forked from p15670423/monkey
Merge pull request #1433 from guardicore/1410/remove-backdoor-pba
Remove Backdoor user PBA
This commit is contained in:
commit
318e71bcb4
|
@ -1,122 +0,0 @@
|
|||
{
|
||||
"id": "tbxb2cGgUiJQ8Btma0fp",
|
||||
"name": "Add a simple Post Breach action",
|
||||
"task": {
|
||||
"dod": "You should add a new PBA to the Monkey which creates a new user on the machine.",
|
||||
"tests": [],
|
||||
"hints": [
|
||||
"See `ScheduleJobs` PBA for an example of a PBA which only uses shell commands.",
|
||||
"Make sure to add the PBA to the configuration as well.",
|
||||
"MITRE ATT&CK technique T1136 articulates that adversaries may create an account to maintain access to victim systems, therefore, the BackdoorUser PBA is relevant to it. Make sure to map this PBA to the MITRE ATT&CK configuration and report."
|
||||
]
|
||||
},
|
||||
"content": [
|
||||
{
|
||||
"type": "text",
|
||||
"text": "Read [our documentation about adding a new PBA](https://www.guardicore.com/infectionmonkey/docs/development/adding-post-breach-actions/).\n\nAfter that we want you to add the BackdoorUser PBA. The commands that add users for Win and Linux can be retrieved from `get_commands_to_add_user` - make sure you see how to use this function correctly. \n\nNote that the PBA should impact the T1136 MITRE technique as well! \n\n# Manual test to confirm\n\n1. Run the Monkey Island\n2. Make sure your new PBA is enabled by default in the config - for this test, disable network scanning, exploiting, and all other PBAs\n3. Run Monkey\n4. See the PBA in the security report\n5, See the PBA in the MITRE report in the relevant technique\n"
|
||||
},
|
||||
{
|
||||
"type": "snippet",
|
||||
"path": "monkey/common/common_consts/post_breach_consts.py",
|
||||
"comments": [],
|
||||
"firstLineNumber": 1,
|
||||
"lines": [
|
||||
" POST_BREACH_COMMUNICATE_AS_NEW_USER = \"Communicate as new user\"",
|
||||
"*POST_BREACH_BACKDOOR_USER = \"Backdoor user\"",
|
||||
"+# Swimmer: PUT THE NEW CONST HERE!",
|
||||
" POST_BREACH_FILE_EXECUTION = \"File execution\"",
|
||||
" POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION = \"Modify shell startup file\"",
|
||||
" POST_BREACH_HIDDEN_FILES = \"Hide files and directories\""
|
||||
]
|
||||
},
|
||||
{
|
||||
"type": "snippet",
|
||||
"path": "monkey/infection_monkey/post_breach/actions/add_user.py",
|
||||
"comments": [],
|
||||
"firstLineNumber": 1,
|
||||
"lines": [
|
||||
"*from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER",
|
||||
"*from infection_monkey.config import WormConfiguration",
|
||||
"*from infection_monkey.post_breach.pba import PBA",
|
||||
"*from infection_monkey.utils.random_password_generator import get_random_password",
|
||||
"*from infection_monkey.utils.users import get_commands_to_add_user",
|
||||
"*",
|
||||
"*",
|
||||
"*class BackdoorUser(PBA):",
|
||||
"* def __init__(self):",
|
||||
"* random_password = get_random_password()",
|
||||
"*",
|
||||
"* linux_cmds, windows_cmds = get_commands_to_add_user(",
|
||||
"* WormConfiguration.user_to_add, random_password",
|
||||
"* )",
|
||||
"*",
|
||||
"* super(BackdoorUser, self).__init__(",
|
||||
"* POST_BREACH_BACKDOOR_USER, linux_cmd=\" \".join(linux_cmds), windows_cmd=windows_cmds",
|
||||
"* )"
|
||||
]
|
||||
},
|
||||
{
|
||||
"type": "snippet",
|
||||
"path": "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py",
|
||||
"comments": [],
|
||||
"firstLineNumber": 1,
|
||||
"lines": [
|
||||
" from common.common_consts.post_breach_consts import (",
|
||||
"* POST_BREACH_BACKDOOR_USER,",
|
||||
" POST_BREACH_COMMUNICATE_AS_NEW_USER,",
|
||||
" )"
|
||||
]
|
||||
},
|
||||
{
|
||||
"type": "snippet",
|
||||
"path": "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py",
|
||||
"comments": [],
|
||||
"firstLineNumber": 12,
|
||||
"lines": [
|
||||
" unscanned_msg = \"Monkey didn't try creating a new user on the network's systems.\"",
|
||||
