From 3561573a6b07bd1b292fd5f248167f0f228a7db1 Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Wed, 20 Apr 2022 18:18:23 +0530
Subject: [PATCH] Agent: Check username of Mimikatz gathered creds before adding to the config since we don't want to add users created by the Monkey

---
 .../mimikatz_collector/mimikatz_credential_collector.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py b/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py
index 1b772580d..7ce9b7581 100644
--- a/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py
+++ b/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py
@@ -1,6 +1,7 @@
 import logging
 from typing import Sequence
 
+from infection_monkey.consts import USERNAME_PREFIX
 from infection_monkey.credential_collectors import LMHash, NTHash, Password, Username
 from infection_monkey.i_puppet.credential_collection import Credentials, ICredentialCollector
 
@@ -23,7 +24,11 @@ class MimikatzCredentialCollector(ICredentialCollector):
         for win_cred in win_creds:
             identities = []
             secrets = []
-            if win_cred.username:
+
+            # Mimikatz picks up users created by the Monkey even if they're successfully deleted
+            # since it picks up creds from the registry. The newly created users are not removed
+            # from the registry until a reboot of the system, hence this check.
+            if win_cred.username and not win_cred.username.startswith(USERNAME_PREFIX):
                 identity = Username(win_cred.username)
                 identities.append(identity)
 
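Review bot: The new condition on the `if win_cred.username` line only suppresses the `Username` identity for a Monkey-created account; if the rest of the loop body (outside this hunk) still appends that record's LM/NT hash or password to `secrets` and builds a `Credentials` entry from an empty identity list, the account's secrets still reach the config and get sprayed at other hosts. Skipping the whole record is the safer filter: put `if win_cred.username and win_cred.username.startswith(USERNAME_PREFIX): continue` before the original `if win_cred.username:` so neither identity nor secrets are collected. Windows account names are case-insensitive, so if Mimikatz can report a casing different from the one the Monkey used, compare with `.lower()` on both sides (`win_cred.username.lower().startswith(USERNAME_PREFIX.lower())`) rather than a case-sensitive prefix match. The `for win_cred in win_creds:` loop and its enclosing method continue past the end of this hunk.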