From f2527b4d89315810a5c0362737e7862ba239728c Mon Sep 17 00:00:00 2001 From: Ilija Lazoroski Date: Tue, 19 Apr 2022 21:37:24 +0200 Subject: [PATCH 1/6] Agent: Change windows removal command --- monkey/infection_monkey/model/__init__.py | 13 +++++++++++-- monkey/infection_monkey/monkey.py | 2 +- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/monkey/infection_monkey/model/__init__.py b/monkey/infection_monkey/model/__init__.py index 3d53b5d86..ce71fb05e 100644 --- a/monkey/infection_monkey/model/__init__.py +++ b/monkey/infection_monkey/model/__init__.py @@ -28,9 +28,18 @@ MONKEY_CMDLINE_DETACHED_WINDOWS = "%s start cmd /c %%(monkey_path)s %s" % ( CMD_PREFIX, MONKEY_ARG, ) +# Time for delay deleting monkey executable +DELAY_SECONDS = 5 +# Command that returns 1 if the process is running and 0 otherwise +CHECK_RUNNING_MONKEY_CMD = 'tasklist /fi "PID eq %(exe_pid)s" ^| find /C "%(exe_pid)s"' +DELETE_FILE_AND_EXIT = "del /f /q %(file_path)s & exit" +# Command that checks for running monkey process 20 times +# If the monkey is running it sleeps for 'delay_seconds' +# If the monkey is not running it deletes the executable and exits the loop DELAY_DELETE_CMD = ( - "cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del /f /q %(file_path)s & " - "if not exist %(file_path)s exit)) > NUL 2>&1 " + f'cmd /c (for /l %%i in (1,1,20) do (for /F "delims=" %%j IN ' + f'(\'{CHECK_RUNNING_MONKEY_CMD}\') DO if "%%j"=="1" (timeout {DELAY_SECONDS}) else ' + f"({DELETE_FILE_AND_EXIT})) ) > NUL 2>&1" ) # Commands used for downloading monkeys diff --git a/monkey/infection_monkey/monkey.py b/monkey/infection_monkey/monkey.py index e3d71a2f1..877147ed4 100644 --- a/monkey/infection_monkey/monkey.py +++ b/monkey/infection_monkey/monkey.py @@ -415,7 +415,7 @@ class InfectionMonkey: startupinfo.dwFlags = CREATE_NEW_CONSOLE | STARTF_USESHOWWINDOW startupinfo.wShowWindow = SW_HIDE subprocess.Popen( - DELAY_DELETE_CMD % {"file_path": sys.executable}, + DELAY_DELETE_CMD % {"file_path": sys.executable, "exe_pid": os.getpid()}, stdin=None, stdout=None, stderr=None, From 2568a46790db8b105565cacb5cfa331e93fd50fe Mon Sep 17 00:00:00 2001 From: Ilija Lazoroski Date: Wed, 20 Apr 2022 09:52:20 +0200 Subject: [PATCH 2/6] Changelog: Add entry for fixing windows self deleting executable --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3d40d5bfe..8619ce57e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -79,7 +79,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/). script proxy execution PBA was disabled. #1864 - Unnecessary collection of kerberos credentials. #1771 - A bug where bogus users were collected by Mimikatz and added to the config. #1860 - +- A bug where windows executable was not self deleting. #1763 ### Security - Change SSH exploiter so that it does not set the permissions of the agent From c2e01eaea7503d4752ac28312f5e5684628fbb68 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 20 Apr 2022 07:45:10 -0400 Subject: [PATCH 3/6] Agent: Refactor InfectionMonkey._self_delete() --- monkey/infection_monkey/monkey.py | 68 ++++++++++++++++++------------- 1 file changed, 40 insertions(+), 28 deletions(-) diff --git a/monkey/infection_monkey/monkey.py b/monkey/infection_monkey/monkey.py index 877147ed4..b843ec1b3 100644 --- a/monkey/infection_monkey/monkey.py +++ b/monkey/infection_monkey/monkey.py @@ -3,6 +3,7 @@ import logging import os import subprocess import sys +from pathlib import Path from typing import List import infection_monkey.tunnel as tunnel @@ -401,35 +402,46 @@ class InfectionMonkey: @staticmethod def _self_delete() -> bool: + InfectionMonkey._remove_monkey_dir() + + if "python" in Path(sys.executable).name: + return False + + try: + if "win32" == sys.platform: + InfectionMonkey._self_delete_windows() + else: + InfectionMonkey._self_delete_linux() + + T1107Telem(ScanStatus.USED, sys.executable).send() + return True + except Exception as exc: + logger.error("Exception in self delete: %s", exc) + T1107Telem(ScanStatus.SCANNED, sys.executable).send() + + return False + + @staticmethod + def _remove_monkey_dir(): status = ScanStatus.USED if remove_monkey_dir() else ScanStatus.SCANNED T1107Telem(status, get_monkey_dir_path()).send() - deleted = False - if -1 == sys.executable.find("python"): - try: - status = None - if "win32" == sys.platform: - from subprocess import CREATE_NEW_CONSOLE, STARTF_USESHOWWINDOW, SW_HIDE + @staticmethod + def _self_delete_windows(): + from subprocess import CREATE_NEW_CONSOLE, STARTF_USESHOWWINDOW, SW_HIDE - startupinfo = subprocess.STARTUPINFO() - startupinfo.dwFlags = CREATE_NEW_CONSOLE | STARTF_USESHOWWINDOW - startupinfo.wShowWindow = SW_HIDE - subprocess.Popen( - DELAY_DELETE_CMD % {"file_path": sys.executable, "exe_pid": os.getpid()}, - stdin=None, - stdout=None, - stderr=None, - close_fds=True, - startupinfo=startupinfo, - ) - deleted = True - else: - os.remove(sys.executable) - status = ScanStatus.USED - deleted = True - except Exception as exc: - logger.error("Exception in self delete: %s", exc) - status = ScanStatus.SCANNED - if status: - T1107Telem(status, sys.executable).send() - return deleted + startupinfo = subprocess.STARTUPINFO() + startupinfo.dwFlags = CREATE_NEW_CONSOLE | STARTF_USESHOWWINDOW + startupinfo.wShowWindow = SW_HIDE + subprocess.Popen( + DELAY_DELETE_CMD % {"file_path": sys.executable, "exe_pid": os.getpid()}, + stdin=None, + stdout=None, + stderr=None, + close_fds=True, + startupinfo=startupinfo, + ) + + @staticmethod + def _self_delete_linux(): + os.remove(sys.executable) From 838848bc3ae5fdf405301d09652638b34af02f7b Mon Sep 17 00:00:00 2001 From: Ilija Lazoroski Date: Wed, 20 Apr 2022 14:10:40 +0200 Subject: [PATCH 4/6] Agent: Move delay delete commands to monkey.py --- monkey/infection_monkey/model/__init__.py | 13 ------- monkey/infection_monkey/monkey.py | 41 +++++++++++++++++++---- 2 files changed, 35 insertions(+), 19 deletions(-) diff --git a/monkey/infection_monkey/model/__init__.py b/monkey/infection_monkey/model/__init__.py index ce71fb05e..138dbf92a 100644 --- a/monkey/infection_monkey/model/__init__.py +++ b/monkey/infection_monkey/model/__init__.py @@ -28,19 +28,6 @@ MONKEY_CMDLINE_DETACHED_WINDOWS = "%s start cmd /c %%(monkey_path)s %s" % ( CMD_PREFIX, MONKEY_ARG, ) -# Time for delay deleting monkey executable -DELAY_SECONDS = 5 -# Command that returns 1 if the process is running and 0 otherwise -CHECK_RUNNING_MONKEY_CMD = 'tasklist /fi "PID eq %(exe_pid)s" ^| find /C "%(exe_pid)s"' -DELETE_FILE_AND_EXIT = "del /f /q %(file_path)s & exit" -# Command that checks for running monkey process 20 times -# If the monkey is running it sleeps for 'delay_seconds' -# If the monkey