" scanned_msg = \"Monkey tried creating a new user on the network's systems, but failed.\"",
|
||||
" used_msg = \"Monkey created a new user on the network's systems.\"",
|
||||
"* pba_names = [POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER]",
|
||||
"+ pba_names = [POST_BREACH_COMMUNICATE_AS_NEW_USER]"
|
||||
]
|
||||
},
|
||||
{
|
||||
"type": "snippet",
|
||||
"path": "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py",
|
||||
"comments": [],
|
||||
"firstLineNumber": 5,
|
||||
"lines": [
|
||||
" \"might do after breaching a new machine. Used in ATT&CK and Zero trust reports.\",",
|
||||
" \"type\": \"string\",",
|
||||
" \"anyOf\": [",
|
||||
"* {",
|
||||
"+ # Swimmer: Add new PBA here to config!",
|
||||
"* \"type\": \"string\",",
|
||||
"* \"enum\": [\"BackdoorUser\"],",
|
||||
"* \"title\": \"Back door user\",",
|
||||
"* \"safe\": True,",
|
||||
"* \"info\": \"Attempts to create a new user on the system and delete it afterwards.\",",
|
||||
"* \"attack_techniques\": [\"T1136\"],",
|
||||
"* },",
|
||||
" {",
|
||||
" \"type\": \"string\",",
|
||||
" \"enum\": [\"CommunicateAsNewUser\"],"
|
||||
]
|
||||
},
|
||||
{
|
||||
"type": "text",
|
||||
"text": "Take a look at the configuration of the island again - see the \"command to run after breach\" option we offer the user? It's implemented exactly like you did right now but each user can do it for themselves. \n\nHowever, what if the PBA needs to do stuff which is more complex than just running a few commands? In that case... "
|
||||
}
|
||||
],
|
||||
"symbols": {},
|
||||
"file_version": "2.0.1",
|
||||
"meta": {
|
||||
"app_version": "0.4.4-0",
|
||||
"file_blobs": {
|
||||
"monkey/common/common_consts/post_breach_consts.py": "25e6679cb1623aae1a732deb05cc011a452743e3",
|
||||
"monkey/infection_monkey/post_breach/actions/add_user.py": "26b048a492fcb6d319fc0c01d2f4a0bd302ecbc8",
|
||||
"monkey/monkey_island/cc/services/attack/technique_reports/T1136.py": "dfc5945a362b88c1135f4476526c6c82977b02ee",
|
||||
"monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "086dc85693ae02ddfa106099245c0f155139805c"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -42,7 +42,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
- Select Logger configuration at runtime. #971
|
||||
- Select `mongo_key.bin` file location at runtime. #994
|
||||
- Store Monkey agents in the configurable data_dir when monkey is "run from the
|
||||
island". #997
|
||||
7
|
||||
- Reformat all code using black. #1070
|
||||
- Sort all imports using isort. #1081
|
||||
- Address all flake8 issues. #1071
|
||||
|
@ -70,10 +70,12 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
- Improve runtime of some unit tests. #1125
|
||||
- Run curl OR wget (not both) when attempting to communicate as a new user on
|
||||
Linux. #1407
|
||||
- Renamed "Communicate as new user" post-breach action to "Communicate as backdoor user". #1410
|
||||
|
||||
### Removed
|
||||
- Relevant dead code as reported by Vulture. #1149
|
||||
- Island logger config and --logger-config CLI option. #1151
|
||||
- "Back door user" post-breach action. #1410
|
||||
|
||||
### Fixed
|
||||
- Attempt to delete a directory when monkey config reset was called. #1054
|
||||
|
|
|
@ -39,9 +39,9 @@ class MyNewPba(PBA):
|
|||
|
||||
#### Implementation
|
||||
|
||||
If your PBA consists only of simple shell commands, you can reuse the generic PBA by passing the commands into the constructor. See the `add_user.py` PBA for reference.
|
||||
If your PBA consists only of simple shell commands, you can reuse the generic PBA by passing the commands into the constructor. See the `account_discovery.py` PBA for reference.
|
||||
|
||||
Otherwise, you'll need to override the `run` method with your own implementation. See the `communicate_as_new_user.py` PBA for reference. Make sure to send the relevant PostBreachTelem upon success/failure. You can log during the PBA as well.
