windows:
+            windows_cmds = ' '.join(cmds_for_windows).format(startup_file_per_user)
+            pbas.append(ModifyShellStartupFile(linux_cmds='', windows_cmds=['powershell.exe', windows_cmds]))
+
+        for username in usernames_for_linux:
+            for shell_startup_file in shell_startup_files_for_linux:
+                linux_cmds = ' '.join(cmds_for_linux).format(shell_startup_file).format(username)
+                pbas.append(ModifyShellStartupFile(linux_cmds=linux_cmds, windows_cmds=''))
+
+        return pbas
+
+
+class ModifyShellStartupFile(PBA):
+    def __init__(self, linux_cmds, windows_cmds):
+        super(ModifyShellStartupFile, self).__init__(name=POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
+                                                     linux_cmd=linux_cmds,
+                                                     windows_cmd=windows_cmds)
--- a/monkey/infection_monkey/post_breach/pba.py
+++ b/monkey/infection_monkey/post_breach/pba.py
@ -57,6 +57,7 @@ class PBA(Plugin):
        """
        Runs post breach action command
        """
+        if self.command:
            exec_funct = self._execute_default
            result = exec_funct()
            if self.scripts_were_used_successfully(result):
--- a/monkey/infection_monkey/post_breach/shell_startup_files/linux/shell_startup_files_modification.py
+++ b/monkey/infection_monkey/post_breach/shell_startup_files/linux/shell_startup_files_modification.py
@ -0,0 +1,39 @@
+import subprocess
+from infection_monkey.utils.environment import is_windows_os
+
+
+def get_linux_commands_to_modify_shell_startup_files():
+    if is_windows_os():
+        return '', [], []
+
+    HOME_DIR = "/home/"
+
+    # get list of usernames
+    USERS = subprocess.check_output(
+            "cut -d: -f1,3 /etc/passwd | egrep ':[0-9]{4}$' | cut -d: -f1",
+            shell=True
+        ).decode().split('\n')[:-1]
+
+    # get list of paths of different shell startup files with place for username
+    STARTUP_FILES = [
+        file_path.format(HOME_DIR) for file_path in
+        [
+            "{0}{{0}}/.profile",                    # bash, dash, ksh, sh
+            "{0}{{0}}/.bashrc",                     # bash
+            "{0}{{0}}/.bash_profile",
+            "{0}{{0}}/.config/fish/config.fish",    # fish
+            "{0}{{0}}/.zshrc",                      # zsh
+            "{0}{{0}}/.zshenv",
+            "{0}{{0}}/.zprofile",
+            "{0}{{0}}/.kshrc",                      # ksh
+            "{0}{{0}}/.tcshrc",                     # tcsh
+            "{0}{{0}}/.cshrc",                      # csh
+        ]
+    ]
+
+    return [
+        '3<{0} 3<&- &&',  # check for existence of file
+        'echo \"# Succesfully modified {0}\" |',
+        'tee -a {0} &&',  # append to file
+        'sed -i \'$d\' {0}',  # remove last line of file (undo changes)
+    ], STARTUP_FILES, USERS
--- a/monkey/infection_monkey/post_breach/shell_startup_files/shell_startup_files_modification.py
+++ b/monkey/infection_monkey/post_breach/shell_startup_files/shell_startup_files_modification.py
@ -0,0 +1,10 @@
+from infection_monkey.post_breach.shell_startup_files.linux.shell_startup_files_modification import\
+    get_linux_commands_to_modify_shell_startup_files
+from infection_monkey.post_breach.shell_startup_files.windows.shell_startup_files_modification import\
+    get_windows_commands_to_modify_shell_startup_files
+
+
+def get_commands_to_modify_shell_startup_files():
+    linux_cmds = get_linux_commands_to_modify_shell_startup_files()
+    windows_cmds = get_windows_commands_to_modify_shell_startup_files()
+    return linux_cmds, windows_cmds
--- a/monkey/infection_monkey/post_breach/shell_startup_files/windows/shell_startup_files_modification.py
+++ b/monkey/infection_monkey/post_breach/shell_startup_files/windows/shell_startup_files_modification.py
@ -0,0 +1,27 @@
+import subprocess
+from infection_monkey.utils.environment import is_windows_os
+
+
+def get_windows_commands_to_modify_shell_startup_files():
+    if not is_windows_os():
+        return '', []
+
+    # get powershell startup file path
+    SHELL_STARTUP_FILE = subprocess.check_output('powershell $Profile').decode().split("\r\n")[0]
+    SHELL_STARTUP_FILE_PATH_COMPONENTS = SHELL_STARTUP_FILE.split("\\")
+
+    # get list of usernames
+    USERS = subprocess.check_output('dir C:\\Users /b', shell=True).decode().split("\r\n")[:-1]
+
+    STARTUP_FILES_PER_USER = ['\\'.join(SHELL_STARTUP_FILE_PATH_COMPONENTS[:2] +
+                                        [user] +
+                                        SHELL_STARTUP_FILE_PATH_COMPONENTS[3:])
+                              for user in USERS]
+
+    return [
+        'Add-Content {0}',
+        '\"# Successfully modified {0}\" ;',  # add line to $profile
+        'cat {0} | Select -last 1 ;',  # print last line of $profile
+        '$OldProfile = cat {0} | Select -skiplast 1 ;',
+        'Set-Content {0} -Value $OldProfile ;'  # remove last line of $profile
+    ], STARTUP_FILES_PER_USER
--- a/monkey/monkey_island/cc/services/attack/attack_report.py
+++ b/monkey/monkey_island/cc/services/attack/attack_report.py
