Merge pull request #1902 from guardicore/1860-fake-users-mimikatz

Fix Mimikatz-collected fake users (Monkey-created accounts) being added to the config
This commit is contained in:
Mike Salvatore 2022-04-20 11:26:08 -04:00 committed by GitHub
commit 526448cec9
4 changed files with 13 additions and 3 deletions


@ -78,6 +78,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
- A bug where T1216_random_executable.exe was copied to disk even if the signed - A bug where T1216_random_executable.exe was copied to disk even if the signed
script proxy execution PBA was disabled. #1864 script proxy execution PBA was disabled. #1864
- Unnecessary collection of kerberos credentials. #1771 - Unnecessary collection of kerberos credentials. #1771
- A bug where bogus users were collected by Mimikatz and added to the config. #1860
### Security ### Security


@ -1,6 +1,8 @@
import logging import logging
from typing import Sequence from typing import Sequence
from model import USERNAME_PREFIX
from infection_monkey.credential_collectors import LMHash, NTHash, Password, Username from infection_monkey.credential_collectors import LMHash, NTHash, Password, Username
from infection_monkey.i_puppet.credential_collection import Credentials, ICredentialCollector from infection_monkey.i_puppet.credential_collection import Credentials, ICredentialCollector
@ -23,7 +25,11 @@ class MimikatzCredentialCollector(ICredentialCollector):
for win_cred in win_creds: for win_cred in win_creds:
identities = [] identities = []
secrets = [] secrets = []
if win_cred.username:
# Mimikatz picks up users created by the Monkey even if they're successfully deleted
# since it picks up creds from the registry. The newly created users are not removed
# from the registry until a reboot of the system, hence this check.
if win_cred.username and not win_cred.username.startswith(USERNAME_PREFIX):
identity = Username(win_cred.username) identity = Username(win_cred.username)
identities.append(identity) identities.append(identity)
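Review bot: The prefix check on the `if` at the end of this hunk only suppresses the Username identity; the loop body continues past the hunk, and if it still appends `win_cred` password/LM/NT hash values to `secrets`, a Credentials entry with no identity but with the Monkey-created account's secret would still be reported to the island. Skipping the whole record is the safer shape: insert `if win_cred.username and win_cred.username.startswith(USERNAME_PREFIX):` / `    continue` at the top of the loop and leave the original `if win_cred.username:` unchanged. The filter is a plain prefix match, so a legitimate account whose name happens to start with "somenewuser" would also be dropped; that is probably acceptable for this tool but should be stated in the comment. Separately, the new `from model import USERNAME_PREFIX` in this file's import hunk is written as a bare top-level import while its neighbours use `from infection_monkey....`; if `model` resolves only because the infection_monkey directory is on sys.path, `from infection_monkey.model import USERNAME_PREFIX` would be more robust and consistent.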


@ -5,6 +5,9 @@ MONKEY_ARG = "m0nk3y"
DROPPER_ARG = "dr0pp3r" DROPPER_ARG = "dr0pp3r"
ID_STRING = "M0NK3Y3XPL0ITABLE" ID_STRING = "M0NK3Y3XPL0ITABLE"
# Username prefix for users created by Infection Monkey
USERNAME_PREFIX = "somenewuser"
# CMD prefix for windows commands # CMD prefix for windows commands
CMD_EXE = "cmd.exe" CMD_EXE = "cmd.exe"
CMD_CARRY_OUT = "/c" CMD_CARRY_OUT = "/c"
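Review bot: The comment above `USERNAME_PREFIX` should record that this value is now load-bearing for credential filtering, not just a naming convention, since the Mimikatz collector drops any collected username starting with it and any PBA that creates accounts under a different name would have its users leak into the config again. Suggested wording: `# Username prefix for users created by Infection Monkey. The Mimikatz credential collector` / `# discards collected usernames starting with this prefix, so every PBA that creates a local` / `# user must use it (and no real account is expected to share it).`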


@ -5,6 +5,8 @@ import string
import subprocess import subprocess
from typing import Dict from typing import Dict
from model import USERNAME_PREFIX
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
from infection_monkey.i_puppet.i_puppet import PostBreachData from infection_monkey.i_puppet.i_puppet import PostBreachData
from infection_monkey.post_breach.pba import PBA from infection_monkey.post_breach.pba import PBA
@ -23,8 +25,6 @@ CREATED_PROCESS_AS_USER_FAILED_FORMAT = (
"Created process '{}' as user '{}', but the process failed (exit status {}:{})." "Created process '{}' as user '{}', but the process failed (exit status {}:{})."
) )
USERNAME_PREFIX = "somenewuser"
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)