UI: Add custom PBAs and PBAs to the json schema

Remove data-url from the custom-pbas
Fix small things in the credential collectors
Ilija Lazoroski 2022-07-01 14:36:58 +02:00
parent 67aa7d95a3
commit 5a367181f9
4 changed files with 131 additions and 43 deletions


@ -3,6 +3,7 @@ import {pluginConfigurationSchema} from './definitions/plugins.js';
import {propagationConfigurationSchema} from './definitions/propagation.js';
import {bruteForceExploiters, vulnerabilityExploiters} from './definitions/exploiter_classes.js';
import {credentialCollectors} from './definitions/credential_collectors.js';
import {postBreachActions} from './definitions/post_breach_actions.js';
export const SCHEMA = {
'title': 'Monkey',
@ -10,26 +11,20 @@ export const SCHEMA = {
'definitions': {
'brute_force_classes': bruteForceExploiters,
'vulnerability_classes': vulnerabilityExploiters,
'credential_collectors_classes': credentialCollectors
'credential_collectors_classes': credentialCollectors,
'post_breach_actions': postBreachActions
},
'properties': {
'propagation': propagationConfigurationSchema,
'post_breach_actions': {
'title': 'Post-breach actions',
'type': 'object',
'properties': {
'pba_list': {
'title': 'PBAs',
'type': 'array',
'items': pluginConfigurationSchema,
'default': [
{'name': 'CommunicateAsBackdoorUser','safe': true, 'options': {}},
{'name': 'ModifyShellStartupFiles', 'safe': true, 'options': {}}
]
},
'custom_pbas': customPBAConfigurationSchema
'uniqueItems': true,
'items': {
'$ref': '#/definitions/post_breach_actions'
}
},
'custom_pbas': customPBAConfigurationSchema,
'payloads': {
'title': 'Payloads',
'type': 'array',
@ -39,9 +34,6 @@ export const SCHEMA = {
]
},
'credential_collectors': {
'title': 'Credential collectors',
'properties': {
'collectors': {
'title': 'Credential collectors',
'type': 'array',
'uniqueItems': true,
@ -52,8 +44,6 @@ export const SCHEMA = {
'MimikatzCollector',
'SSHCollector'
]
}
}
},
'advanced': {
'title': 'Advanced',
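Review bot: The rebuilt `post_breach_actions` property (the `'uniqueItems': true` / `'items': {'$ref': ...}` lines that replace the old `pba_list`) shows no `'default'` on its visible new side, whereas the old list defaulted to `CommunicateAsBackdoorUser` and `ModifyShellStartupFiles`; unless that default survives in context outside the hunk, a fresh configuration now starts with no PBAs selected, a behaviour change the commit message does not mention. The old default entries also carried `'safe': true` per item, and with the `$ref` the selection becomes a bare name, so whatever reads the `'safe'` flag presumably has to take it from the definition's `anyOf` entries now — worth confirming against that consumer. If dropping the default is not intended, a `'default': ['CommunicateAsBackdoorUser', 'ModifyShellStartupFiles'],` line next to `'uniqueItems': true` preserves the previous behaviour. The enclosing `SCHEMA` object continues outside the hunks.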


@ -1,6 +1,5 @@
export const customPBAConfigurationSchema = {
'title': 'Custom post-breach action',
'type': 'object',
'title': 'Custom PBA',
'properties': {
'linux_command': {
'title': 'Linux post-breach command',
@ -14,7 +13,6 @@ export const customPBAConfigurationSchema = {
'linux_filename': {
'title': 'Linux post-breach file',
'type': 'string',
'format': 'data-url',
'description': 'File to be uploaded after braeaching. ' +
'Use the "Linux post-breach command" field to ' +
'change permissions, run, or delete the file. ' +
@ -32,7 +30,6 @@ export const customPBAConfigurationSchema = {
'windows_filename':{
'title': 'Windows post-breach file',
'type': 'string',
'format': 'data-url',
'description': 'File to be uploaded after breaching. ' +
'Use the "Windows post-breach command" filed to ' +
'change permissions, run or delete the file. ' +
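Review bot: With `'format': 'data-url'` removed from both `linux_filename` and `windows_filename`, the fields become plain string inputs, yet the unchanged descriptions that follow still tell the user the field is a "File to be uploaded after breaching", which no longer matches a text box; the description should state what the string is now expected to hold and, if the file content is delivered some other way, where that is configured. Two typos in the adjacent context lines could be fixed in the same pass: `braeaching` in the Linux description and `filed` in the Windows one. The `customPBAConfigurationSchema` object these hunks belong to opens in the first hunk and closes outside the visible hunks.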


@ -11,13 +11,7 @@ export const exploitationConfigurationSchema = {
'uniqueItems': true,
'items': {
'$ref': '#/definitions/brute_force_classes'
},
'default': [
'SmbExploiter',
'WmiExploiter',
'SSHExploiter',
'MSSQLExploiter'
]
}
},
'vulnerability': {
'title': 'Vulnerability Exploiters',
@ -25,11 +19,7 @@ export const exploitationConfigurationSchema = {
'uniqueItems': true,
'items': {
'$ref': '#/definitions/vulnerability_classes'
},
'default': [
'Log4ShellExploiter',
'HadoopExploiter'
]
}
},
'options': exploitationOptionsConfigurationSchema
}
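Review bot: Both exploiter lists lose their `'default'` arrays (`SmbExploiter`/`WmiExploiter`/`SSHExploiter`/`MSSQLExploiter` and `Log4ShellExploiter`/`HadoopExploiter`) although neither the commit title nor its description mentions exploiters; unless defaults are now supplied by the referenced definitions or by the server, a fresh configuration will start with no exploiters enabled. If that is deliberate, the commit description should say so; if not, the removed lines should be restored. As a minor style point, with `'default'` gone the `},` after each `'items'` block now leaves a trailing comma before the closing `}` — legal in JS, but tidier as `}`. The enclosing `exploitationConfigurationSchema` object starts outside these hunks.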


@ -0,0 +1,111 @@
export const postBreachActions = {
'title': 'Post-Breach Actions',
'description': 'Runs scripts/commands on infected machines. These actions safely simulate what ' +
'an adversary might do after breaching a new machine. Used in ATT&CK and Zero trust reports.',
'type': 'string',
'pluginDefs': {
'CommunicateAsBackdoorUser':{'name': 'CommunicateAsBackdoorUser', 'options':{}},
'ModifyShellStartupFiles':{'name': 'ModifyShellStartupFiles', 'options':{}},
'HiddenFiles':{'name': 'HiddenFiles', 'options':{}},
'TrapCommand':{'name': 'TrapCommand', 'options':{}},
'ChangeSetuidSetgid':{'name': 'ChangeSetuidSetgid', 'options':{}},
'ScheduleJobs':{'name': 'ScheduleJobs', 'options':{}},
'Timestomping':{'name': 'Timestomping', 'options':{}},
'SignedScriptProxyExecution':{'name': 'SignedScriptProxyExecution', 'options':{}},
'AccountDiscovery':{'name': 'AccountDiscovery', 'options':{}},
'ClearCommandHistory':{'name': 'ClearCommandHistory', 'options':{}},
'ProcessListCollection':{'name': 'ProcessListCollection', 'options':{}}
},
'anyOf': [
{
'type': 'string',
'enum': ['CommunicateAsBackdoorUser'],
'title': 'Communicate as Backdoor User',
'safe': true,
'info': 'Attempts to create a new user, create HTTPS requests as that ' +
'user and delete the user ' +
'afterwards.'
},
{
'type': 'string',
'enum': ['ModifyShellStartupFiles'],
'title': 'Modify Shell Startup Files',
'safe': true,
'info': 'Attempts to modify shell startup files, like ~/.profile, ' +
'~/.bashrc, ~/.bash_profile ' +
'in linux, and profile.ps1 in windows. Reverts modifications done' +
' afterwards.'
},
{
'type': 'string',
'enum': ['HiddenFiles'],
'title': 'Hidden Files and Directories',
'safe': true,
'info': 'Attempts to create a hidden file and remove it afterward.'
},
{
'type': 'string',
'enum': ['TrapCommand'],
'title': 'Trap Command',
'safe': true,
'info': 'On Linux systems, attempts to trap a terminate signal in order ' +
'to execute a command upon receiving that signal. Removes the trap afterwards.'
},
{
'type': 'string',
'enum': ['ChangeSetuidSetgid'],
'title': 'Setuid and Setgid',
'safe': true,
'info': 'On Linux systems, attempts to set the setuid and setgid bits of ' +
'a new file. ' +
'Removes the file afterwards.',
'attack_techniques': ['T1166']
},
{
'type': 'string',
'enum': ['ScheduleJobs'],
'title': 'Job Scheduling',
'safe': true,
'info': 'Attempts to create a scheduled job on the system and remove it.'
},
{
'type': 'string',
'enum': ['Timestomping'],
'title': 'Timestomping',
'safe': true,
'info': 'Creates a temporary file and attempts to modify its time ' +
'attributes. Removes the file afterwards.'
},
{
'type': 'string',
'enum': ['SignedScriptProxyExecution'],
'title': 'Signed Script Proxy Execution',
'safe': false,
'info': 'On Windows systems, attempts to execute an arbitrary file ' +
'with the help of a pre-existing signed script.'
},
{
'type': 'string',
'enum': ['AccountDiscovery'],
'title': 'Account Discovery',
'safe': true,
'info': 'Attempts to get a listing of user accounts on the system.'
},
{
'type': 'string',
'enum': ['ClearCommandHistory'],
'title': 'Clear Command History',
'safe': false,
'info': 'Attempts to clear the command history.'
},
{
'type': 'string',
'enum': ['ProcessListCollection'],
'title': 'Process List Collector',
'safe': true,
'info': 'Collects a list of running processes on the machine.'
}
]
}