UI: Add custom PBAs and PBAs to the json schema

Remove data-url from the custom-pbas
Fix small things the the credential collectors
This commit is contained in:
Ilija Lazoroski 2022-07-01 14:36:58 +02:00
parent 67aa7d95a3
commit 5a367181f9
4 changed files with 131 additions and 43 deletions

View File

@ -3,6 +3,7 @@ import {pluginConfigurationSchema} from './definitions/plugins.js';
import {propagationConfigurationSchema} from './definitions/propagation.js'; import {propagationConfigurationSchema} from './definitions/propagation.js';
import {bruteForceExploiters, vulnerabilityExploiters} from './definitions/exploiter_classes.js'; import {bruteForceExploiters, vulnerabilityExploiters} from './definitions/exploiter_classes.js';
import {credentialCollectors} from './definitions/credential_collectors.js'; import {credentialCollectors} from './definitions/credential_collectors.js';
import {postBreachActions} from './definitions/post_breach_actions.js';
export const SCHEMA = { export const SCHEMA = {
'title': 'Monkey', 'title': 'Monkey',
@ -10,26 +11,20 @@ export const SCHEMA = {
'definitions': { 'definitions': {
'brute_force_classes': bruteForceExploiters, 'brute_force_classes': bruteForceExploiters,
'vulnerability_classes': vulnerabilityExploiters, 'vulnerability_classes': vulnerabilityExploiters,
'credential_collectors_classes': credentialCollectors 'credential_collectors_classes': credentialCollectors,
'post_breach_actions': postBreachActions
}, },
'properties': { 'properties': {
'propagation': propagationConfigurationSchema, 'propagation': propagationConfigurationSchema,
'post_breach_actions': { 'post_breach_actions': {
'title': 'Post-breach actions', 'title': 'Post-breach actions',
'type': 'object', 'type': 'array',
'properties': { 'uniqueItems': true,
'pba_list': { 'items': {
'title': 'PBAs', '$ref': '#/definitions/post_breach_actions'
'type': 'array',
'items': pluginConfigurationSchema,
'default': [
{'name': 'CommunicateAsBackdoorUser','safe': true, 'options': {}},
{'name': 'ModifyShellStartupFiles', 'safe': true, 'options': {}}
]
},
'custom_pbas': customPBAConfigurationSchema
} }
}, },
'custom_pbas': customPBAConfigurationSchema,
'payloads': { 'payloads': {
'title': 'Payloads', 'title': 'Payloads',
'type': 'array', 'type': 'array',
@ -40,20 +35,15 @@ export const SCHEMA = {
}, },
'credential_collectors': { 'credential_collectors': {
'title': 'Credential collectors', 'title': 'Credential collectors',
'properties': { 'type': 'array',
'collectors': { 'uniqueItems': true,
'title': 'Credential collectors', 'items': {
'type': 'array', '$ref': '#/definitions/credential_collectors_classes'
'uniqueItems': true, },
'items': { 'default': [
'$ref': '#/definitions/credential_collectors_classes' 'MimikatzCollector',
}, 'SSHCollector'
'default': [ ]
'MimikatzCollector',
'SSHCollector'
]
}
}
}, },
'advanced': { 'advanced': {
'title': 'Advanced', 'title': 'Advanced',

View File

@ -1,6 +1,5 @@
export const customPBAConfigurationSchema = { export const customPBAConfigurationSchema = {
'title': 'Custom post-breach action', 'title': 'Custom PBA',
'type': 'object',
'properties': { 'properties': {
'linux_command': { 'linux_command': {
'title': 'Linux post-breach command', 'title': 'Linux post-breach command',
@ -14,7 +13,6 @@ export const customPBAConfigurationSchema = {
'linux_filename': { 'linux_filename': {
'title': 'Linux post-breach file', 'title': 'Linux post-breach file',
'type': 'string', 'type': 'string',
'format': 'data-url',
'description': 'File to be uploaded after braeaching. ' + 'description': 'File to be uploaded after braeaching. ' +
'Use the "Linux post-breach command" field to ' + 'Use the "Linux post-breach command" field to ' +
'change permissions, run, or delete the file. ' + 'change permissions, run, or delete the file. ' +
@ -32,7 +30,6 @@ export const customPBAConfigurationSchema = {
'windows_filename':{ 'windows_filename':{
'title': 'Windows post-breach file', 'title': 'Windows post-breach file',
'type': 'string', 'type': 'string',
'format': 'data-url',
'description': 'File to be uploaded after breaching. ' + 'description': 'File to be uploaded after breaching. ' +
'Use the "Windows post-breach command" filed to ' + 'Use the "Windows post-breach command" filed to ' +
'change permissions, run or delete the file. ' + 'change permissions, run or delete the file. ' +