|
||||
Otherwise, you'll need to override the `run` method with your own implementation. See the `communicate_as_backdoor_user.py` PBA for reference. Make sure to send the relevant PostBreachTelem upon success/failure. You can log during the PBA as well.
|
||||
|
||||
### Modify the Monkey Island
|
||||
|
||||
|
@ -73,4 +73,4 @@ Now you can choose your PBA when configuring the Infection Monkey on the Monkey
|
|||
|
||||
#### Telemetry processing
|
||||
|
||||
If you wish to process your PBA telemetry (for example, to analyze it for report data), add a processing function to the `POST_BREACH_TELEMETRY_PROCESSING_FUNCS`, which can be found at `monkey/monkey_island/cc/services/telemetry/processing/post_breach.py`. You can reference the `process_communicate_as_new_user_telemetry` method as an example.
|
||||
If you wish to process your PBA telemetry (for example, to analyze it for report data), add a processing function to the `POST_BREACH_TELEMETRY_PROCESSING_FUNCS`, which can be found at `monkey/monkey_island/cc/services/telemetry/processing/post_breach.py`. You can reference the `process_communicate_as_backdoor_user_telemetry` method as an example.
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
POST_BREACH_COMMUNICATE_AS_NEW_USER = "Communicate as new user"
|
||||
POST_BREACH_BACKDOOR_USER = "Backdoor user"
|
||||
POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER = "Communicate as backdoor user"
|
||||
POST_BREACH_FILE_EXECUTION = "File execution"
|
||||
POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION = "Modify shell startup file"
|
||||
POST_BREACH_HIDDEN_FILES = "Hide files and directories"
|
||||
|
|
|
@ -40,7 +40,7 @@ TEST_SCHEDULED_EXECUTION = "scheduled_execution"
|
|||
TEST_MALICIOUS_ACTIVITY_TIMELINE = "malicious_activity_timeline"
|
||||
TEST_SEGMENTATION = "segmentation"
|
||||
TEST_TUNNELING = "tunneling"
|
||||
TEST_COMMUNICATE_AS_NEW_USER = "communicate_as_new_user"
|
||||
TEST_COMMUNICATE_AS_BACKDOOR_USER = "communicate_as_backdoor_user"
|
||||
TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES = "scoutsuite_permissive_firewall_rules"
|
||||
TEST_SCOUTSUITE_UNENCRYPTED_DATA = "scoutsuite_unencrypted_data"
|
||||
TEST_SCOUTSUITE_DATA_LOSS_PREVENTION = "scoutsuite_data_loss_prevention"
|
||||
|
@ -58,7 +58,7 @@ TESTS = (
|
|||
TEST_DATA_ENDPOINT_HTTP,
|
||||
TEST_DATA_ENDPOINT_ELASTIC,
|
||||
TEST_TUNNELING,
|
||||
TEST_COMMUNICATE_AS_NEW_USER,
|
||||
TEST_COMMUNICATE_AS_BACKDOOR_USER,
|
||||
TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES,
|
||||
TEST_SCOUTSUITE_UNENCRYPTED_DATA,
|
||||
TEST_SCOUTSUITE_DATA_LOSS_PREVENTION,
|
||||
|
@ -206,7 +206,7 @@ TESTS_MAP = {
|
|||
PILLARS_KEY: [NETWORKS, VISIBILITY_ANALYTICS],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED],
|
||||
},
|
||||
TEST_COMMUNICATE_AS_NEW_USER: {
|
||||
TEST_COMMUNICATE_AS_BACKDOOR_USER: {
|
||||
TEST_EXPLANATION_KEY: "The Monkey tried to create a new user and communicate "
|
||||
"with the internet from it.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
|
|
|
@ -1,18 +0,0 @@
|
|||
from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER
|
||||
from infection_monkey.config import WormConfiguration
|
||||
from infection_monkey.post_breach.pba import PBA
|
||||
from infection_monkey.utils.random_password_generator import get_random_password
|
||||
from infection_monkey.utils.users import get_commands_to_add_user
|
||||
|
||||
|
||||
class BackdoorUser(PBA):
|
||||
def __init__(self):
|
||||
random_password = get_random_password()
|
||||
|
||||
linux_cmds, windows_cmds = get_commands_to_add_user(
|
||||
WormConfiguration.user_to_add, random_password
