Mimikatz, Azure collectors moved to system info collectors in config, "Behaviour" renamed to "Post breach" in config
This commit is contained in:
parent
8b2797306b
commit
2c96ace908
|
@ -2,3 +2,5 @@ AWS_COLLECTOR = "AwsCollector"
|
||||||
HOSTNAME_COLLECTOR = "HostnameCollector"
|
HOSTNAME_COLLECTOR = "HostnameCollector"
|
||||||
ENVIRONMENT_COLLECTOR = "EnvironmentCollector"
|
ENVIRONMENT_COLLECTOR = "EnvironmentCollector"
|
||||||
PROCESS_LIST_COLLECTOR = "ProcessListCollector"
|
PROCESS_LIST_COLLECTOR = "ProcessListCollector"
|
||||||
|
MIMIKATZ_COLLECTOR = "MimikatzCollector"
|
||||||
|
AZURE_CRED_COLLECTOR = "AzureCollector"
|
||||||
|
|
|
@ -267,16 +267,6 @@ class Configuration(object):
|
||||||
# Shares to not check if they're writable.
|
# Shares to not check if they're writable.
|
||||||
sambacry_shares_not_to_check = ["IPC$", "print$"]
|
sambacry_shares_not_to_check = ["IPC$", "print$"]
|
||||||
|
|
||||||
# system info collection
|
|
||||||
collect_system_info = True
|
|
||||||
should_use_mimikatz = True
|
|
||||||
|
|
||||||
###########################
|
|
||||||
# systeminfo config
|
|
||||||
###########################
|
|
||||||
|
|
||||||
extract_azure_creds = True
|
|
||||||
|
|
||||||
###########################
|
###########################
|
||||||
# post breach actions
|
# post breach actions
|
||||||
###########################
|
###########################
|
||||||
|
|
|
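Review bot: The three class attributes dropped here (`collect_system_info`, `should_use_mimikatz`, `extract_azure_creds`) were read elsewhere through `WormConfiguration.<name>`, and a reader that this commit did not update will now fail with AttributeError at call time rather than at import; the three readers visible in this diff are updated, but a search for the three names across the repository before merge would confirm there are no others. The new gates both read `WormConfiguration.system_info_collector_classes`, yet no hunk in this commit declares a default for that attribute on `Configuration` — it is presumably already present, since the island schema lists it as unchanged context, but if it is not, add `system_info_collector_classes = []` next to the remaining system-info settings so the collectors fail closed instead of raising. The `Configuration` class starts and ends outside this hunk.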
@ -190,7 +190,8 @@ class InfectionMonkey(object):
|
||||||
if self._default_server:
|
if self._default_server:
|
||||||
if self._network.on_island(self._default_server):
|
if self._network.on_island(self._default_server):
|
||||||
machine.set_default_server(get_interface_to_target(machine.ip_addr) +
|
machine.set_default_server(get_interface_to_target(machine.ip_addr) +
|
||||||
(':' + self._default_server_port if self._default_server_port else ''))
|
(
|
||||||
|
':' + self._default_server_port if self._default_server_port else ''))
|
||||||
else:
|
else:
|
||||||
machine.set_default_server(self._default_server)
|
machine.set_default_server(self._default_server)
|
||||||
LOG.debug("Default server for machine: %r set to %s" % (machine, machine.default_server))
|
LOG.debug("Default server for machine: %r set to %s" % (machine, machine.default_server))
|
||||||
|
@ -241,11 +242,10 @@ class InfectionMonkey(object):
|
||||||
LOG.debug("Running with depth: %d" % WormConfiguration.depth)
|
LOG.debug("Running with depth: %d" % WormConfiguration.depth)
|
||||||
|
|
||||||
def collect_system_info_if_configured(self):
|
def collect_system_info_if_configured(self):
|
||||||
if WormConfiguration.collect_system_info:
|
LOG.debug("Calling system info collection")
|
||||||
LOG.debug("Calling system info collection")
|
system_info_collector = SystemInfoCollector()
|
||||||
system_info_collector = SystemInfoCollector()
|
system_info = system_info_collector.get_info()
|
||||||
system_info = system_info_collector.get_info()
|
SystemInfoTelem(system_info).send()
|
||||||
SystemInfoTelem(system_info).send()
|
|
||||||
|
|
||||||
def shutdown_by_not_alive_config(self):
|
def shutdown_by_not_alive_config(self):
|
||||||
if not WormConfiguration.alive:
|
if not WormConfiguration.alive:
|
||||||
|
@ -386,7 +386,8 @@ class InfectionMonkey(object):
|
||||||
:raises PlannedShutdownException if couldn't find the server.
|
:raises PlannedShutdownException if couldn't find the server.
|
||||||
"""
|
"""
|
||||||
if not ControlClient.find_server(default_tunnel=self._default_tunnel):
|
if not ControlClient.find_server(default_tunnel=self._default_tunnel):
|
||||||
raise PlannedShutdownException("Monkey couldn't find server with {} default tunnel.".format(self._default_tunnel))
|
raise PlannedShutdownException(
|
||||||
|
"Monkey couldn't find server with {} default tunnel.".format(self._default_tunnel))
|
||||||
self._default_server = WormConfiguration.current_server
|
self._default_server = WormConfiguration.current_server
|
||||||
LOG.debug("default server set to: %s" % self._default_server)
|
LOG.debug("default server set to: %s" % self._default_server)
|
||||||
|
|
||||||
|
|
|
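Review bot: `collect_system_info_if_configured` no longer has a configuration check — the `if WormConfiguration.collect_system_info:` guard is removed in the `@ -241,11 +242,10 @@` hunk and the body now always builds a `SystemInfoCollector` and sends the telemetry — so the name now promises a condition the code does not apply. Either rename it at its call site (which is outside this hunk) or document the new contract, e.g. `"""Always run system info collection and send the result; which collectors actually run is presumably decided by WormConfiguration.system_info_collector_classes."""`. The `@ -190,7 +190,8 @@` and `@ -386,7 +386,8 @@` hunks only rewrap long lines and raise nothing.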
@ -4,6 +4,7 @@ from enum import IntEnum
|
||||||
|
|
||||||
import psutil
|
import psutil
|
||||||
|
|
||||||
|
from common.data.system_info_collectors_names import AZURE_CRED_COLLECTOR
|
||||||
from infection_monkey.network.info import get_host_subnets
|
from infection_monkey.network.info import get_host_subnets
|
||||||
from infection_monkey.system_info.azure_cred_collector import AzureCollector
|
from infection_monkey.system_info.azure_cred_collector import AzureCollector
|
||||||
from infection_monkey.system_info.netstat_collector import NetstatCollector
|
from infection_monkey.system_info.netstat_collector import NetstatCollector
|
||||||
|
@ -91,7 +92,7 @@ class InfoCollector(object):
|
||||||
# noinspection PyBroadException
|
# noinspection PyBroadException
|
||||||
try:
|
try:
|
||||||
from infection_monkey.config import WormConfiguration
|
from infection_monkey.config import WormConfiguration
|
||||||
if not WormConfiguration.extract_azure_creds:
|
if AZURE_CRED_COLLECTOR not in WormConfiguration.system_info_collector_classes:
|
||||||
return
|
return
|
||||||
LOG.debug("Harvesting creds if on an Azure machine")
|
LOG.debug("Harvesting creds if on an Azure machine")
|
||||||
azure_collector = AzureCollector()
|
azure_collector = AzureCollector()
|
||||||
|
|
|
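Review bot: The Azure credential collector is still switched on by a hand-written membership test (`if AZURE_CRED_COLLECTOR not in WormConfiguration.system_info_collector_classes:`) inside the base collector rather than by whatever mechanism runs the other names in that same list; the Windows hunk at `@ -44,7 +45,7 @@` does the same for `MIMIKATZ_COLLECTOR`. Two paths for one setting invite drift — a collector listed in the schema but gated by a bespoke check is easy to leave enabled or disabled by accident. The new test also sits under the `# noinspection PyBroadException` try, so if the attribute were ever missing from the config the error would presumably be swallowed and the collector silently skipped; the `except` clause and the method boundaries are outside this hunk. A comment such as `# gated here explicitly; not dispatched with the other system_info_collector_classes entries` on the `if` line (and its Windows twin) would at least make the split explicit.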
@ -2,6 +2,7 @@ import logging
|
||||||
import os
|
import os
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
|
from common.data.system_info_collectors_names import MIMIKATZ_COLLECTOR
|
||||||
from infection_monkey.system_info.windows_cred_collector.mimikatz_cred_collector import \
|
from infection_monkey.system_info.windows_cred_collector.mimikatz_cred_collector import \
|
||||||
MimikatzCredentialCollector
|
MimikatzCredentialCollector
|
||||||
|
|
||||||
|
@ -44,7 +45,7 @@ class WindowsInfoCollector(InfoCollector):
|
||||||
# TODO: Think about returning self.get_wmi_info()
|
# TODO: Think about returning self.get_wmi_info()
|
||||||
self.get_installed_packages()
|
self.get_installed_packages()
|
||||||
from infection_monkey.config import WormConfiguration
|
from infection_monkey.config import WormConfiguration
|
||||||
if WormConfiguration.should_use_mimikatz:
|
if MIMIKATZ_COLLECTOR in WormConfiguration.system_info_collector_classes:
|
||||||
self.get_mimikatz_info()
|
self.get_mimikatz_info()
|
||||||
|
|
||||||
return self.info
|
return self.info
|
||||||
|
|
|
@ -1,7 +1,9 @@
|
||||||
from common.data.system_info_collectors_names import (AWS_COLLECTOR,
|
from common.data.system_info_collectors_names import (AWS_COLLECTOR,
|
||||||
ENVIRONMENT_COLLECTOR,
|
ENVIRONMENT_COLLECTOR,
|
||||||
HOSTNAME_COLLECTOR,
|
HOSTNAME_COLLECTOR,
|
||||||
PROCESS_LIST_COLLECTOR)
|
PROCESS_LIST_COLLECTOR,
|
||||||
|
MIMIKATZ_COLLECTOR,
|
||||||
|
AZURE_CRED_COLLECTOR)
|
||||||
|
|
||||||
SYSTEM_INFO_COLLECTOR_CLASSES = {
|
SYSTEM_INFO_COLLECTOR_CLASSES = {
|
||||||
"title": "System Information Collectors",
|
"title": "System Information Collectors",
|
||||||
|
@ -15,7 +17,16 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
|
||||||
],
|
],
|
||||||
"title": "Environment collector",
|
"title": "Environment collector",
|
||||||
"info": "Collects information about machine's environment (on premise/GCP/AWS).",
|
"info": "Collects information about machine's environment (on premise/GCP/AWS).",
|
||||||
"attack_techniques": []
|
"attack_techniques": ["T1082"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "string",
|
||||||
|
"enum": [
|
||||||
|
MIMIKATZ_COLLECTOR
|
||||||
|
],
|
||||||
|
"title": "Mimikatz collector",
|
||||||
|
"info": "Collects credentials from Windows credential manager.",
|
||||||
|
"attack_techniques": ["T1003", "T1005"]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "string",
|
"type": "string",
|
||||||
|
@ -24,7 +35,7 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
|
||||||
],
|
],
|
||||||
"title": "AWS collector",
|
"title": "AWS collector",
|
||||||
"info": "If on AWS, collects more information about the AWS instance currently running on.",
|
"info": "If on AWS, collects more information about the AWS instance currently running on.",
|
||||||
"attack_techniques": []
|
"attack_techniques": ["T1082"]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "string",
|
"type": "string",
|
||||||
|
@ -33,7 +44,7 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
|
||||||
],
|
],
|
||||||
"title": "Hostname collector",
|
"title": "Hostname collector",
|
||||||
"info": "Collects machine's hostname.",
|
"info": "Collects machine's hostname.",
|
||||||
"attack_techniques": []
|
"attack_techniques": ["T1082", "T1016"]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "string",
|
"type": "string",
|
||||||
|
@ -42,7 +53,16 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
|
||||||
],
|
],
|
||||||
"title": "Process list collector",
|
"title": "Process list collector",
|
||||||
"info": "Collects a list of running processes on the machine.",
|
"info": "Collects a list of running processes on the machine.",
|
||||||
"attack_techniques": []
|
"attack_techniques": ["T1082"]
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"type": "string",
|
||||||
|
"enum": [
|
||||||
|
AZURE_CRED_COLLECTOR
|
||||||
|
],
|
||||||
|
"title": "Azure credential collector",
|
||||||
|
"info": "Collects password credentials from Azure VMs",
|
||||||
|
"attack_techniques": ["T1003", "T1005"]
|
||||||
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
|
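Review bot: The new Azure entry's `"info"` string is the only one in this list without a terminating period, so the UI text will read inconsistently next to its siblings: `"info": "Collects password credentials from Azure VMs.",`. Since these strings are what an operator sees when deciding whether to enable credential harvesting, it is also worth confirming that the Mimikatz entry's "Collects credentials from Windows credential manager." matches what `MimikatzCredentialCollector` actually gathers; I cannot verify that from this diff.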
@ -34,6 +34,30 @@ INTERNAL = {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"monkey": {
|
||||||
|
"title": "Monkey",
|
||||||
|
"type": "object",
|
||||||
|
"properties": {
|
||||||
|
"self_delete_in_cleanup": {
|
||||||
|
"title": "Self delete on cleanup",
|
||||||
|
"type": "boolean",
|
||||||
|
"default": True,
|
||||||
|
"description": "Should the monkey delete its executable when going down"
|
||||||
|
},
|
||||||
|
"use_file_logging": {
|
||||||
|
"title": "Use file logging",
|
||||||
|
"type": "boolean",
|
||||||
|
"default": True,
|
||||||
|
"description": "Should the monkey dump to a log file"
|
||||||
|
},
|
||||||
|
"serialize_config": {
|
||||||
|
"title": "Serialize config",
|
||||||
|
"type": "boolean",
|
||||||
|
"default": False,
|
||||||
|
"description": "Should the monkey dump its config on startup"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
"classes": {
|
"classes": {
|
||||||
"title": "Classes",
|
"title": "Classes",
|
||||||
"type": "object",
|
"type": "object",
|
||||||
|
|
|
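Review bot: The three settings moved into INTERNAL's new `"monkey"` object (`self_delete_in_cleanup`, `use_file_logging`, `serialize_config`) now sit under a different schema path than the MONKEY `"behaviour"` block they are removed from in the `@ -81,52 +64,29 @@` hunk; any island code that addresses them by path, as `PBA_WINDOWS_FILENAME_PATH` does for the PBA filenames, would need the same update, and none is visible here. The leaf attribute names are unchanged, so a short comment on the new object, e.g. `# moved from the MONKEY "behaviour" section; leaf keys unchanged`, would tell the next reader why these monkey-runtime flags live under INTERNAL.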
@ -2,7 +2,7 @@ from monkey_island.cc.services.utils.typographic_symbols import WARNING_SIGN
|
||||||
from common.data.system_info_collectors_names import (AWS_COLLECTOR,
|
from common.data.system_info_collectors_names import (AWS_COLLECTOR,
|
||||||
ENVIRONMENT_COLLECTOR,
|
ENVIRONMENT_COLLECTOR,
|
||||||
HOSTNAME_COLLECTOR,
|
HOSTNAME_COLLECTOR,
|
||||||
PROCESS_LIST_COLLECTOR)
|
PROCESS_LIST_COLLECTOR, MIMIKATZ_COLLECTOR, AZURE_CRED_COLLECTOR)
|
||||||
|
|
||||||
MONKEY = {
|
MONKEY = {
|
||||||
"title": "Monkey",
|
"title": "Monkey",
|
||||||
|
@ -18,27 +18,10 @@ MONKEY = {
|
||||||
"default": True,
|
"default": True,
|
||||||
"description": "Is the monkey alive"
|
"description": "Is the monkey alive"
|
||||||
},
|
},
|
||||||
"post_breach_actions": {
|
|
||||||
"title": "Post breach actions",
|
|
||||||
"type": "array",
|
|
||||||
"uniqueItems": True,
|
|
||||||
"items": {
|
|
||||||
"$ref": "#/definitions/post_breach_actions"
|
|
||||||
},
|
|
||||||
"default": [
|
|
||||||
"BackdoorUser",
|
|
||||||
"CommunicateAsNewUser",
|
|
||||||
"ModifyShellStartupFiles",
|
|
||||||
"HiddenFiles",
|
|
||||||
"TrapCommand",
|
|
||||||
"ChangeSetuidSetgid",
|
|
||||||
"ScheduleJobs"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"behaviour": {
|
"post_breach": {
|
||||||
"title": "Behaviour",
|
"title": "Post breach",
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"properties": {
|
"properties": {
|
||||||
"custom_PBA_linux_cmd": {
|
"custom_PBA_linux_cmd": {
|
||||||
|
@ -81,52 +64,29 @@ MONKEY = {
|
||||||
"type": "string",
|
"type": "string",
|
||||||
"default": ""
|
"default": ""
|
||||||
},
|
},
|
||||||
"self_delete_in_cleanup": {
|
"post_breach_actions": {
|
||||||
"title": "Self delete on cleanup",
|
"title": "Post breach actions",
|
||||||
"type": "boolean",
|
"type": "array",
|
||||||
"default": True,
|
"uniqueItems": True,
|
||||||
"description": "Should the monkey delete its executable when going down"
|
"items": {
|
||||||
|
"$ref": "#/definitions/post_breach_actions"
|
||||||
|
},
|
||||||
|
"default": [
|
||||||
|
"BackdoorUser",
|
||||||
|
"CommunicateAsNewUser",
|
||||||
|
"ModifyShellStartupFiles",
|
||||||
|
"HiddenFiles",
|
||||||
|
"TrapCommand",
|
||||||
|
"ChangeSetuidSetgid",
|
||||||
|
"ScheduleJobs"
|
||||||
|
]
|
||||||
},
|
},
|
||||||
"use_file_logging": {
|
|
||||||
"title": "Use file logging",
|
|
||||||
"type": "boolean",
|
|
||||||
"default": True,
|
|
||||||
"description": "Should the monkey dump to a log file"
|
|
||||||
},
|
|
||||||
"serialize_config": {
|
|
||||||
"title": "Serialize config",
|
|
||||||
"type": "boolean",
|
|
||||||
"default": False,
|
|
||||||
"description": "Should the monkey dump its config on startup"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"system_info": {
|
"system_info": {
|
||||||
"title": "System info",
|
"title": "System info",
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"properties": {
|
"properties": {
|
||||||
"extract_azure_creds": {
|
|
||||||
"title": "Harvest Azure Credentials",
|
|
||||||
"type": "boolean",
|
|
||||||
"default": True,
|
|
||||||
"attack_techniques": ["T1003"],
|
|
||||||
"description":
|
|
||||||
"Determine if the Monkey should try to harvest password credentials from Azure VMs"
|
|
||||||
},
|
|
||||||
"collect_system_info": {
|
|
||||||
"title": "Collect system info",
|
|
||||||
"type": "boolean",
|
|
||||||
"default": True,
|
|
||||||
"attack_techniques": ["T1082", "T1005", "T1016"],
|
|
||||||
"description": "Determines whether to collect system info"
|
|
||||||
},
|
|
||||||
"should_use_mimikatz": {
|
|
||||||
"title": "Should use Mimikatz",
|
|
||||||
"type": "boolean",
|
|
||||||
"default": True,
|
|
||||||
"attack_techniques": ["T1003"],
|
|
||||||
"description": "Determines whether to use Mimikatz"
|
|
||||||
},
|
|
||||||
"system_info_collector_classes": {
|
"system_info_collector_classes": {
|
||||||
"title": "System info collectors",
|
"title": "System info collectors",
|
||||||
"type": "array",
|
"type": "array",
|
||||||
|
@ -138,7 +98,9 @@ MONKEY = {
|
||||||
ENVIRONMENT_COLLECTOR,
|
ENVIRONMENT_COLLECTOR,
|
||||||
AWS_COLLECTOR,
|
AWS_COLLECTOR,
|
||||||
HOSTNAME_COLLECTOR,
|
HOSTNAME_COLLECTOR,
|
||||||
PROCESS_LIST_COLLECTOR
|
PROCESS_LIST_COLLECTOR,
|
||||||
|
MIMIKATZ_COLLECTOR,
|
||||||
|
AZURE_CRED_COLLECTOR
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
|
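Review bot: Dropping the `should_use_mimikatz` and `extract_azure_creds` booleans from `"system_info"` while adding `MIMIKATZ_COLLECTOR` and `AZURE_CRED_COLLECTOR` to the default `system_info_collector_classes` (hunk `@ -138,7 +98,9 @@`) means a stored configuration in which an operator had set either flag to `False` will, unless something outside this commit translates it, come back with both credential collectors enabled by default — I see no migration here, and for a security tool a previously disabled harvesting step silently turning back on is the surprise to avoid. The `"behaviour"` → `"post_breach"` key rename has the same compatibility edge: the updated `PBA_WINDOWS_FILENAME_PATH`/`PBA_LINUX_FILENAME_PATH` constants and the two JS files only match the new key, so a saved config still using `behaviour` would lose its PBA filenames. A one-off translation of the old keys on config load, or a comment pointing at the migration if it exists elsewhere, would close this. Minor style point: the import line `PROCESS_LIST_COLLECTOR, MIMIKATZ_COLLECTOR, AZURE_CRED_COLLECTOR)` packs three names on one line where the rest of the parenthesised list is one per line.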
@ -9,8 +9,8 @@ __author__ = "VakarisZ"
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
# Where to find file names in config
|
# Where to find file names in config
|
||||||
PBA_WINDOWS_FILENAME_PATH = ['monkey', 'behaviour', 'PBA_windows_filename']
|
PBA_WINDOWS_FILENAME_PATH = ['monkey', 'post_breach', 'PBA_windows_filename']
|
||||||
PBA_LINUX_FILENAME_PATH = ['monkey', 'behaviour', 'PBA_linux_filename']
|
PBA_LINUX_FILENAME_PATH = ['monkey', 'post_breach', 'PBA_linux_filename']
|
||||||
UPLOADS_DIR = Path('monkey_island', 'cc', 'userUploads')
|
UPLOADS_DIR = Path('monkey_island', 'cc', 'userUploads')
|
||||||
|
|
||||||
|
|
||||||
|
@ -41,5 +41,5 @@ def set_config_PBA_files(config_json):
|
||||||
if monkey_island.cc.services.config.ConfigService.get_config():
|
if monkey_island.cc.services.config.ConfigService.get_config():
|
||||||
linux_filename = monkey_island.cc.services.config.ConfigService.get_config_value(PBA_LINUX_FILENAME_PATH)
|
linux_filename = monkey_island.cc.services.config.ConfigService.get_config_value(PBA_LINUX_FILENAME_PATH)
|
||||||
windows_filename = monkey_island.cc.services.config.ConfigService.get_config_value(PBA_WINDOWS_FILENAME_PATH)
|
windows_filename = monkey_island.cc.services.config.ConfigService.get_config_value(PBA_WINDOWS_FILENAME_PATH)
|
||||||
config_json['monkey']['behaviour']['PBA_linux_filename'] = linux_filename
|
config_json['monkey']['post_breach']['PBA_linux_filename'] = linux_filename
|
||||||
config_json['monkey']['behaviour']['PBA_windows_filename'] = windows_filename
|
config_json['monkey']['post_breach']['PBA_windows_filename'] = windows_filename
|
||||||
|
|
|
@ -24,7 +24,7 @@ export default function UiSchema(props) {
|
||||||
'ui:widget': AdvancedMultiSelect
|
'ui:widget': AdvancedMultiSelect
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
behaviour: {
|
post_breach: {
|
||||||
custom_PBA_linux_cmd: {
|
custom_PBA_linux_cmd: {
|
||||||
'ui:widget': 'textarea',
|
'ui:widget': 'textarea',
|
||||||
'ui:emptyValue': ''
|
'ui:emptyValue': ''
|
||||||
|
|
|
@ -334,8 +334,8 @@ class ConfigurePageComponent extends AuthComponent {
|
||||||
{this.renderBasicNetworkWarning()}
|
{this.renderBasicNetworkWarning()}
|
||||||
<Form schema={displayedSchema}
|
<Form schema={displayedSchema}
|
||||||
uiSchema={UiSchema({
|
uiSchema={UiSchema({
|
||||||
PBA_linux_filename: this.state.configuration.monkey.behaviour.PBA_linux_filename,
|
PBA_linux_filename: this.state.configuration.monkey.post_breach.PBA_linux_filename,
|
||||||
PBA_windows_filename: this.state.configuration.monkey.behaviour.PBA_windows_filename,
|
PBA_windows_filename: this.state.configuration.monkey.post_breach.PBA_windows_filename,
|
||||||
setPbaFilenameWindows: this.setPbaFilenameWindows,
|
setPbaFilenameWindows: this.setPbaFilenameWindows,
|
||||||
setPbaFilenameLinux: this.setPbaFilenameLinux,
|
setPbaFilenameLinux: this.setPbaFilenameLinux,
|
||||||
selectedSection: this.state.selectedSection
|
selectedSection: this.state.selectedSection
|
||||||
|
@ -351,7 +351,7 @@ class ConfigurePageComponent extends AuthComponent {
|
||||||
|
|
||||||
setPbaFilenameWindows = (filename) => {
|
setPbaFilenameWindows = (filename) => {
|
||||||
let config = this.state.configuration
|
let config = this.state.configuration
|
||||||
config.monkey.behaviour.PBA_windows_filename = filename
|
config.monkey.post_breach.PBA_windows_filename = filename
|
||||||
this.setState({
|
this.setState({
|
||||||
configuration: config
|
configuration: config
|
||||||
})
|
})
|
||||||
|
@ -359,7 +359,7 @@ class ConfigurePageComponent extends AuthComponent {
|
||||||
|
|
||||||
setPbaFilenameLinux = (filename) => {
|
setPbaFilenameLinux = (filename) => {
|
||||||
let config = this.state.configuration
|
let config = this.state.configuration
|
||||||
config.monkey.behaviour.PBA_linux_filename = filename
|
config.monkey.post_breach.PBA_linux_filename = filename
|
||||||
this.setState({
|
this.setState({
|
||||||
configuration: config
|
configuration: config
|
||||||
})
|
})
|
||||||
|
|