View File

@ -11,13 +11,7 @@ export const exploitationConfigurationSchema = {
'uniqueItems': true, 'uniqueItems': true,
'items': { 'items': {
'$ref': '#/definitions/brute_force_classes' '$ref': '#/definitions/brute_force_classes'
}, }
'default': [
'SmbExploiter',
'WmiExploiter',
'SSHExploiter',
'MSSQLExploiter'
]
}, },
'vulnerability': { 'vulnerability': {
'title': 'Vulnerability Exploiters', 'title': 'Vulnerability Exploiters',
@ -25,11 +19,7 @@ export const exploitationConfigurationSchema = {
'uniqueItems': true, 'uniqueItems': true,
'items': { 'items': {
'$ref': '#/definitions/vulnerability_classes' '$ref': '#/definitions/vulnerability_classes'
}, }
'default': [
'Log4ShellExploiter',
'HadoopExploiter'
]
}, },
'options': exploitationOptionsConfigurationSchema 'options': exploitationOptionsConfigurationSchema
} }

View File

@ -0,0 +1,111 @@
export const postBreachActions = {
'title': 'Post-Breach Actions',
'description': 'Runs scripts/commands on infected machines. These actions safely simulate what ' +
'an adversary might do after breaching a new machine. Used in ATT&CK and Zero trust reports.',
'type': 'string',
'pluginDefs': {
'CommunicateAsBackdoorUser':{'name': 'CommunicateAsBackdoorUser', 'options':{}},
'ModifyShellStartupFiles':{'name': 'ModifyShellStartupFiles', 'options':{}},
'HiddenFiles':{'name': 'HiddenFiles', 'options':{}},
'TrapCommand':{'name': 'TrapCommand', 'options':{}},
'ChangeSetuidSetgid':{'name': 'ChangeSetuidSetgid', 'options':{}},
'ScheduleJobs':{'name': 'ScheduleJobs', 'options':{}},
'Timestomping':{'name': 'Timestomping', 'options':{}},
'SignedScriptProxyExecution':{'name': 'SignedScriptProxyExecution', 'options':{}},
'AccountDiscovery':{'name': 'AccountDiscovery', 'options':{}},
'ClearCommandHistory':{'name': 'ClearCommandHistory', 'options':{}},
'ProcessListCollection':{'name': 'ProcessListCollection', 'options':{}}
},
'anyOf': [
{
'type': 'string',
'enum': ['CommunicateAsBackdoorUser'],
'title': 'Communicate as Backdoor User',
'safe': true,
'info': 'Attempts to create a new user, create HTTPS requests as that ' +
'user and delete the user ' +
'afterwards.'
},
{
'type': 'string',
'enum': ['ModifyShellStartupFiles'],
'title': 'Modify Shell Startup Files',
'safe': true,
'info': 'Attempts to modify shell startup files, like ~/.profile, ' +
'~/.bashrc, ~/.bash_profile ' +
'in linux, and profile.ps1 in windows. Reverts modifications done' +
' afterwards.'
},
{
'type': 'string',
'enum': ['HiddenFiles'],
'title': 'Hidden Files and Directories',
'safe': true,
'info': 'Attempts to create a hidden file and remove it afterward.'
},
{
'type': 'string',
'enum': ['TrapCommand'],
'title': 'Trap Command',
'safe': true,
'info': 'On Linux systems, attempts to trap a terminate signal in order ' +
'to execute a command upon receiving that signal. Removes the trap afterwards.'
},
{
'type': 'string',
'enum': ['ChangeSetuidSetgid'],
'title': 'Setuid and Setgid',
'safe': true,
'info': 'On Linux systems, attempts to set the setuid and setgid bits of ' +
'a new file. ' +
'Removes the file afterwards.',
'attack_techniques': ['T1166']
},
{
'type': 'string',
'enum': ['ScheduleJobs'],
'title': 'Job Scheduling',
'safe': true,
'info': 'Attempts to create a scheduled job on the system and remove it.'
},
{
'type': 'string',
'enum': ['Timestomping'],
'title': 'Timestomping',
'safe': true,
'info': 'Creates a temporary file and attempts to modify its time ' +
'attributes. Removes the file afterwards.'
},
{
'type': 'string',
'enum': ['SignedScriptProxyExecution'],
'title': 'Signed Script Proxy Execution',
'safe': false,
'info': 'On Windows systems, attempts to execute an arbitrary file ' +
'with the help of a pre-existing signed script.'
},
{
'type': 'string',
'enum': ['AccountDiscovery'],
'title': 'Account Discovery',
'safe': true,
'info': 'Attempts to get a listing of user accounts on the system.'
},
{
'type': 'string',
'enum': ['ClearCommandHistory'],
'title': 'Clear Command History',
'safe': false,
'info': 'Attempts to clear the command history.'
},
{
'type': 'string',
'enum': ['ProcessListCollection'],
'title': 'Process List Collector',
'safe': true,
'info': 'Collects a list of running processes on the machine.'
}
]
}