is not running it deletes the executable and exits the loop -DELAY_DELETE_CMD = ( - f'cmd /c (for /l %%i in (1,1,20) do (for /F "delims=" %%j IN ' - f'(\'{CHECK_RUNNING_MONKEY_CMD}\') DO if "%%j"=="1" (timeout {DELAY_SECONDS}) else ' - f"({DELETE_FILE_AND_EXIT})) ) > NUL 2>&1" -) # Commands used for downloading monkeys POWERSHELL_HTTP_UPLOAD = ( diff --git a/monkey/infection_monkey/monkey.py b/monkey/infection_monkey/monkey.py index b843ec1b3..cd3c1d572 100644 --- a/monkey/infection_monkey/monkey.py +++ b/monkey/infection_monkey/monkey.py @@ -29,7 +29,7 @@ from infection_monkey.exploit.zerologon import ZerologonExploiter from infection_monkey.i_puppet import IPuppet, PluginType from infection_monkey.master import AutomatedMaster from infection_monkey.master.control_channel import ControlChannel -from infection_monkey.model import DELAY_DELETE_CMD, VictimHostFactory +from infection_monkey.model import VictimHostFactory from infection_monkey.network import NetworkInterface from infection_monkey.network.firewall import app as firewall from infection_monkey.network.info import get_local_network_interfaces @@ -428,13 +428,11 @@ class InfectionMonkey: @staticmethod def _self_delete_windows(): - from subprocess import CREATE_NEW_CONSOLE, STARTF_USESHOWWINDOW, SW_HIDE + delay_delete_cmd = InfectionMonkey._build_windows_delete_command() - startupinfo = subprocess.STARTUPINFO() - startupinfo.dwFlags = CREATE_NEW_CONSOLE | STARTF_USESHOWWINDOW - startupinfo.wShowWindow = SW_HIDE + startupinfo = InfectionMonkey._get_startup_info() subprocess.Popen( - DELAY_DELETE_CMD % {"file_path": sys.executable, "exe_pid": os.getpid()}, + delay_delete_cmd, stdin=None, stdout=None, stderr=None, @@ -442,6 +440,37 @@ class InfectionMonkey: startupinfo=startupinfo, ) + @staticmethod + def _build_windows_delete_command() -> str: + # Time for delay deleting monkey executable + delay_seconds = 5 + + monkey_pid = os.getpid() + monkey_file_path = sys.executable + # Command that returns 1 if the process is running and 0 otherwise + check_running_monkey_cmd = f'tasklist /fi "PID eq {monkey_pid}" ^| find /C "{monkey_pid}"' + delete_file_and_exit_cmd = f"del /f /q {monkey_file_path} & exit" + # Command that checks for running monkey process 20 times + # If the monkey is running it sleeps for 'delay_seconds' + # If the monkey is not running it deletes the executable and exits the loop + delay_delete_cmd = ( + f'cmd /c (for /l %i in (1,1,20) do (for /F "delims=" %j IN ' + f'(\'{check_running_monkey_cmd}\') DO if "%j"=="1" (timeout {delay_seconds}) else ' + f"({delete_file_and_exit_cmd})) ) > NUL 2>&1" + ) + + return delay_delete_cmd + + @staticmethod + def _get_startup_info(): + from subprocess import CREATE_NEW_CONSOLE, STARTF_USESHOWWINDOW, SW_HIDE + + startupinfo = subprocess.STARTUPINFO() + startupinfo.dwFlags = CREATE_NEW_CONSOLE | STARTF_USESHOWWINDOW + startupinfo.wShowWindow = SW_HIDE + + return startupinfo + @staticmethod def _self_delete_linux(): os.remove(sys.executable) From 6d51f17f29d7acfbac4e5bc952070901c5cec341 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 20 Apr 2022 11:08:40 -0400 Subject: [PATCH 5/6] Agent: Improve whitespace and formatting in _self_delete_windows() --- monkey/infection_monkey/monkey.