@ -4,7 +4,7 @@ from monkey_island.cc.models import Monkey
 from monkey_island.cc.services.attack.technique_reports import T1210, T1197, T1110, T1075, T1003, T1059, T1086, T1082
 from monkey_island.cc.services.attack.technique_reports import T1145, T1105, T1065, T1035, T1129, T1106, T1107, T1188
 from monkey_island.cc.services.attack.technique_reports import T1090, T1041, T1222, T1005, T1018, T1016, T1021, T1064
-from monkey_island.cc.services.attack.technique_reports import T1136
+from monkey_island.cc.services.attack.technique_reports import T1136, T1156, T1504
 from monkey_island.cc.services.attack.attack_config import AttackConfig
 from monkey_island.cc.database import mongo
 from monkey_island.cc.services.reporting.report_generation_synchronisation import safe_generate_attack_report
@ -37,7 +37,9 @@ TECHNIQUES = {'T1210': T1210.T1210,
              'T1016': T1016.T1016,
              'T1021': T1021.T1021,
              'T1064': T1064.T1064,
-              'T1136': T1136.T1136
+              'T1136': T1136.T1136,
+              'T1156': T1156.T1156,
+              'T1504': T1504.T1504
              }

 REPORT_NAME = 'new_report'
--- a/monkey/monkey_island/cc/services/attack/attack_schema.py
+++ b/monkey/monkey_island/cc/services/attack/attack_schema.py
@ -71,6 +71,16 @@ SCHEMA = {
            "type": "object",
            "link": "https://attack.mitre.org/tactics/TA0003/",
            "properties": {
+                "T1156": {
+                    "title": ".bash_profile and .bashrc",
+                    "type": "bool",
+                    "value": True,
+                    "necessary": False,
+                    "link": "https://attack.mitre.org/techniques/T1156",
+                    "description": "Adversaries may abuse shell scripts by "
+                                   "inserting arbitrary shell commands to gain persistence, which "
+                                   "would be executed every time the user logs in or opens a new shell."
+                },
                "T1136": {
                    "title": "Create account",
                    "type": "bool",
@ -79,6 +89,16 @@ SCHEMA = {
                    "link": "https://attack.mitre.org/techniques/T1136",
                    "description": "Adversaries with a sufficient level of access "
                                   "may create a local system, domain, or cloud tenant account."
+                },
+                "T1504": {
+                    "title": "PowerShell profile",
+                    "type": "bool",
+                    "value": True,
+                    "necessary": False,
+                    "link": "https://attack.mitre.org/techniques/T1504",
+                    "description": "Adversaries may gain persistence and elevate privileges "
+                                   "in certain situations by abusing PowerShell profiles which "
+                                   "are scripts that run when PowerShell starts."
                }
            }
        },
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1156.py
@ -0,0 +1,38 @@
+from monkey_island.cc.services.attack.technique_reports import AttackTechnique
+from monkey_island.cc.database import mongo
+from common.utils.attack_utils import ScanStatus
+from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
+
+
+__author__ = "shreyamalviya"
+
+
+class T1156(AttackTechnique):
+    tech_id = "T1156"
+    unscanned_msg = "Monkey did not try modifying bash startup files on the system."
+    scanned_msg = "Monkey tried modifying bash startup files on the system but failed."
+    used_msg = "Monkey modified bash startup files on the system."
+
+    query = [{'$match': {'telem_category': 'post_breach',
+                         'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
+                         'data.command': {'$regex': 'bash'}}},
+             {'$project': {'_id': 0,
+                           'machine': {'hostname': '$data.hostname',
+                                       'ips': ['$data.ip']},
+                           'result': '$data.result'}}]
+
+    @staticmethod
+    def get_report_data():
+        data = {'title': T1156.technique_title(), 'info': []}
+
+        bash_modification_info = list(mongo.db.telemetry.aggregate(T1156.query))
+
+        status = []
+        for pba_node in bash_modification_info:
+            status.append(pba_node['result'][1])
+        status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
+            if status else ScanStatus.UNSCANNED.value
+
+        data.update(T1156.get_base_data_by_status(status))
+        data.update({'info': bash_modification_info})
+        return data
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1504.py
@ -0,0 +1,38 @@
+from monkey_island.cc.services.attack.technique_reports import AttackTechnique
+from monkey_island.cc.database import mongo
+from common.utils.attack_utils import ScanStatus
+from common.data.post_breach_consts import POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION
+
+
+__author__ = "shreyamalviya"
+
+
+class T1504(AttackTechnique):
+    tech_id = "T1504"
+    unscanned_msg = "Monkey did not try modifying powershell startup files on the system."