|
||||
)
|
||||
|
||||
super(BackdoorUser, self).__init__(
|
||||
POST_BREACH_BACKDOOR_USER, linux_cmd=" ".join(linux_cmds), windows_cmd=windows_cmds
|
||||
)
|
|
@ -4,7 +4,7 @@ import shutil
|
|||
import string
|
||||
import subprocess
|
||||
|
||||
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_NEW_USER
|
||||
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
|
||||
from infection_monkey.post_breach.pba import PBA
|
||||
from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
|
||||
from infection_monkey.utils.auto_new_user_factory import create_auto_new_user
|
||||
|
@ -26,7 +26,7 @@ USERNAME_PREFIX = "somenewuser"
|
|||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class CommunicateAsNewUser(PBA):
|
||||
class CommunicateAsBackdoorUser(PBA):
|
||||
"""
|
||||
This PBA creates a new user, and then creates HTTPS requests as that user. This is used for a
|
||||
Zero Trust test of the People pillar. See the relevant telemetry processing to see what findings
|
||||
|
@ -34,14 +34,16 @@ class CommunicateAsNewUser(PBA):
|
|||
"""
|
||||
|
||||
def __init__(self):
|
||||
super(CommunicateAsNewUser, self).__init__(name=POST_BREACH_COMMUNICATE_AS_NEW_USER)
|
||||
super(CommunicateAsBackdoorUser, self).__init__(
|
||||
name=POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
|
||||
)
|
||||
|
||||
def run(self):
|
||||
username = CommunicateAsNewUser.get_random_new_user_name()
|
||||
username = CommunicateAsBackdoorUser.get_random_new_user_name()
|
||||
try:
|
||||
password = get_random_password()
|
||||
with create_auto_new_user(username, password) as new_user:
|
||||
http_request_commandline = CommunicateAsNewUser.get_commandline_for_http_request(
|
||||
http_request_commandline = CommunicateAsBackdoorUser.get_commandline_for_http_request(
|
||||
INFECTION_MONKEY_WEBSITE_URL
|
||||
)
|
||||
exit_status = new_user.run_as(http_request_commandline)
|
|
@ -1,8 +0,0 @@
|
|||
from infection_monkey.utils.linux.users import get_linux_commands_to_add_user
|
||||
from infection_monkey.utils.windows.users import get_windows_commands_to_add_user
|
||||
|
||||
|
||||
def get_commands_to_add_user(username, password):
|
||||
linux_cmds = get_linux_commands_to_add_user(username)
|
||||
windows_cmds = get_windows_commands_to_add_user(username, password)
|
||||
return linux_cmds, windows_cmds
|
|
@ -1,7 +1,4 @@
|
|||
from common.common_consts.post_breach_consts import (
|
||||
POST_BREACH_BACKDOOR_USER,
|
||||
POST_BREACH_COMMUNICATE_AS_NEW_USER,
|
||||
)
|
||||
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
|
||||
from monkey_island.cc.services.attack.technique_reports.pba_technique import PostBreachTechnique
|
||||
|
||||
|
||||
|
@ -10,4 +7,4 @@ class T1136(PostBreachTechnique):
|
|||
unscanned_msg = "Monkey didn't try creating a new user on the network's systems."
|
||||
scanned_msg = "Monkey tried creating a new user on the network's systems, but failed."
|
||||
used_msg = "Monkey created a new user on the network's systems."
|
||||
pba_names = [POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER]
|
||||
pba_names = [POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER]
|
||||
|
|
|
@ -22,7 +22,7 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
|
|||
"""
|
||||
:param post_breach_action_names: Names of post-breach actions with which the technique is
|
||||
associated
|
||||
(example - `["Communicate as new user", "Backdoor user"]` for T1136)
|
||||
(example - `["Communicate as backdoor user"]` for T1136)
|
||||
:return: Mongo query that parses attack telemetries for a simple report component
|
||||
(gets machines and post-breach action usage).
