From 45c5546f1796d870c2a528a3c98439cab65d10c9 Mon Sep 17 00:00:00 2001
From: Shreya
Date: Wed, 3 Jun 2020 02:36:17 +0530
Subject: [PATCH] Add "Hidden files" PBA feature
TODO: winAPI
---
 monkey/common/data/post_breach_consts.py | 1 +
 .../post_breach/actions/hide_files.py | 31 +++++++++++++++
 monkey/infection_monkey/utils/hidden_files.py | 32 ++++++++++++++++
 .../utils/linux/hidden_files.py | 32 ++++++++++++++++
 .../utils/windows/hidden_files.py | 38 +++++++++++++++++++
 5 files changed, 134 insertions(+)
 create mode 100644 monkey/infection_monkey/post_breach/actions/hide_files.py
 create mode 100644 monkey/infection_monkey/utils/hidden_files.py
 create mode 100644 monkey/infection_monkey/utils/linux/hidden_files.py
 create mode 100644 monkey/infection_monkey/utils/windows/hidden_files.py
diff --git a/monkey/common/data/post_breach_consts.py b/monkey/common/data/post_breach_consts.py
index 1e36f9e20..27167228e 100644
--- a/monkey/common/data/post_breach_consts.py
+++ b/monkey/common/data/post_breach_consts.py
@@ -2,3 +2,4 @@ POST_BREACH_COMMUNICATE_AS_NEW_USER = "Communicate as new user"
 POST_BREACH_BACKDOOR_USER = "Backdoor user"
 POST_BREACH_FILE_EXECUTION = "File execution"
 POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION = "Modify shell startup file"
+POST_BREACH_HIDDEN_FILES = "Hide files and directories"
diff --git a/monkey/infection_monkey/post_breach/actions/hide_files.py b/monkey/infection_monkey/post_breach/actions/hide_files.py
new file mode 100644
index 000000000..0a325b574
--- /dev/null
+++ b/monkey/infection_monkey/post_breach/actions/hide_files.py
@@ -0,0 +1,31 @@
+import time
+from common.data.post_breach_consts import POST_BREACH_HIDDEN_FILES
+from infection_monkey.post_breach.pba import PBA
+from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
+from infection_monkey.utils.hidden_files import\
+ [get_commands_to_hide_files,
+ get_commands_to_hide_folders] as CREATE_HIDDEN,\
+ cleanup_hidden_files,\
+ # get_winAPI_commands
+from infection_monkey.utils.environment import is_windows_os
+
+
+class HiddenFiles(PBA):
+ """
+ This PBA attempts to create hidden files and folders.
+ """
+
+ def __init__(self):
+ pass
+
+ def run(self):
+ for method_to_create in CREATE_HIDDEN:
+ linux_cmds, windows_cmds = method_to_create()
+ super(HiddenFiles, self).__init__(name=POST_BREACH_HIDDEN_FILES,
+ linux_cmd=' '.join(linux_cmds),
+ window_cmd=windows_cmds)
+ # if is_windows_os():
+ # get_winAPI_commands()
+ # PostBreachTelem(???)
+ time.sleep(10) # detection time for AV software
+ cleanup_hidden_files(is_windows_os())
diff --git a/monkey/infection_monkey/utils/hidden_files.py b/monkey/infection_monkey/utils/hidden_files.py
new file mode 100644
index 000000000..cad96d188
--- /dev/null
+++ b/monkey/infection_monkey/utils/hidden_files.py
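Review bot: The `from infection_monkey.utils.hidden_files import` statement is not valid Python: a bracketed list cannot be imported or aliased `as CREATE_HIDDEN`, and the backslash-continued line that ends in the `# get_winAPI_commands` comment leaves a dangling trailing comma, so the module raises SyntaxError before the PBA can load (utils/hidden_files.py has the same continued-import-with-a-comment problem in its windows import block). Import the names plainly and build the tuple afterwards: `from infection_monkey.utils.hidden_files import get_commands_to_hide_files, get_commands_to_hide_folders, cleanup_hidden_files` then `CREATE_HIDDEN = (get_commands_to_hide_files, get_commands_to_hide_folders)`. In `run()`, `super(HiddenFiles, self).__init__` is called once per loop iteration, so the second iteration overwrites the first one's commands and nothing in this hunk ever executes them — presumably the base class's own `run` does that, so the initialization belongs in `__init__` (currently `pass`) and `run` should delegate to `super().run()` (PBA is not visible here, so confirm its hooks). `linux_cmd` receives a space-joined string while `window_cmd` receives the raw list, and `PostBreachTelem` is imported but unused.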
@@ -0,0 +1,32 @@
+from infection_monkey.utils.linux.hidden_files import\
+ get_linux_commands_to_hide_files,\
+ get_linux_commands_to_hide_folders,\
+ get_linux_commands_to_delete
+from infection_monkey.utils.windows.hidden_files import\
+ get_windows_commands_to_hide_files,\
+ get_windows_commands_to_hide_folders,\
+ # get_winAPI_commands_to_hide_files,\
+ get_windows_commands_to_delete
+from infection_monkey.utils.environment import is_windows_os
+
+
+def get_commands_to_hide_files():
+ linux_cmds = get_linux_commands_to_hide_files()
+ windows_cmds = get_windows_commands_to_hide_files()
+ return linux_cmds, windows_cmds
+
+
+def get_commands_to_hide_folders():
+ linux_cmds = get_linux_commands_to_hide_folders()
+ windows_cmds = get_windows_commands_to_hide_folders()
+ return linux_cmds, windows_cmds
+
+
+# def get_winAPI_commands():
+# winAPI_command = get_winAPI_commands_to_hide_files()
+# return winAPI_command
+
+
+def cleanup_hidden_files(is_windows=is_windows_os()):
+ get_windows_commands_to_delete() if is_windows \
+ else get_linux_commands_to_delete()
diff --git a/monkey/infection_monkey/utils/linux/hidden_files.py b/monkey/infection_monkey/utils/linux/hidden_files.py
new file mode 100644
index 000000000..41d555c84
--- /dev/null
+++ b/monkey/infection_monkey/utils/linux/hidden_files.py
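Review bot: `cleanup_hidden_files` never deletes anything: the conditional expression in its body only builds the delete command list from `get_windows_commands_to_delete()` or `get_linux_commands_to_delete()` and discards it, so the hidden file and folder the PBA created stay on the host after the action finishes. Return the list, `return get_windows_commands_to_delete() if is_windows else get_linux_commands_to_delete()`, and have the caller execute it the same way the other command lists are run, or rename the function to `get_commands_to_delete` so its name stops promising a side effect. The default `is_windows=is_windows_os()` is evaluated once at import time; it works because the OS does not change, but `is_windows=None` with the call resolved in the body is the conventional idiom. The two forwarding functions and the cleanup have no docstrings — a one-liner such as `"""Return (linux_cmds, windows_cmds) fragment lists for creating the hidden file."""` on each would document the tuple contract that hide_files.py unpacks.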
@@ -0,0 +1,32 @@
+HIDDEN_FILE = '/var/tmp/.monkey-hidden-file'
+HIDDEN_FOLDER = '/var/tmp/.monkey-hidden-folder'
+
+
+def get_linux_commands_to_hide_files():
+ return [
+ 'touch', # create file
+ HIDDEN_FILE,
+ '; echo \"Successfully created hidden file\" >', # write to
+ HIDDEN_FILE
+ ]
+
+
+def get_linux_commands_to_hide_folders():
+ return [
+ 'mkdir', # make directory
+ HIDDEN_FOLDER,
+ '; touch', # create file
+ '{}/{}'.format(HIDDEN_FOLDER, 'some-file'), # random file in hidden folder
+ '; echo \"Successfully created hidden folder\" >', # write to
+ '{}/{}'.format(HIDDEN_FOLDER, 'some-file') # random file in hidden folder
+ ]
+
+
+def get_linux_commands_to_delete():
+ return [
+ 'rm', # remove
+ '-r', # delete recursively
+ '-f', # force delete
+ HIDDEN_FILE,
+ HIDDEN_FOLDER
+ ]
diff --git a/monkey/infection_monkey/utils/windows/hidden_files.py b/monkey/infection_monkey/utils/windows/hidden_files.py
new file mode 100644
index 000000000..bff198fef
--- /dev/null
+++ b/monkey/infection_monkey/utils/windows/hidden_files.py
@@ -0,0 +1,38 @@
+HIDDEN_FILE = 'C:\\monkey-hidden-file'
+HIDDEN_FOLDER = 'C:\\monkey-hidden-folder'
+
+
+def get_windows_commands_to_hide_files():
+ return [
+ 'echo Successfully created hidden file >', # create text file
+ HIDDEN_FILE,
+ '&& attrib', # change file attributes
+ '+h', # make hidden
+ HIDDEN_FILE
+ ]
+
+
+def get_windows_commands_to_hide_folders():
+ return [
+ 'mkdir', # make directory
+ HIDDEN_FOLDER,
+ '&& attrib', # change file attributes
+ '+h', # make hidden
+ HIDDEN_FOLDER,
+ '&& echo Successfully created hidden folder >'
+ '{}\{}'.format(HIDDEN_FOLDER, 'some-file')
+ ]
+
+
+# def get_winAPI_commands_to_hide_files():
+# pass
+
+
+def get_windows_commands_to_delete():
+ return [
+ 'del', # delete file
+ '/f', # force delete
+ HIDDEN_FILE,
+ '&& rmdir', # delete folder
+ HIDDEN_FOLDER
+ ]
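Review bot: The `\"` escapes inside the single-quoted literals in `get_linux_commands_to_hide_files` and `get_linux_commands_to_hide_folders` are redundant — `'; echo "Successfully created hidden file" >'` yields the identical string — and the `# random file in hidden folder` comments are misleading because the name is the fixed `some-file`. Since these fragments are space-joined into a single shell line by hide_files.py, a module docstring stating that contract would help, e.g. `"""Command-line fragments for the hidden-files PBA; each list is joined with spaces into one shell command."""`. Pulling `'some-file'` into a module constant would also avoid building the same path twice.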
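Review bot: In `get_windows_commands_to_hide_folders` the last two list items are missing a comma, so the adjacent literals `'&& echo Successfully created hidden folder >'` and `'{}\{}'` are concatenated at compile time before `.format` is applied; the result happens to be a usable element, but only by accident, and `'\{'` is an invalid escape sequence that newer interpreters warn about — write `'&& echo Successfully created hidden folder >',` followed by `'{}\\{}'.format(HIDDEN_FOLDER, 'some-file')`. In `get_windows_commands_to_delete`, `rmdir` without `/s` refuses a non-empty directory and the folder created above contains `some-file`, so the cleanup leaves the directory behind; `del` without an `/a` attribute filter may likewise skip the now-hidden file — confirm on a Windows host. Both leave simulation artifacts on the target, which is exactly what the cleanup step is meant to prevent.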