From 3561573a6b07bd1b292fd5f248167f0f228a7db1 Mon Sep 17 00:00:00 2001
From: Shreya Malviya <shreya.malviya@gmail.com>
Date: Wed, 20 Apr 2022 18:18:23 +0530
Subject: [PATCH] Agent: Check username of Mimikatz gathered creds

before adding to the config since we don't want to add users created by the Monkey
---
 .../mimikatz_collector/mimikatz_credential_collector.py    | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py b/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py
index 1b772580d..7ce9b7581 100644
--- a/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py
+++ b/monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py
@@ -1,6 +1,7 @@
 import logging
 from typing import Sequence
 
+from infection_monkey.consts import USERNAME_PREFIX
 from infection_monkey.credential_collectors import LMHash, NTHash, Password, Username
 from infection_monkey.i_puppet.credential_collection import Credentials, ICredentialCollector
 
@@ -23,7 +24,11 @@ class MimikatzCredentialCollector(ICredentialCollector):
         for win_cred in win_creds:
             identities = []
             secrets = []
-            if win_cred.username:
+
+            # Mimikatz picks up users created by the Monkey even if they're successfully deleted
+            # since it picks up creds from the registry. The newly created users are not removed
+            # from the registry until a reboot of the system, hence this check.
+            if win_cred.username and not win_cred.username.startswith(USERNAME_PREFIX):
                 identity = Username(win_cred.username)
                 identities.append(identity)
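Review bot: The new guard on `if win_cred.username and not win_cred.username.startswith(USERNAME_PREFIX):` only skips the `Username` identity, while `secrets` is initialised for the same `win_cred` a few lines above. The rest of the loop body lies outside this hunk, so this is inferred: if it still appends that entry's password and hashes, a Monkey-created account's secrets would reach the config without a username. Skipping the whole entry would match the commit's stated intent, for example `if win_cred.username and win_cred.username.startswith(USERNAME_PREFIX): continue` placed before the identity block. Windows account names are case-insensitive, so if the reported casing can differ from `USERNAME_PREFIX`, compare on `.lower()` for both sides. A unit test with a prefixed username plus a password would pin the behaviour.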