forked from p15670423/monkey
UI: Add custom PBAs and PBAs to the json schema
Remove data-url from the custom-pbas. Fix small things in the credential collectors
This commit is contained in:
parent
67aa7d95a3
commit
5a367181f9
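--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -3,6 +3,7 @@ import {pluginConfigurationSchema} from './definitions/plugins.js';
 import {propagationConfigurationSchema} from './definitions/propagation.js';
 import {bruteForceExploiters, vulnerabilityExploiters} from './definitions/exploiter_classes.js';
 import {credentialCollectors} from './definitions/credential_collectors.js';
+import {postBreachActions} from './definitions/post_breach_actions.js';
 
 export const SCHEMA = {
 'title': 'Monkey',
@@ -10,26 +11,20 @@ export const SCHEMA = {
 'definitions': {
 'brute_force_classes': bruteForceExploiters,
 'vulnerability_classes': vulnerabilityExploiters,
-'credential_collectors_classes': credentialCollectors
+'credential_collectors_classes': credentialCollectors,
+'post_breach_actions': postBreachActions
 },
 'properties': {
 'propagation': propagationConfigurationSchema,
 'post_breach_actions': {
 'title': 'Post-breach actions',
-'type': 'object',
-'properties': {
-'pba_list': {
-'title': 'PBAs',
-'type': 'array',
-'items': pluginConfigurationSchema,
-'default': [
-{'name': 'CommunicateAsBackdoorUser','safe': true, 'options': {}},
-{'name': 'ModifyShellStartupFiles', 'safe': true, 'options': {}}
-]
-},
-'custom_pbas': customPBAConfigurationSchema
+'type': 'array',
+'uniqueItems': true,
+'items': {
+'$ref': '#/definitions/post_breach_actions'
 }
 },
+'custom_pbas': customPBAConfigurationSchema,
 'payloads': {
 'title': 'Payloads',
 'type': 'array',
@@ -40,20 +35,15 @@ export const SCHEMA = {
 },
 'credential_collectors': {
 'title': 'Credential collectors',
-'properties': {
-'collectors': {
-'title': 'Credential collectors',
-'type': 'array',
-'uniqueItems': true,
-'items': {
-'$ref': '#/definitions/credential_collectors_classes'
-},
-'default': [
-'MimikatzCollector',
-'SSHCollector'
-]
-}
-}
+'type': 'array',
+'uniqueItems': true,
+'items': {
+'$ref': '#/definitions/credential_collectors_classes'
+},
+'default': [
+'MimikatzCollector',
+'SSHCollector'
+]
 },
 'advanced': {
 'title': 'Advanced',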
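Review bot: With `'items': pluginConfigurationSchema` removed in the second hunk, the `pluginConfigurationSchema` import visible in the first hunk header (`import {pluginConfigurationSchema} from './definitions/plugins.js';`) has no remaining use in the hunks shown; unless it is referenced further down the file, drop that import so the linter does not flag it. The rebuilt `post_breach_actions` array also no longer carries a `'default'`, while `credential_collectors` in the third hunk keeps `'default': ['MimikatzCollector', 'SSHCollector']`; if an empty initial PBA selection is intended, a one-line comment such as `// no default: PBAs must be selected explicitly` above `'items'` would record that. The SCHEMA object continues past the last hunk.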
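--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -1,6 +1,5 @@
 export const customPBAConfigurationSchema = {
-'title': 'Custom post-breach action',
-'type': 'object',
+'title': 'Custom PBA',
 'properties': {
 'linux_command': {
 'title': 'Linux post-breach command',
@@ -14,7 +13,6 @@ export const customPBAConfigurationSchema = {
 'linux_filename': {
 'title': 'Linux post-breach file',
 'type': 'string',
-'format': 'data-url',
 'description': 'File to be uploaded after braeaching. ' +
 'Use the "Linux post-breach command" field to ' +
 'change permissions, run, or delete the file. ' +
@@ -32,7 +30,6 @@ export const customPBAConfigurationSchema = {
 'windows_filename':{
 'title': 'Windows post-breach file',
 'type': 'string',
-'format': 'data-url',
 'description': 'File to be uploaded after breaching. ' +
 'Use the "Windows post-breach command" filed to ' +
 'change permissions, run or delete the file. ' +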
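Review bot: The first hunk drops `'type': 'object',` from `customPBAConfigurationSchema` while keeping its `'properties'` block; in JSON Schema `properties` only constrains instances that are objects, so the schema now also accepts a non-object value, and I would keep `'type': 'object',` unless the consumer specifically requires its absence. The second and third hunks remove `'format': 'data-url'` from `linux_filename` and `windows_filename`, but their descriptions still begin 'File to be uploaded after ...', which no longer describes a plain string field; update each description to say what the string now holds (presumably a filename). The object literal continues past the last hunk.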
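--- a/PATH_NOT_SHOWN_3
+++ b/PATH_NOT_SHOWN_3
@@ -11,13 +11,7 @@ export const exploitationConfigurationSchema = {
 'uniqueItems': true,
 'items': {
 '$ref': '#/definitions/brute_force_classes'
-},
-'default': [
-'SmbExploiter',
-'WmiExploiter',
-'SSHExploiter',
-'MSSQLExploiter'
-]
+}
 },
 'vulnerability': {
 'title': 'Vulnerability Exploiters',
@@ -25,11 +19,7 @@ export const exploitationConfigurationSchema = {
 'uniqueItems': true,
 'items': {
 '$ref': '#/definitions/vulnerability_classes'
-},
-'default': [
-'Log4ShellExploiter',
-'HadoopExploiter'
-]
+}
 },
 'options': exploitationOptionsConfigurationSchema
 }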
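Review bot: Both hunks delete the `'default'` lists of the brute-force and vulnerability exploiter arrays, so they now start empty while `credential_collectors` in the same commit keeps a default; if the intent is that no exploiter runs unless explicitly selected, a comment above each `'items'` block such as `// intentionally no default: exploiters must be opted in` would record that and stop the next maintainer re-adding the list. The commit message does not mention this removal, so it is worth a sentence there too. The enclosing object starts before the first hunk.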
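--- /dev/null
+++ b/PATH_NOT_SHOWN/definitions/post_breach_actions.js
@@ -0,0 +1,111 @@
+export const postBreachActions = {
+'title': 'Post-Breach Actions',
+'description': 'Runs scripts/commands on infected machines. These actions safely simulate what ' +
+'an adversary might do after breaching a new machine. Used in ATT&CK and Zero trust reports.',
+'type': 'string',
+'pluginDefs': {
+'CommunicateAsBackdoorUser':{'name': 'CommunicateAsBackdoorUser', 'options':{}},
+'ModifyShellStartupFiles':{'name': 'ModifyShellStartupFiles', 'options':{}},
+'HiddenFiles':{'name': 'HiddenFiles', 'options':{}},
+'TrapCommand':{'name': 'TrapCommand', 'options':{}},
+'ChangeSetuidSetgid':{'name': 'ChangeSetuidSetgid', 'options':{}},
+'ScheduleJobs':{'name': 'ScheduleJobs', 'options':{}},
+'Timestomping':{'name': 'Timestomping', 'options':{}},
+'SignedScriptProxyExecution':{'name': 'SignedScriptProxyExecution', 'options':{}},
+'AccountDiscovery':{'name': 'AccountDiscovery', 'options':{}},
+'ClearCommandHistory':{'name': 'ClearCommandHistory', 'options':{}},
+'ProcessListCollection':{'name': 'ProcessListCollection', 'options':{}}
+},
+'anyOf': [
+{
+'type': 'string',
+'enum': ['CommunicateAsBackdoorUser'],
+'title': 'Communicate as Backdoor User',
+'safe': true,
+'info': 'Attempts to create a new user, create HTTPS requests as that ' +
+'user and delete the user ' +
+'afterwards.'
+},
+{
+'type': 'string',
+'enum': ['ModifyShellStartupFiles'],
+'title': 'Modify Shell Startup Files',
+'safe': true,
+'info': 'Attempts to modify shell startup files, like ~/.profile, ' +
+'~/.bashrc, ~/.bash_profile ' +
+'in linux, and profile.ps1 in windows. Reverts modifications done' +
+' afterwards.'
+},
+{
+'type': 'string',
+'enum': ['HiddenFiles'],
+'title': 'Hidden Files and Directories',
+'safe': true,
+'info': 'Attempts to create a hidden file and remove it afterward.'
+},
+{
+'type': 'string',
+'enum': ['TrapCommand'],
+'title': 'Trap Command',
+'safe': true,
+'info': 'On Linux systems, attempts to trap a terminate signal in order ' +
+'to execute a command upon receiving that signal. Removes the trap afterwards.'
+},
+{
+'type': 'string',
+'enum': ['ChangeSetuidSetgid'],
+'title': 'Setuid and Setgid',
+'safe': true,
+'info': 'On Linux systems, attempts to set the setuid and setgid bits of ' +
+'a new file. ' +
+'Removes the file afterwards.',
+'attack_techniques': ['T1166']
+},
+{
+'type': 'string',
+'enum': ['ScheduleJobs'],
+'title': 'Job Scheduling',
+'safe': true,
+'info': 'Attempts to create a scheduled job on the system and remove it.'
+},
+{
+'type': 'string',
+'enum': ['Timestomping'],
+'title': 'Timestomping',
+'safe': true,
+'info': 'Creates a temporary file and attempts to modify its time ' +
+'attributes. Removes the file afterwards.'
+},
+{
+'type': 'string',
+'enum': ['SignedScriptProxyExecution'],
+'title': 'Signed Script Proxy Execution',
+'safe': false,
+'info': 'On Windows systems, attempts to execute an arbitrary file ' +
+'with the help of a pre-existing signed script.'
+},
+{
+'type': 'string',
+'enum': ['AccountDiscovery'],
+'title': 'Account Discovery',
+'safe': true,
+'info': 'Attempts to get a listing of user accounts on the system.'
+},
+{
+'type': 'string',
+'enum': ['ClearCommandHistory'],
+'title': 'Clear Command History',
+'safe': false,
+'info': 'Attempts to clear the command history.'
+},
+{
+'type': 'string',
+'enum': ['ProcessListCollection'],
+'title': 'Process List Collector',
+'safe': true,
+'info': 'Collects a list of running processes on the machine.'
+}
+]
+
+
+}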
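Review bot: `safe`, `info`, `pluginDefs` and `attack_techniques` are not JSON Schema keywords, so a validator ignores them and only whatever UI code reads this object gives `'safe': false` on `SignedScriptProxyExecution` and `ClearCommandHistory` any effect; a header comment naming that consumer and stating what each of these keys means would help, because nothing in this file says so. The `pluginDefs` entries also omit the `'safe'` field that the previous default objects carried (`{'name': 'CommunicateAsBackdoorUser','safe': true, 'options': {}}`), so any code that read `.safe` from a selected PBA object must now take it from the matching `anyOf` entry — worth confirming against the callers. `attack_techniques` is set only on `ChangeSetuidSetgid`; if the other PBAs' techniques are mapped elsewhere, say so in the same comment.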