p34709852
/
monkey
forked from p15670423/monkey
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Merge branch '2269-add-attack-technique-tags' into develop 

PR #2394
This commit is contained in:
Mike Salvatore 2022-10-05 08:25:51 -04:00
parent 82217b4094 63f869d296
commit 73a8c14397
7 changed files with 66 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
monkey/common/tags/__init__.py Normal file
View File

@ -0,0 +1,13 @@
from .attack import (
T1003_ATTACK_TECHNIQUE_TAG,
T1005_ATTACK_TECHNIQUE_TAG,
T1021_ATTACK_TECHNIQUE_TAG,
T1098_ATTACK_TECHNIQUE_TAG,
T1105_ATTACK_TECHNIQUE_TAG,
T1110_ATTACK_TECHNIQUE_TAG,
T1145_ATTACK_TECHNIQUE_TAG,
T1203_ATTACK_TECHNIQUE_TAG,
T1210_ATTACK_TECHNIQUE_TAG,
T1222_ATTACK_TECHNIQUE_TAG,
T1570_ATTACK_TECHNIQUE_TAG,
)

11
monkey/common/tags/attack.py Normal file
View File

@ -0,0 +1,11 @@
T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005"
T1021_ATTACK_TECHNIQUE_TAG = "attack-t1021"
T1098_ATTACK_TECHNIQUE_TAG = "attack-t1098"
T1105_ATTACK_TECHNIQUE_TAG = "attack-t1105"
T1110_ATTACK_TECHNIQUE_TAG = "attack-t1110"
T1145_ATTACK_TECHNIQUE_TAG = "attack-t1145"
T1203_ATTACK_TECHNIQUE_TAG = "attack-t1203"
T1210_ATTACK_TECHNIQUE_TAG = "attack-t1210"
T1222_ATTACK_TECHNIQUE_TAG = "attack-t1222"
T1570_ATTACK_TECHNIQUE_TAG = "attack-t1570"

9
monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py
View File

@ -4,6 +4,7 @@ from typing import Sequence
from common.agent_events import CredentialsStolenEvent from common.agent_events import CredentialsStolenEvent
from common.credentials import Credentials, LMHash, NTHash, Password, Username from common.credentials import Credentials, LMHash, NTHash, Password, Username
from common.event_queue import IAgentEventQueue from common.event_queue import IAgentEventQueue
from common.tags import T1003_ATTACK_TECHNIQUE_TAG, T1005_ATTACK_TECHNIQUE_TAG
from infection_monkey.i_puppet import ICredentialCollector from infection_monkey.i_puppet import ICredentialCollector
from infection_monkey.model import USERNAME_PREFIX from infection_monkey.model import USERNAME_PREFIX
from infection_monkey.utils.ids import get_agent_id from infection_monkey.utils.ids import get_agent_id
@ -15,8 +16,6 @@ logger = logging.getLogger(__name__)
MIMIKATZ_CREDENTIAL_COLLECTOR_TAG = "mimikatz-credentials-collector" MIMIKATZ_CREDENTIAL_COLLECTOR_TAG = "mimikatz-credentials-collector"
T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005"
MIMIKATZ_EVENT_TAGS = frozenset( MIMIKATZ_EVENT_TAGS = frozenset(
( (
@ -28,8 +27,8 @@ MIMIKATZ_EVENT_TAGS = frozenset(
class MimikatzCredentialCollector(ICredentialCollector): class MimikatzCredentialCollector(ICredentialCollector):
def __init__(self, event_queue: IAgentEventQueue): def __init__(self, agent_event_queue: IAgentEventQueue):
self._event_queue = event_queue self._agent_event_queue = agent_event_queue
def collect_credentials(self, options=None) -> Sequence[Credentials]: def collect_credentials(self, options=None) -> Sequence[Credentials]:
logger.info("Attempting to collect windows credentials with pypykatz.") logger.info("Attempting to collect windows credentials with pypykatz.")
@ -82,4 +81,4 @@ class MimikatzCredentialCollector(ICredentialCollector):
stolen_credentials=collected_credentials, stolen_credentials=collected_credentials,
) )
self._event_queue.publish(credentials_stolen_event) self._agent_event_queue.publish(credentials_stolen_event)