|
||||
"""
|
||||
|
|
|
@ -7,16 +7,8 @@ POST_BREACH_ACTIONS = {
|
|||
"anyOf": [
|
||||
{
|
||||
"type": "string",
|
||||
"enum": ["BackdoorUser"],
|
||||
"title": "Back door user",
|
||||
"safe": True,
|
||||
"info": "Attempts to create a new user on the system and delete it afterwards.",
|
||||
"attack_techniques": ["T1136"],
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": ["CommunicateAsNewUser"],
|
||||
"title": "Communicate as new user",
|
||||
"enum": ["CommunicateAsBackdoorUser"],
|
||||
"title": "Communicate as backdoor user",
|
||||
"safe": True,
|
||||
"info": "Attempts to create a new user, create HTTPS requests as that "
|
||||
"user and delete the user "
|
||||
|
|
|
@ -67,8 +67,7 @@ MONKEY = {
|
|||
"uniqueItems": True,
|
||||
"items": {"$ref": "#/definitions/post_breach_actions"},
|
||||
"default": [
|
||||
"BackdoorUser",
|
||||
"CommunicateAsNewUser",
|
||||
"CommunicateAsBackdoorUser",
|
||||
"ModifyShellStartupFiles",
|
||||
"HiddenFiles",
|
||||
"TrapCommand",
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
import copy
|
||||
|
||||
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_NEW_USER
|
||||
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
|
||||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.models import Monkey
|
||||
from monkey_island.cc.services.telemetry.zero_trust_checks.communicate_as_new_user import (
|
||||
from monkey_island.cc.services.telemetry.zero_trust_checks.communicate_as_backdoor_user import (
|
||||
check_new_user_communication,
|
||||
)
|
||||
|
||||
EXECUTION_WITHOUT_OUTPUT = "(PBA execution produced no output)"
|
||||
|
||||
|
||||
def process_communicate_as_new_user_telemetry(telemetry_json):
|
||||
def process_communicate_as_backdoor_user_telemetry(telemetry_json):
|
||||
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json["monkey_guid"])
|
||||
message = telemetry_json["data"]["result"][0]
|
||||
success = telemetry_json["data"]["result"][1]
|
||||
|
@ -18,7 +18,7 @@ def process_communicate_as_new_user_telemetry(telemetry_json):
|
|||
|
||||
|
||||
POST_BREACH_TELEMETRY_PROCESSING_FUNCS = {
|
||||
POST_BREACH_COMMUNICATE_AS_NEW_USER: process_communicate_as_new_user_telemetry,
|
||||
POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER: process_communicate_as_backdoor_user_telemetry,
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@ from monkey_island.cc.services.zero_trust.monkey_findings.monkey_zt_finding_serv
|
|||
MonkeyZTFindingService,
|
||||
)
|
||||
|
||||
COMM_AS_NEW_USER_FAILED_FORMAT = "Monkey on {} couldn't communicate as new user. Details: {}"
|
||||
COMM_AS_NEW_USER_FAILED_FORMAT = "Monkey on {} couldn't communicate as backdoor user. Details: {}"
|
||||
COMM_AS_NEW_USER_SUCCEEDED_FORMAT = (
|
||||
"New user created by Monkey on {} successfully tried to "
|
||||
"communicate with the internet. Details: {}"
|
||||
|
@ -14,7 +14,7 @@ COMM_AS_NEW_USER_SUCCEEDED_FORMAT = (
|
|||
def check_new_user_communication(current_monkey, success, message):
|
||||
status = zero_trust_consts.STATUS_FAILED if success else zero_trust_consts.STATUS_PASSED
|
||||
MonkeyZTFindingService.create_or_add_to_existing(
|
||||
test=zero_trust_consts.TEST_COMMUNICATE_AS_NEW_USER,
|
||||
test=zero_trust_consts.TEST_COMMUNICATE_AS_BACKDOOR_USER,
|
||||
status=status,
|
||||
events=[
|
||||
get_attempt_event(current_monkey),
|
||||
|
@ -25,7 +25,7 @@ def check_new_user_communication(current_monkey, success, message):
|
|||
|
||||
def get_attempt_event(current_monkey):
|
||||
tried_to_communicate_event = Event.create_event(
|
||||
title="Communicate as new user",
|
||||
title="Communicate as backdoor user",
|
||||
message="Monkey on {} tried to create a new user and communicate from it.".format(
|
||||
current_monkey.hostname
