diff --git a/monkey/infection_monkey/post_breach/clear_command_history/clear_command_history.py b/monkey/infection_monkey/post_breach/clear_command_history/clear_command_history.py index 2edfefeac..67c600a5d 100644 --- a/monkey/infection_monkey/post_breach/clear_command_history/clear_command_history.py +++ b/monkey/infection_monkey/post_breach/clear_command_history/clear_command_history.py @@ -1,7 +1,12 @@ -from infection_monkey.post_breach.clear_command_history.linux_clear_command_history import \ - get_linux_commands_to_clear_command_history +from infection_monkey.post_breach.clear_command_history.linux_clear_command_history import ( + get_linux_command_history_files, + get_linux_commands_to_clear_command_history, get_linux_usernames) def get_commands_to_clear_command_history(): - linux_cmds = get_linux_commands_to_clear_command_history() - return linux_cmds + (linux_cmds, + linux_cmd_hist_files, + linux_usernames) = (get_linux_commands_to_clear_command_history(), + get_linux_command_history_files(), + get_linux_usernames()) + return linux_cmds, linux_cmd_hist_files, linux_usernames diff --git a/monkey/infection_monkey/post_breach/clear_command_history/linux_clear_command_history.py b/monkey/infection_monkey/post_breach/clear_command_history/linux_clear_command_history.py index c48ccc389..a3545f124 100644 --- a/monkey/infection_monkey/post_breach/clear_command_history/linux_clear_command_history.py +++ b/monkey/infection_monkey/post_breach/clear_command_history/linux_clear_command_history.py @@ -2,21 +2,31 @@ import subprocess from infection_monkey.utils.environment import is_windows_os -TEMP_HIST_FILE = '$HOME/monkey-temp-hist-file' - def get_linux_commands_to_clear_command_history(): if is_windows_os(): - return '', [], [] + return '' + + TEMP_HIST_FILE = '$HOME/monkey-temp-hist-file' + + return [ + '3<{0} 3<&- && ', # check for existence of file + 'cat {0} ' # copy contents of history file to... + f'> {TEMP_HIST_FILE} && ', # ...temporary file + 'echo > {0} && ', # clear contents of file + 'echo \"Successfully cleared {0}\" && ', # if successfully cleared + f'cat {TEMP_HIST_FILE} ', # restore history file back with... + '> {0} ;' # ...original contents + f'rm {TEMP_HIST_FILE} -f' # remove temp history file + ] + + +def get_linux_command_history_files(): + if is_windows_os(): + return [] HOME_DIR = "/home/" - # get list of usernames - USERS = subprocess.check_output( # noqa: DUO116 - "cut -d: -f1,3 /etc/passwd | egrep ':[0-9]{4}$' | cut -d: -f1", - shell=True - ).decode().split('\n')[:-1] - # get list of paths of different shell history files (default values) with place for username STARTUP_FILES = [ file_path.format(HOME_DIR) for file_path in @@ -29,13 +39,17 @@ def get_linux_commands_to_clear_command_history(): ] ] - return [ - '3<{0} 3<&- && ', # check for existence of file - 'cat {0} ' # copy contents of history file to... - f'> {TEMP_HIST_FILE} && ', # ...temporary file - 'echo > {0} && ', # clear contents of file - 'echo \"Successfully cleared {0}\" && ', # if successfully cleared - f'cat {TEMP_HIST_FILE} ', # restore history file back with... - '> {0} ;' # ...original contents - f'rm {TEMP_HIST_FILE} -f' # remove temp history file - ], STARTUP_FILES, USERS + return STARTUP_FILES + + +def get_linux_usernames(): + if is_windows_os(): + return [] + + # get list of usernames + USERS = subprocess.check_output( # noqa: DUO116 + "cut -d: -f1,3 /etc/passwd | egrep ':[0-9]{4}$' | cut -d: -f1", + shell=True + ).decode().split('\n')[:-1] + + return USERS diff --git a/monkey/monkey_island/cc/services/attack/attack_schema.py b/monkey/monkey_island/cc/services/attack/attack_schema.py index 501f4da24..ab8eebe49 100644 --- a/monkey/monkey_island/cc/services/attack/attack_schema.py +++ b/monkey/monkey_island/cc/services/attack/attack_schema.py @@ -171,7 +171,7 @@ SCHEMA = { "T1146": { "title": "Clear command history", "type": "bool", - "value": True, + "value": False, "necessary": False, "link": "https://attack.mitre.org/techniques/T1146", "description": "Adversaries may clear/disable command history of a compromised " diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1146.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1146.py index fe7519f97..cacbe6789 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/T1146.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1146.py @@ -7,9 +7,9 @@ __author__ = "shreyamalviya" class T1146(PostBreachTechnique): tech_id = "T1146" - unscanned_msg = "Monkey didn't try clearing/disabling the command history since it didn't run on any Linux machines." - scanned_msg = "Monkey tried clearing/disabling the command history but failed." - used_msg = "Monkey successfully cleared/disabled the command history." + unscanned_msg = "Monkey didn't try clearing the command history since it didn't run on any Linux machines." + scanned_msg = "Monkey tried clearing the command history but failed." + used_msg = "Monkey successfully cleared the command history (and then restored it back)." pba_names = [POST_BREACH_CLEAR_CMD_HISTORY] @staticmethod diff --git a/monkey/monkey_island/cc/services/config_schema/monkey.py b/monkey/monkey_island/cc/services/config_schema/monkey.py index 92a5bb828..dd10cb35b 100644 --- a/monkey/monkey_island/cc/services/config_schema/monkey.py +++ b/monkey/monkey_island/cc/services/config_schema/monkey.py @@ -67,8 +67,7 @@ MONKEY = { "HiddenFiles", "TrapCommand", "ChangeSetuidSetgid", - "ScheduleJobs", - "ClearCommandHistory" + "ScheduleJobs" ] }, } diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/security/PostBreachParser.js b/monkey/monkey_island/cc/ui/src/components/report-components/security/PostBreachParser.js index d1c9c01ae..4bb420f71 100644 --- a/monkey/monkey_island/cc/ui/src/components/report-components/security/PostBreachParser.js +++ b/monkey/monkey_island/cc/ui/src/components/report-components/security/PostBreachParser.js @@ -56,7 +56,7 @@ function aggregateMultipleResultsPba(results) { return results; // if modifications were made, push aggregated results to `results` and return - results = results.filter(result => result.name !== SHELL_STARTUP_NAME && result.name !== CMD_HISTORY_NAME); + results = results.filter(result => !multipleResultsPbas.includes(result.name)); multipleResultsPbas.forEach(pba => checkAggregatedResults(pba)); return results; }