Mimikatz, Azure collectors moved to system info collectors in config, "Behaviour" renamed to "Post breach" in config

This commit is contained in:
VakarisZ 2020-07-22 18:06:49 +03:00
parent 8b2797306b
commit 2c96ace908
11 changed files with 94 additions and 93 deletions


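--- a/common/data/system_info_collectors_names.py
+++ b/common/data/system_info_collectors_names.py
@@ -2,3 +2,5 @@ AWS_COLLECTOR = "AwsCollector"
 HOSTNAME_COLLECTOR = "HostnameCollector"
 ENVIRONMENT_COLLECTOR = "EnvironmentCollector"
 PROCESS_LIST_COLLECTOR = "ProcessListCollector"
+MIMIKATZ_COLLECTOR = "MimikatzCollector"
+AZURE_CRED_COLLECTOR = "AzureCollector"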


@ -267,16 +267,6 @@ class Configuration(object):
# Shares to not check if they're writable. # Shares to not check if they're writable.
sambacry_shares_not_to_check = ["IPC$", "print$"] sambacry_shares_not_to_check = ["IPC$", "print$"]
# system info collection
collect_system_info = True
should_use_mimikatz = True
###########################
# systeminfo config
###########################
extract_azure_creds = True
########################### ###########################
# post breach actions # post breach actions
########################### ###########################


@ -190,7 +190,8 @@ class InfectionMonkey(object):
if self._default_server: if self._default_server:
if self._network.on_island(self._default_server): if self._network.on_island(self._default_server):
machine.set_default_server(get_interface_to_target(machine.ip_addr) + machine.set_default_server(get_interface_to_target(machine.ip_addr) +
(':' + self._default_server_port if self._default_server_port else '')) (
':' + self._default_server_port if self._default_server_port else ''))
else: else:
machine.set_default_server(self._default_server) machine.set_default_server(self._default_server)
LOG.debug("Default server for machine: %r set to %s" % (machine, machine.default_server)) LOG.debug("Default server for machine: %r set to %s" % (machine, machine.default_server))
@ -241,7 +242,6 @@ class InfectionMonkey(object):
LOG.debug("Running with depth: %d" % WormConfiguration.depth) LOG.debug("Running with depth: %d" % WormConfiguration.depth)
def collect_system_info_if_configured(self): def collect_system_info_if_configured(self):
if WormConfiguration.collect_system_info:
LOG.debug("Calling system info collection") LOG.debug("Calling system info collection")
system_info_collector = SystemInfoCollector() system_info_collector = SystemInfoCollector()
system_info = system_info_collector.get_info() system_info = system_info_collector.get_info()
@ -386,7 +386,8 @@ class InfectionMonkey(object):
:raises PlannedShutdownException if couldn't find the server. :raises PlannedShutdownException if couldn't find the server.
""" """
if not ControlClient.find_server(default_tunnel=self._default_tunnel): if not ControlClient.find_server(default_tunnel=self._default_tunnel):
raise PlannedShutdownException("Monkey couldn't find server with {} default tunnel.".format(self._default_tunnel)) raise PlannedShutdownException(
"Monkey couldn't find server with {} default tunnel.".format(self._default_tunnel))
self._default_server = WormConfiguration.current_server self._default_server = WormConfiguration.current_server
LOG.debug("default server set to: %s" % self._default_server) LOG.debug("default server set to: %s" % self._default_server)
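Review bot: With the `if WormConfiguration.collect_system_info:` guard removed, `collect_system_info_if_configured` now always runs the collection, so its name (and the "Calling system info collection" debug line right after it) no longer reflects any configuration check; either rename it to `collect_system_info` and update the caller, or give it a docstring that states where the switch moved, e.g. `"""Collect system info; individual collectors are enabled through WormConfiguration.system_info_collector_classes."""`. Whether an empty `system_info_collector_classes` list still produces a (partial) report, or whether callers expect "no collection at all" as before, is not visible here and is worth confirming, since the old boolean could disable the whole step. The method's body continues outside the hunk.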


@ -4,6 +4,7 @@ from enum import IntEnum
import psutil import psutil
from common.data.system_info_collectors_names import AZURE_CRED_COLLECTOR
from infection_monkey.network.info import get_host_subnets from infection_monkey.network.info import get_host_subnets
from infection_monkey.system_info.azure_cred_collector import AzureCollector from infection_monkey.system_info.azure_cred_collector import AzureCollector
from infection_monkey.system_info.netstat_collector import NetstatCollector from infection_monkey.system_info.netstat_collector import NetstatCollector
@ -91,7 +92,7 @@ class InfoCollector(object):
# noinspection PyBroadException # noinspection PyBroadException
try: try:
from infection_monkey.config import WormConfiguration from infection_monkey.config import WormConfiguration
if not WormConfiguration.extract_azure_creds: if AZURE_CRED_COLLECTOR not in WormConfiguration.system_info_collector_classes:
return return
LOG.debug("Harvesting creds if on an Azure machine") LOG.debug("Harvesting creds if on an Azure machine")
azure_collector = AzureCollector() azure_collector = AzureCollector()
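Review bot: The new `if AZURE_CRED_COLLECTOR not in WormConfiguration.system_info_collector_classes: return` sits inside the broad `try` opened just above the `# noinspection PyBroadException` marker, so if the attribute is absent or not a list the collector is silently skipped by the except clause (outside the hunk) instead of being reported, and a deliberate skip leaves no trace in the log either; evaluating the configuration before the `try` and emitting `LOG.debug("Azure credential collector disabled in config, skipping")` before the `return` would make both cases visible. Note also that the selector string `AZURE_CRED_COLLECTOR = "AzureCollector"` is imported from `common.data` while the class `AzureCollector` comes from `infection_monkey.system_info.azure_cred_collector`; keeping the string equal to `AzureCollector.__name__` (or asserting that once at import time) guards against a silent mismatch if either side is renamed. The enclosing method starts outside the hunk.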


@ -2,6 +2,7 @@ import logging
import os import os
import sys import sys
from common.data.system_info_collectors_names import MIMIKATZ_COLLECTOR
from infection_monkey.system_info.windows_cred_collector.mimikatz_cred_collector import \ from infection_monkey.system_info.windows_cred_collector.mimikatz_cred_collector import \
MimikatzCredentialCollector MimikatzCredentialCollector
@ -44,7 +45,7 @@ class WindowsInfoCollector(InfoCollector):
# TODO: Think about returning self.get_wmi_info() # TODO: Think about returning self.get_wmi_info()
self.get_installed_packages() self.get_installed_packages()
from infection_monkey.config import WormConfiguration from infection_monkey.config import WormConfiguration
if WormConfiguration.should_use_mimikatz: if MIMIKATZ_COLLECTOR in WormConfiguration.system_info_collector_classes:
self.get_mimikatz_info() self.get_mimikatz_info()
return self.info return self.info
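Review bot: The new membership test `if MIMIKATZ_COLLECTOR in WormConfiguration.system_info_collector_classes:` has no else branch, so when the collector is deselected nothing is logged and a missing credential report is indistinguishable from a Mimikatz failure on the island side; adding `else:` with a debug line through this module's logger such as `"Mimikatz collector not enabled in config, skipping credential collection"` would make the skip visible in the agent log. The same `NAME in WormConfiguration.system_info_collector_classes` test now appears here and in the Azure collector; a small helper on the configuration object (e.g. `is_collector_enabled(name)`) would keep the two sites in step if the config shape changes again. `get_info` begins outside the hunk.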


@ -1,7 +1,9 @@
from common.data.system_info_collectors_names import (AWS_COLLECTOR, from common.data.system_info_collectors_names import (AWS_COLLECTOR,
ENVIRONMENT_COLLECTOR, ENVIRONMENT_COLLECTOR,
HOSTNAME_COLLECTOR, HOSTNAME_COLLECTOR,
PROCESS_LIST_COLLECTOR) PROCESS_LIST_COLLECTOR,
MIMIKATZ_COLLECTOR,
AZURE_CRED_COLLECTOR)
SYSTEM_INFO_COLLECTOR_CLASSES = { SYSTEM_INFO_COLLECTOR_CLASSES = {
"title": "System Information Collectors", "title": "System Information Collectors",
@ -15,7 +17,16 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
], ],
"title": "Environment collector", "title": "Environment collector",
"info": "Collects information about machine's environment (on premise/GCP/AWS).", "info": "Collects information about machine's environment (on premise/GCP/AWS).",
"attack_techniques": [] "attack_techniques": ["T1082"]
},
{
"type": "string",
"enum": [
MIMIKATZ_COLLECTOR
],
"title": "Mimikatz collector",
"info": "Collects credentials from Windows credential manager.",
"attack_techniques": ["T1003", "T1005"]
}, },
{ {
"type": "string", "type": "string",
@ -24,7 +35,7 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
], ],
"title": "AWS collector", "title": "AWS collector",
"info": "If on AWS, collects more information about the AWS instance currently running on.", "info": "If on AWS, collects more information about the AWS instance currently running on.",
"attack_techniques": [] "attack_techniques": ["T1082"]
}, },
{ {
"type": "string", "type": "string",
@ -33,7 +44,7 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
], ],
"title": "Hostname collector", "title": "Hostname collector",
"info": "Collects machine's hostname.", "info": "Collects machine's hostname.",
"attack_techniques": [] "attack_techniques": ["T1082", "T1016"]
}, },
{ {
"type": "string", "type": "string",
@ -42,7 +53,16 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
], ],
"title": "Process list collector", "title": "Process list collector",
"info": "Collects a list of running processes on the machine.", "info": "Collects a list of running processes on the machine.",
"attack_techniques": [] "attack_techniques": ["T1082"]
}, },
{
"type": "string",
"enum": [
AZURE_CRED_COLLECTOR
],
"title": "Azure credential collector",
"info": "Collects password credentials from Azure VMs",
"attack_techniques": ["T1003", "T1005"]
}
] ]
} }
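Review bot: The Mimikatz entry's `"info": "Collects credentials from Windows credential manager."` and its `"attack_techniques": ["T1003", "T1005"]` describe different things: T1003 is OS Credential Dumping (e.g. LSASS memory, T1003.001), whereas reading the Windows Credential Manager is T1555.004 under Credentials from Password Stores; whichever the collector actually does (not visible here), the text and the tag should agree, e.g. `"info": "Collects credentials from Windows machines using Mimikatz (LSASS credential dumping)."` if it is the former. T1005 (Data from Local System) is applied to both credential collectors but to none of the other local collectors in this list, so it reads as inconsistent; either drop it or apply it uniformly. Minor: the Azure entry's `"info": "Collects password credentials from Azure VMs"` lacks the trailing period used by every other entry.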


@ -34,6 +34,30 @@ INTERNAL = {
}, },
} }
}, },
"monkey": {
"title": "Monkey",
"type": "object",
"properties": {
"self_delete_in_cleanup": {
"title": "Self delete on cleanup",
"type": "boolean",
"default": True,
"description": "Should the monkey delete its executable when going down"
},
"use_file_logging": {
"title": "Use file logging",
"type": "boolean",
"default": True,
"description": "Should the monkey dump to a log file"
},
"serialize_config": {
"title": "Serialize config",
"type": "boolean",
"default": False,
"description": "Should the monkey dump its config on startup"
}
}
},
"classes": { "classes": {
"title": "Classes", "title": "Classes",
"type": "object", "type": "object",
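Review bot: The description of `"serialize_config"` (`"Should the monkey dump its config on startup"`) does not warn that the dumped configuration is likely to contain credentials (the agent configuration presumably carries the exploitation user/password lists, which are not visible in this hunk), so enabling it writes secrets in clear text wherever the dump lands; suggest `"description": "Should the monkey dump its config on startup (the dump may contain configured credentials)"`. Moving these three options from `monkey.behaviour` into the INTERNAL `monkey` section also changes their path in the stored document; if the island flattens sections before sending the config to the agent this is harmless, otherwise the agent-side readers of `self_delete_in_cleanup`, `use_file_logging` and `serialize_config` need to follow.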


@ -2,7 +2,7 @@ from monkey_island.cc.services.utils.typographic_symbols import WARNING_SIGN
from common.data.system_info_collectors_names import (AWS_COLLECTOR, from common.data.system_info_collectors_names import (AWS_COLLECTOR,
ENVIRONMENT_COLLECTOR, ENVIRONMENT_COLLECTOR,
HOSTNAME_COLLECTOR, HOSTNAME_COLLECTOR,
PROCESS_LIST_COLLECTOR) PROCESS_LIST_COLLECTOR, MIMIKATZ_COLLECTOR, AZURE_CRED_COLLECTOR)
MONKEY = { MONKEY = {
"title": "Monkey", "title": "Monkey",
@ -18,27 +18,10 @@ MONKEY = {
"default": True, "default": True,
"description": "Is the monkey alive" "description": "Is the monkey alive"
}, },
"post_breach_actions": {
"title": "Post breach actions",
"type": "array",
"uniqueItems": True,
"items": {
"$ref": "#/definitions/post_breach_actions"
},
"default": [
"BackdoorUser",
"CommunicateAsNewUser",
"ModifyShellStartupFiles",
"HiddenFiles",
"TrapCommand",
"ChangeSetuidSetgid",
"ScheduleJobs"
]
},
} }
}, },
"behaviour": { "post_breach": {
"title": "Behaviour", "title": "Post breach",
"type": "object", "type": "object",
"properties": { "properties": {
"custom_PBA_linux_cmd": { "custom_PBA_linux_cmd": {
@ -81,52 +64,29 @@ MONKEY = {
"type": "string", "type": "string",
"default": "" "default": ""
}, },
"self_delete_in_cleanup": { "post_breach_actions": {
"title": "Self delete on cleanup", "title": "Post breach actions",
"type": "boolean", "type": "array",
"default": True, "uniqueItems": True,
"description": "Should the monkey delete its executable when going down" "items": {
"$ref": "#/definitions/post_breach_actions"
}, },
"use_file_logging": { "default": [
"title": "Use file logging", "BackdoorUser",
"type": "boolean", "CommunicateAsNewUser",
"default": True, "ModifyShellStartupFiles",
"description": "Should the monkey dump to a log file" "HiddenFiles",
"TrapCommand",
"ChangeSetuidSetgid",
"ScheduleJobs"
]
}, },
"serialize_config": {
"title": "Serialize config",
"type": "boolean",
"default": False,
"description": "Should the monkey dump its config on startup"
}
} }
}, },
"system_info": { "system_info": {
"title": "System info", "title": "System info",
"type": "object", "type": "object",
"properties": { "properties": {
"extract_azure_creds": {
"title": "Harvest Azure Credentials",
"type": "boolean",
"default": True,
"attack_techniques": ["T1003"],
"description":
"Determine if the Monkey should try to harvest password credentials from Azure VMs"
},
"collect_system_info": {
"title": "Collect system info",
"type": "boolean",
"default": True,
"attack_techniques": ["T1082", "T1005", "T1016"],
"description": "Determines whether to collect system info"
},
"should_use_mimikatz": {
"title": "Should use Mimikatz",
"type": "boolean",
"default": True,
"attack_techniques": ["T1003"],
"description": "Determines whether to use Mimikatz"
},
"system_info_collector_classes": { "system_info_collector_classes": {
"title": "System info collectors", "title": "System info collectors",
"type": "array", "type": "array",
@ -138,7 +98,9 @@ MONKEY = {
ENVIRONMENT_COLLECTOR, ENVIRONMENT_COLLECTOR,
AWS_COLLECTOR, AWS_COLLECTOR,
HOSTNAME_COLLECTOR, HOSTNAME_COLLECTOR,
PROCESS_LIST_COLLECTOR PROCESS_LIST_COLLECTOR,
MIMIKATZ_COLLECTOR,
AZURE_CRED_COLLECTOR
] ]
}, },
} }
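Review bot: Renaming the `"behaviour"` section to `"post_breach"` and deleting the `extract_azure_creds`, `collect_system_info` and `should_use_mimikatz` properties changes the stored configuration shape, so configurations saved or exported before this commit, and any island database already holding `monkey.behaviour`, would no longer validate against the schema and the UI's `configuration.monkey.post_breach.PBA_*_filename` lookups would fail on them; consider a one-time migration that moves `monkey.behaviour` to `monkey.post_breach` and maps the removed booleans onto `system_info_collector_classes` (e.g. `should_use_mimikatz: true` → append `MIMIKATZ_COLLECTOR`), or at least a release note telling operators to reset the configuration. Minor style point: the import at the top of this hunk puts `MIMIKATZ_COLLECTOR, AZURE_CRED_COLLECTOR` on one line while the parallel import in the definitions module lists one name per line; aligning the two keeps the files consistent.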


@ -9,8 +9,8 @@ __author__ = "VakarisZ"
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
# Where to find file names in config # Where to find file names in config
PBA_WINDOWS_FILENAME_PATH = ['monkey', 'behaviour', 'PBA_windows_filename'] PBA_WINDOWS_FILENAME_PATH = ['monkey', 'post_breach', 'PBA_windows_filename']
PBA_LINUX_FILENAME_PATH = ['monkey', 'behaviour', 'PBA_linux_filename'] PBA_LINUX_FILENAME_PATH = ['monkey', 'post_breach', 'PBA_linux_filename']
UPLOADS_DIR = Path('monkey_island', 'cc', 'userUploads') UPLOADS_DIR = Path('monkey_island', 'cc', 'userUploads')
@ -41,5 +41,5 @@ def set_config_PBA_files(config_json):
if monkey_island.cc.services.config.ConfigService.get_config(): if monkey_island.cc.services.config.ConfigService.get_config():
linux_filename = monkey_island.cc.services.config.ConfigService.get_config_value(PBA_LINUX_FILENAME_PATH) linux_filename = monkey_island.cc.services.config.ConfigService.get_config_value(PBA_LINUX_FILENAME_PATH)
windows_filename = monkey_island.cc.services.config.ConfigService.get_config_value(PBA_WINDOWS_FILENAME_PATH) windows_filename = monkey_island.cc.services.config.ConfigService.get_config_value(PBA_WINDOWS_FILENAME_PATH)
config_json['monkey']['behaviour']['PBA_linux_filename'] = linux_filename config_json['monkey']['post_breach']['PBA_linux_filename'] = linux_filename
config_json['monkey']['behaviour']['PBA_windows_filename'] = windows_filename config_json['monkey']['post_breach']['PBA_windows_filename'] = windows_filename


@ -24,7 +24,7 @@ export default function UiSchema(props) {
'ui:widget': AdvancedMultiSelect 'ui:widget': AdvancedMultiSelect
} }
}, },
behaviour: { post_breach: {
custom_PBA_linux_cmd: { custom_PBA_linux_cmd: {
'ui:widget': 'textarea', 'ui:widget': 'textarea',
'ui:emptyValue': '' 'ui:emptyValue': ''


@ -334,8 +334,8 @@ class ConfigurePageComponent extends AuthComponent {
{this.renderBasicNetworkWarning()} {this.renderBasicNetworkWarning()}
<Form schema={displayedSchema} <Form schema={displayedSchema}
uiSchema={UiSchema({ uiSchema={UiSchema({
PBA_linux_filename: this.state.configuration.monkey.behaviour.PBA_linux_filename, PBA_linux_filename: this.state.configuration.monkey.post_breach.PBA_linux_filename,
PBA_windows_filename: this.state.configuration.monkey.behaviour.PBA_windows_filename, PBA_windows_filename: this.state.configuration.monkey.post_breach.PBA_windows_filename,
setPbaFilenameWindows: this.setPbaFilenameWindows, setPbaFilenameWindows: this.setPbaFilenameWindows,
setPbaFilenameLinux: this.setPbaFilenameLinux, setPbaFilenameLinux: this.setPbaFilenameLinux,
selectedSection: this.state.selectedSection selectedSection: this.state.selectedSection
@ -351,7 +351,7 @@ class ConfigurePageComponent extends AuthComponent {
setPbaFilenameWindows = (filename) => { setPbaFilenameWindows = (filename) => {
let config = this.state.configuration let config = this.state.configuration
config.monkey.behaviour.PBA_windows_filename = filename config.monkey.post_breach.PBA_windows_filename = filename
this.setState({ this.setState({
configuration: config configuration: config
}) })
@ -359,7 +359,7 @@ class ConfigurePageComponent extends AuthComponent {
setPbaFilenameLinux = (filename) => { setPbaFilenameLinux = (filename) => {
let config = this.state.configuration let config = this.state.configuration
config.monkey.behaviour.PBA_linux_filename = filename config.monkey.post_breach.PBA_linux_filename = filename
this.setState({ this.setState({
configuration: config configuration: config
}) })