|
||||
),
|
||||
|
@ -40,7 +40,7 @@ def get_result_event(current_monkey, message, success):
|
|||
)
|
||||
|
||||
return Event.create_event(
|
||||
title="Communicate as new user",
|
||||
title="Communicate as backdoor user",
|
||||
message=message_format.format(current_monkey.hostname, message),
|
||||
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK,
|
||||
)
|
|
@ -175,8 +175,7 @@
|
|||
"PBA_windows_filename": "",
|
||||
"PBA_linux_filename": "",
|
||||
"post_breach_actions": [
|
||||
"BackdoorUser",
|
||||
"CommunicateAsNewUser",
|
||||
"CommunicateAsBackdoorUser",
|
||||
"ModifyShellStartupFiles",
|
||||
"HiddenFiles",
|
||||
"TrapCommand",
|
||||
|
|
|
@ -1,38 +1,39 @@
|
|||
from infection_monkey.post_breach.actions.communicate_as_new_user import (
|
||||
from infection_monkey.post_breach.actions.communicate_as_backdoor_user import (
|
||||
USERNAME_PREFIX,
|
||||
CommunicateAsNewUser,
|
||||
CommunicateAsBackdoorUser,
|
||||
)
|
||||
|
||||
URL = "this-is-where-i-wanna-go"
|
||||
|
||||
|
||||
def test_get_random_new_user_name():
|
||||
username = CommunicateAsNewUser.get_random_new_user_name()
|
||||
username = CommunicateAsBackdoorUser.get_random_new_user_name()
|
||||
assert len(username) == len(USERNAME_PREFIX) + 5
|
||||
assert username.islower()
|
||||
assert username.startswith(USERNAME_PREFIX)
|
||||
|
||||
|
||||
def test_get_commandline_for_http_request_windows():
|
||||
cmd_line = CommunicateAsNewUser.get_commandline_for_http_request(URL, is_windows=True)
|
||||
cmd_line = CommunicateAsBackdoorUser.get_commandline_for_http_request(URL, is_windows=True)
|
||||
assert "powershell.exe" in cmd_line
|
||||
assert URL in cmd_line
|
||||
|
||||
|
||||
def test_get_commandline_for_http_request_linux_curl(monkeypatch):
|
||||
monkeypatch.setattr(
|
||||
"infection_monkey.post_breach.actions.communicate_as_new_user.shutil.which",
|
||||
"infection_monkey.post_breach.actions.communicate_as_backdoor_user.shutil.which",
|
||||
lambda _: "not None",
|
||||
)
|
||||
cmd_line = CommunicateAsNewUser.get_commandline_for_http_request(URL, is_windows=False)
|
||||
cmd_line = CommunicateAsBackdoorUser.get_commandline_for_http_request(URL, is_windows=False)
|
||||
assert "curl" in cmd_line
|
||||
assert URL in cmd_line
|
||||
|
||||
|
||||
def test_get_commandline_for_http_request_linux_wget(monkeypatch):
|
||||
monkeypatch.setattr(
|
||||
"infection_monkey.post_breach.actions.communicate_as_new_user.shutil.which", lambda _: None
|
||||
"infection_monkey.post_breach.actions.communicate_as_backdoor_user.shutil.which",
|
||||
lambda _: None,
|
||||
)
|
||||
cmd_line = CommunicateAsNewUser.get_commandline_for_http_request(URL, is_windows=False)
|
||||
cmd_line = CommunicateAsBackdoorUser.get_commandline_for_http_request(URL, is_windows=False)
|
||||
assert "wget" in cmd_line
|
||||
assert URL in cmd_line
|
||||
|
|
|
@ -18,8 +18,8 @@ EVENTS = [
|
|||
timestamp=datetime.strptime("2021-01-19 12:07:17.802138", "%Y-%m-%d %H:%M:%S.%f"),
|
||||
),
|
||||
Event.create_event(
|
||||
title="Communicate as new user",
|
||||
message="Monkey on gc-pc-244 couldn't communicate as new user. "
|
||||
title="Communicate as backdoor user",
|
||||
message="Monkey on gc-pc-244 couldn't communicate as backdoor user. "
|
||||
"Details: System error 5 has occurred. Access is denied.",
|
||||
event_type="monkey_network",
|
||||
timestamp=datetime.strptime("2021-01-19 12:22:42.246020", "%Y-%m-%d %H:%M:%S.%f"),
|
||||
|
@ -28,7 +28,7 @@ EVENTS = [
|
|||
|
||||
TESTS = [
|
||||
zero_trust_consts.TEST_ENDPOINT_SECURITY_EXISTS,
|
||||
zero_trust_consts.TEST_COMMUNICATE_AS_NEW_USER,
|
||||
zero_trust_consts.TEST_COMMUNICATE_AS_BACKDOOR_USER,
|
||||
]
|
||||
|
||||
STATUS = [
|
||||
|
|
Loading…
Reference in New Issue