+    scanned_msg = "Monkey tried modifying powershell startup files on the system but failed."
+    used_msg = "Monkey modified powershell startup files on the system."
+
+    query = [{'$match': {'telem_category': 'post_breach',
+                         'data.name': POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION,
+                         'data.command': {'$regex': 'powershell'}}},
+             {'$project': {'_id': 0,
+                           'machine': {'hostname': '$data.hostname',
+                                       'ips': ['$data.ip']},
+                           'result': '$data.result'}}]
+
+    @staticmethod
+    def get_report_data():
+        data = {'title': T1504.technique_title(), 'info': []}
+
+        powershell_profile_modification_info = list(mongo.db.telemetry.aggregate(T1504.query))
+
+        status = []
+        for pba_node in powershell_profile_modification_info:
+            status.append(pba_node['result'][1])
+        status = (ScanStatus.USED.value if any(status) else ScanStatus.SCANNED.value)\
+            if status else ScanStatus.UNSCANNED.value
+
+        data.update(T1504.get_base_data_by_status(status))
+        data.update({'info': powershell_profile_modification_info})
+        return data
--- a/monkey/monkey_island/cc/services/config_schema.py
+++ b/monkey/monkey_island/cc/services/config_schema.py
@ -160,6 +160,14 @@ SCHEMA = {
                    "title": "Communicate as new user",
                    "attack_techniques": ["T1136"]
                },
+                {
+                    "type": "string",
+                    "enum": [
+                        "ModifyShellStartupFiles"
+                    ],
+                    "title": "Modify shell startup files",
+                    "attack_techniques": ["T1156", "T1504"]
+                }
            ],
        },
        "finger_classes": {
@ -379,7 +387,8 @@ SCHEMA = {
                            },
                            "default": [
                                "BackdoorUser",
-                                "CommunicateAsNewUser"
+                                "CommunicateAsNewUser",
+                                "ModifyShellStartupFiles"
                            ],
                            "description": "List of actions the Monkey will run post breach"
                        },
--- a/monkey/monkey_island/cc/ui/.eslintrc
+++ b/monkey/monkey_island/cc/ui/.eslintrc
@ -53,7 +53,7 @@
    "react/jsx-uses-react": 1,
    "react/jsx-uses-vars": 1,
    "react/jsx-key": 1,
-    "react/prop-types": 1,
+    "react/prop-types": 0,
    "react/no-unescaped-entities": 1,
    "react/no-unknown-property": [1, { "ignore": ["class"] }],
    "react/no-string-refs": 1,
--- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1156.js
+++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1156.js
@ -0,0 +1,45 @@
+import React from 'react';
+import ReactTable from 'react-table';
+import {renderMachineFromSystemData, ScanStatus} from './Helpers';
+import MitigationsComponent from './MitigationsComponent';
+
+class T1156 extends React.Component {
+
+  constructor(props) {
+    super(props);
+  }
+
+  static getColumns() {
+      return ([{
+        columns: [
+            { Header: 'Machine',
+              id: 'machine',
+              accessor: x => renderMachineFromSystemData(x.machine),
+              style: {'whiteSpace': 'unset'}},
+            { Header: 'Result',
+              id: 'result',
+              accessor: x => x.result,
+              style: {'whiteSpace': 'unset'}}
+          ]
+      }])
+  }
+
+  render() {
+    return (
+      <div>
+        <div>{this.props.data.message}</div>
+        <br/>
+        {this.props.data.status === ScanStatus.USED ?
+          <ReactTable
+            columns={T1156.getColumns()}
+            data={this.props.data.info}
+            showPagination={false}
+            defaultPageSize={this.props.data.info.length}
+            /> : ''}
+            <MitigationsComponent mitigations={this.props.data.mitigations}/>
+        </div>
+      );
+    }
+  }
+
+  export default T1156;
--- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1504.js
+++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1504.js
@ -0,0 +1,45 @@
+import React from 'react';
+import ReactTable from 'react-table';
+import {renderMachineFromSystemData, ScanStatus} from './Helpers';
+import MitigationsComponent from './MitigationsComponent';
+
+class T1504 extends React.Component {
+
+  constructor(props) {
+    super(props);
+  }
+
+  static getColumns() {
+      return ([{
+        columns: [
+            { Header: 'Machine',
+              id: 'machine',
+              accessor: x => renderMachineFromSystemData(x.machine),
+              style: {'whiteSpace': 'unset'}},
+            { Header: 'Result',
+              id: 'result',
+              accessor: x => x.result,
+              style: {'whiteSpace': 'unset'}}
+          ]
+      }])
+  }
+
+  render() {
+    return (
+      <div>
+        <div>{this.props.data.message}</div>
+        <br/>
+        {this.props.data.status === ScanStatus.USED ?
+          <ReactTable
+            columns={T1504.getColumns()}
+            data={this.props.data.info}
+            showPagination={false}
+            defaultPageSize={this.props.data.info.length}
+            /> : ''}
+            <MitigationsComponent mitigations={this.props.data.mitigations}/>
+        </div>
+      );
+    }
+  }
+
+  export default T1504;