UI: Add custom PBAs and PBAs to the json schema
Remove data-url from the custom-pbas. Fix small things in the credential collectors
This commit is contained in:
parent
67aa7d95a3
commit
5a367181f9
@ -3,6 +3,7 @@ import {pluginConfigurationSchema} from './definitions/plugins.js';
import {propagationConfigurationSchema} from './definitions/propagation.js';
|
||||
import {bruteForceExploiters, vulnerabilityExploiters} from './definitions/exploiter_classes.js';
|
||||
import {credentialCollectors} from './definitions/credential_collectors.js';
|
||||
import {postBreachActions} from './definitions/post_breach_actions.js';
|
||||
|
||||
export const SCHEMA = {
|
||||
'title': 'Monkey',
|
||||
|
@ -10,26 +11,20 @@ export const SCHEMA = {
'definitions': {
|
||||
'brute_force_classes': bruteForceExploiters,
|
||||
'vulnerability_classes': vulnerabilityExploiters,
|
||||
'credential_collectors_classes': credentialCollectors
|
||||
'credential_collectors_classes': credentialCollectors,
|
||||
'post_breach_actions': postBreachActions
|
||||
},
|
||||
'properties': {
|
||||
'propagation': propagationConfigurationSchema,
|
||||
'post_breach_actions': {
|
||||
'title': 'Post-breach actions',
|
||||
'type': 'object',
|
||||
'properties': {
|
||||
'pba_list': {
|
||||
'title': 'PBAs',
|
||||
'type': 'array',
|
||||
'items': pluginConfigurationSchema,
|
||||
'default': [
|
||||
{'name': 'CommunicateAsBackdoorUser','safe': true, 'options': {}},
|
||||
{'name': 'ModifyShellStartupFiles', 'safe': true, 'options': {}}
|
||||
]
|
||||
},
|
||||
'custom_pbas': customPBAConfigurationSchema
|
||||
'type': 'array',
|
||||
'uniqueItems': true,
|
||||
'items': {
|
||||
'$ref': '#/definitions/post_breach_actions'
|
||||
}
|
||||
},
|
||||
'custom_pbas': customPBAConfigurationSchema,
|
||||
'payloads': {
|
||||
'title': 'Payloads',
|
||||
'type': 'array',
|
||||
|
@ -40,20 +35,15 @@ export const SCHEMA = {
},
|
||||
'credential_collectors': {
|
||||
'title': 'Credential collectors',
|
||||
'properties': {
|
||||
'collectors': {
|
||||
'title': 'Credential collectors',
|
||||
'type': 'array',
|
||||
'uniqueItems': true,
|
||||
'items': {
|
||||
'$ref': '#/definitions/credential_collectors_classes'
|
||||
},
|
||||
'default': [
|
||||
'MimikatzCollector',
|
||||
'SSHCollector'
|
||||
]
|
||||
}
|
||||
}
|
||||
'type': 'array',
|
||||
'uniqueItems': true,
|
||||
'items': {
|
||||
'$ref': '#/definitions/credential_collectors_classes'
|
||||
},
|
||||
'default': [
|
||||
'MimikatzCollector',
|
||||
'SSHCollector'
|
||||
]
|
||||
},
|
||||
'advanced': {
|
||||
'title': 'Advanced',
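Review bot: The new `pba_list` in the `@ -10,26 +11,20 @@` hunk carries no `default`, while the removed version defaulted to `CommunicateAsBackdoorUser` and `ModifyShellStartupFiles`, so the form will start with no post-breach actions selected unless a default is supplied elsewhere. The flattened `credential_collectors` array in the next hunk keeps its `default`, so for consistency add `'default': ['CommunicateAsBackdoorUser', 'ModifyShellStartupFiles']` after the `items` entry; the `safe` flag that used to sit on the default objects now comes from the `anyOf` entries in `postBreachActions`, so a plain list of names is enough. Separately, `pluginConfigurationSchema` is still imported in the `@ -3,6 +3,7 @@` hunk but its only visible use (`'items': pluginConfigurationSchema`) is removed; if nothing else in the file references it, drop the import.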
@ -1,6 +1,5 @@
export const customPBAConfigurationSchema = {
|
||||
'title': 'Custom post-breach action',
|
||||
'type': 'object',
|
||||
'title': 'Custom PBA',
|
||||
'properties': {
|
||||
'linux_command': {
|
||||
'title': 'Linux post-breach command',
|
||||
|
@ -14,7 +13,6 @@ export const customPBAConfigurationSchema = {
'linux_filename': {
|
||||
'title': 'Linux post-breach file',
|
||||
'type': 'string',
|
||||
'format': 'data-url',
|
||||
'description': 'File to be uploaded after braeaching. ' +
|
||||
'Use the "Linux post-breach command" field to ' +
|
||||
'change permissions, run, or delete the file. ' +
|
||||
|
@ -32,7 +30,6 @@ export const customPBAConfigurationSchema = {
'windows_filename':{
|
||||
'title': 'Windows post-breach file',
|
||||
'type': 'string',
|
||||
'format': 'data-url',
|
||||
'description': 'File to be uploaded after breaching. ' +
|
||||
'Use the "Windows post-breach command" filed to ' +
|
||||
'change permissions, run or delete the file. ' +
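Review bot: With `'format': 'data-url'` removed from `linux_filename` and `windows_filename` (hunks `@ -14,7 +13,6 @@` and `@ -32,7 +30,6 @@`), both fields are plain strings, yet the descriptions kept as context still read "File to be uploaded after braeaching" and 'Use the "Windows post-breach command" filed to', so the UI text promises an upload the field no longer offers. Either reword the descriptions to say what the string now holds (presumably a file name on the target — confirm against the backend consumer) or keep the upload format, and fix the typos `braeaching` → `breaching` and `filed` → `field` while there. The first hunk's counts (-6/+5) also suggest `'type': 'object'` was dropped together with the title change to 'Custom PBA'; `properties` is still applied without it, but form generators generally need `'type': 'object'` to render the sub-form, so keep that line unless the removal was deliberate.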
@ -11,13 +11,7 @@ export const exploitationConfigurationSchema = {
'uniqueItems': true,
|
||||
'items': {
|
||||
'$ref': '#/definitions/brute_force_classes'
|
||||
},
|
||||
'default': [
|
||||
'SmbExploiter',
|
||||
'WmiExploiter',
|
||||
'SSHExploiter',
|
||||
'MSSQLExploiter'
|
||||
]
|
||||
}
|
||||
},
|
||||
'vulnerability': {
|
||||
'title': 'Vulnerability Exploiters',
|
||||
|
@ -25,11 +19,7 @@ export const exploitationConfigurationSchema = {
'uniqueItems': true,
|
||||
'items': {
|
||||
'$ref': '#/definitions/vulnerability_classes'
|
||||
},
|
||||
'default': [
|
||||
'Log4ShellExploiter',
|
||||
'HadoopExploiter'
|
||||
]
|
||||
}
|
||||
},
|
||||
'options': exploitationOptionsConfigurationSchema
|
||||
}
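Review bot: Both hunks in `exploitationConfigurationSchema` (`@ -11,13 +11,7 @@` and `@ -25,11 +19,7 @@`) appear to drop the `default` lists of the brute-force and vulnerability exploiters (`SmbExploiter`, `WmiExploiter`, `SSHExploiter`, `MSSQLExploiter` and `Log4ShellExploiter`, `HadoopExploiter`), which neither the commit title nor its description mentions. If this is intentional, say so in the commit message, since a configuration that previously enabled these exploiters out of the box now enables none until the operator selects them; if it is not, restore the two `'default': [...]` arrays after the `items` entries. If the defaults are indeed gone, the `},` that closes `items` becomes a trailing comma before the closing `}` — valid JavaScript, but the surrounding schema objects in this file do not use trailing commas, so drop it for consistency.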
@ -0,0 +1,111 @@
export const postBreachActions = {
|
||||
'title': 'Post-Breach Actions',
|
||||
'description': 'Runs scripts/commands on infected machines. These actions safely simulate what ' +
|
||||
'an adversary might do after breaching a new machine. Used in ATT&CK and Zero trust reports.',
|
||||
'type': 'string',
|
||||
'pluginDefs': {
|
||||
'CommunicateAsBackdoorUser':{'name': 'CommunicateAsBackdoorUser', 'options':{}},
|
||||
'ModifyShellStartupFiles':{'name': 'ModifyShellStartupFiles', 'options':{}},
|
||||
'HiddenFiles':{'name': 'HiddenFiles', 'options':{}},
|
||||
'TrapCommand':{'name': 'TrapCommand', 'options':{}},
|
||||
'ChangeSetuidSetgid':{'name': 'ChangeSetuidSetgid', 'options':{}},
|
||||
'ScheduleJobs':{'name': 'ScheduleJobs', 'options':{}},
|
||||
'Timestomping':{'name': 'Timestomping', 'options':{}},
|
||||
'SignedScriptProxyExecution':{'name': 'SignedScriptProxyExecution', 'options':{}},
|
||||
'AccountDiscovery':{'name': 'AccountDiscovery', 'options':{}},
|
||||
'ClearCommandHistory':{'name': 'ClearCommandHistory', 'options':{}},
|
||||
'ProcessListCollection':{'name': 'ProcessListCollection', 'options':{}}
|
||||
},
|
||||
'anyOf': [
|
||||
{
|
||||
'type': 'string',
|
||||
'enum': ['CommunicateAsBackdoorUser'],
|
||||
'title': 'Communicate as Backdoor User',
|
||||
'safe': true,
|
||||
'info': 'Attempts to create a new user, create HTTPS requests as that ' +
|
||||
'user and delete the user ' +
|
||||
'afterwards.'
|
||||
},
|
||||
{
|
||||
'type': 'string',
|
||||
'enum': ['ModifyShellStartupFiles'],
|
||||
'title': 'Modify Shell Startup Files',
|
||||
'safe': true,
|
||||
'info': 'Attempts to modify shell startup files, like ~/.profile, ' +
|
||||
'~/.bashrc, ~/.bash_profile ' +
|
||||
'in linux, and profile.ps1 in windows. Reverts modifications done' +
|
||||
' afterwards.'
|
||||
},
|
||||
{
|
||||
'type': 'string',
|
||||
'enum': ['HiddenFiles'],
|
||||
'title': 'Hidden Files and Directories',
|
||||
'safe': true,
|
||||
'info': 'Attempts to create a hidden file and remove it afterward.'
|
||||
},
|
||||
{
|
||||
'type': 'string',
|
||||
'enum': ['TrapCommand'],
|
||||
'title': 'Trap Command',
|
||||
'safe': true,
|
||||
'info': 'On Linux systems, attempts to trap a terminate signal in order ' +
|
||||
'to execute a command upon receiving that signal. Removes the trap afterwards.'
|
||||
},
|
||||
{
|
||||
'type': 'string',
|
||||
'enum': ['ChangeSetuidSetgid'],
|
||||
'title': 'Setuid and Setgid',
|
||||
'safe': true,
|
||||
'info': 'On Linux systems, attempts to set the setuid and setgid bits of ' +
|
||||
'a new file. ' +
|
||||
'Removes the file afterwards.',
|
||||
'attack_techniques': ['T1166']
|
||||
},
|
||||
{
|
||||
'type': 'string',
|
||||
'enum': ['ScheduleJobs'],
|
||||
'title': 'Job Scheduling',
|
||||
'safe': true,
|
||||
'info': 'Attempts to create a scheduled job on the system and remove it.'
|
||||
},
|
||||
{
|
||||
'type': 'string',
|
||||
'enum': ['Timestomping'],
|
||||
'title': 'Timestomping',
|
||||
'safe': true,
|
||||
'info': 'Creates a temporary file and attempts to modify its time ' +
|
||||
'attributes. Removes the file afterwards.'
|
||||
},
|
||||
{
|
||||
'type': 'string',
|
||||
'enum': ['SignedScriptProxyExecution'],
|
||||
'title': 'Signed Script Proxy Execution',
|
||||
'safe': false,
|
||||
'info': 'On Windows systems, attempts to execute an arbitrary file ' +
|
||||
'with the help of a pre-existing signed script.'
|
||||
},
|
||||
{
|
||||
'type': 'string',
|
||||
'enum': ['AccountDiscovery'],
|
||||
'title': 'Account Discovery',
|
||||
'safe': true,
|
||||
'info': 'Attempts to get a listing of user accounts on the system.'
|
||||
},
|
||||
{
|
||||
'type': 'string',
|
||||
'enum': ['ClearCommandHistory'],
|
||||
'title': 'Clear Command History',
|
||||
'safe': false,
|
||||
'info': 'Attempts to clear the command history.'
|
||||
},
|
||||
{
|
||||
'type': 'string',
|
||||
'enum': ['ProcessListCollection'],
|
||||
'title': 'Process List Collector',
|
||||
'safe': true,
|
||||
'info': 'Collects a list of running processes on the machine.'
|
||||
}
|
||||
]
|
||||
|
||||
|
||||
}
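Review bot: Only the `ChangeSetuidSetgid` entry in `anyOf` carries `'attack_techniques': ['T1166']`, while the description at the top says these actions feed the ATT&CK report and the other ten entries declare no technique at all; either every entry should list its techniques or this field is not read from the schema and the one occurrence is vestigial — check against the consumer rather than ship one stray attribute. The eleven names are spelled twice, as keys and `name` values in `pluginDefs` and again as single-value `enum` lists, so a rename in one place silently desynchronises the other; deriving `pluginDefs` from the entries (e.g. `Object.fromEntries(entries.map((e) => [e.enum[0], { name: e.enum[0], options: {} }]))`) or a comment above `pluginDefs` such as `// Keep in step with the enum values in anyOf below` would prevent that. The top-level `'type': 'string'` is repeated by every `anyOf` branch, which is harmless but redundant. For the two entries marked `'safe': false` (`SignedScriptProxyExecution`, `ClearCommandHistory`) the `info` text, unlike that of the safe entries, does not say whether the change is reverted; stating the residual effect there helps operators decide what to enable.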