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/monkey/infection_monkey/monkey.py b/monkey/infection_monkey/monkey.py index cd3c1d572..de1db5ab8 100644 --- a/monkey/infection_monkey/monkey.py +++ b/monkey/infection_monkey/monkey.py @@ -429,8 +429,8 @@ class InfectionMonkey: @staticmethod def _self_delete_windows(): delay_delete_cmd = InfectionMonkey._build_windows_delete_command() - startupinfo = InfectionMonkey._get_startup_info() + subprocess.Popen( delay_delete_cmd, stdin=None, @@ -442,14 +442,15 @@ class InfectionMonkey: @staticmethod def _build_windows_delete_command() -> str: - # Time for delay deleting monkey executable - delay_seconds = 5 - monkey_pid = os.getpid() monkey_file_path = sys.executable + + # Time for delay deleting monkey executable + delay_seconds = 5 # Command that returns 1 if the process is running and 0 otherwise check_running_monkey_cmd = f'tasklist /fi "PID eq {monkey_pid}" ^| find /C "{monkey_pid}"' delete_file_and_exit_cmd = f"del /f /q {monkey_file_path} & exit" + # Command that checks for running monkey process 20 times # If the monkey is running it sleeps for 'delay_seconds' # If the monkey is not running it deletes the executable and exits the loop From 53d1c55bbae86d9869a33f054f7d85600b6455ae Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 20 Apr 2022 11:18:29 -0400 Subject: [PATCH 6/6] Agent: Refactor InfectionMonkey._build_windows_delete_command() * Replace references to "monkey" with "agent" * Improve comments --- monkey/infection_monkey/monkey.py | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/monkey/infection_monkey/monkey.py b/monkey/infection_monkey/monkey.py index de1db5ab8..8d01b3b9d 100644 --- a/monkey/infection_monkey/monkey.py +++ b/monkey/infection_monkey/monkey.py @@ -442,25 +442,26 @@ class InfectionMonkey: @staticmethod def _build_windows_delete_command() -> str: - monkey_pid = os.getpid() - monkey_file_path = sys.executable + agent_pid = os.getpid() + agent_file_path = sys.executable - # Time for delay deleting monkey executable - delay_seconds = 5 - # Command that returns 1 if the process is running and 0 otherwise - check_running_monkey_cmd = f'tasklist /fi "PID eq {monkey_pid}" ^| find /C "{monkey_pid}"' - delete_file_and_exit_cmd = f"del /f /q {monkey_file_path} & exit" + # Returns 1 if the process is running and 0 otherwise + check_running_agent_cmd = f'tasklist /fi "PID eq {agent_pid}" ^| find /C "{agent_pid}"' - # Command that checks for running monkey process 20 times - # If the monkey is running it sleeps for 'delay_seconds' - # If the monkey is not running it deletes the executable and exits the loop - delay_delete_cmd = ( + sleep_seconds = 5 + delete_file_and_exit_cmd = f"del /f /q {agent_file_path} & exit" + + # Checks if the agent process is still running. + # If the agent is still running, it sleeps for 'sleep_seconds' before checking again. + # If the agent is not running, it deletes the executable and exits the loop. + # The check runs up to 20 times to give the agent ample time to shutdown. + delete_agent_cmd = ( f'cmd /c (for /l %i in (1,1,20) do (for /F "delims=" %j IN ' - f'(\'{check_running_monkey_cmd}\') DO if "%j"=="1" (timeout {delay_seconds}) else ' + f'(\'{check_running_agent_cmd}\') DO if "%j"=="1" (timeout {sleep_seconds}) else ' f"({delete_file_and_exit_cmd})) ) > NUL 2>&1" ) - return delay_delete_cmd + return delete_agent_cmd @staticmethod def _get_startup_info():