8
monkey/infection_monkey/credential_collectors/ssh_collector/ssh_credential_collector.py
View File

@ -15,13 +15,15 @@ class SSHCredentialCollector(ICredentialCollector):
SSH keys credential collector SSH keys credential collector
""" """
def __init__(self, telemetry_messenger: ITelemetryMessenger, event_queue: IAgentEventQueue): def __init__(
self, telemetry_messenger: ITelemetryMessenger, agent_event_queue: IAgentEventQueue
):
self._telemetry_messenger = telemetry_messenger self._telemetry_messenger = telemetry_messenger
self._event_queue = event_queue self._agent_event_queue = agent_event_queue
def collect_credentials(self, _options=None) -> Sequence[Credentials]: def collect_credentials(self, _options=None) -> Sequence[Credentials]:
logger.info("Started scanning for SSH credentials") logger.info("Started scanning for SSH credentials")
ssh_info = ssh_handler.get_ssh_info(self._telemetry_messenger, self._event_queue) ssh_info = ssh_handler.get_ssh_info(self._telemetry_messenger, self._agent_event_queue)
logger.info("Finished scanning for SSH credentials") logger.info("Finished scanning for SSH credentials")
return ssh_handler.to_credentials(ssh_info) return ssh_handler.to_credentials(ssh_info)

20
monkey/infection_monkey/credential_collectors/ssh_collector/ssh_handler.py
View File

@ -6,6 +6,11 @@ from typing import Dict, Iterable, Sequence
from common.agent_events import CredentialsStolenEvent from common.agent_events import CredentialsStolenEvent
from common.credentials import Credentials, SSHKeypair, Username from common.credentials import Credentials, SSHKeypair, Username
from common.event_queue import IAgentEventQueue from common.event_queue import IAgentEventQueue
from common.tags import (
T1003_ATTACK_TECHNIQUE_TAG,
T1005_ATTACK_TECHNIQUE_TAG,
T1145_ATTACK_TECHNIQUE_TAG,
)
from common.utils.attack_utils import ScanStatus from common.utils.attack_utils import ScanStatus
from infection_monkey.telemetry.attack.t1005_telem import T1005Telem from infection_monkey.telemetry.attack.t1005_telem import T1005Telem
from infection_monkey.telemetry.attack.t1145_telem import T1145Telem from infection_monkey.telemetry.attack.t1145_telem import T1145Telem
@ -17,9 +22,6 @@ logger = logging.getLogger(__name__)
DEFAULT_DIRS = ["/.ssh/", "/"] DEFAULT_DIRS = ["/.ssh/", "/"]
SSH_CREDENTIAL_COLLECTOR_TAG = "ssh-credentials-collector" SSH_CREDENTIAL_COLLECTOR_TAG = "ssh-credentials-collector"
T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005"
T1145_ATTACK_TECHNIQUE_TAG = "attack-t1145"
SSH_COLLECTOR_EVENT_TAGS = frozenset( SSH_COLLECTOR_EVENT_TAGS = frozenset(
( (
@ -32,7 +34,7 @@ SSH_COLLECTOR_EVENT_TAGS = frozenset(
def get_ssh_info( def get_ssh_info(
telemetry_messenger: ITelemetryMessenger, event_queue: IAgentEventQueue telemetry_messenger: ITelemetryMessenger, agent_event_queue: IAgentEventQueue
) -> Iterable[Dict]: ) -> Iterable[Dict]:
# TODO: Remove this check when this is turned into a plugin. # TODO: Remove this check when this is turned into a plugin.
if is_windows_os(): if is_windows_os():
@ -42,7 +44,7 @@ def get_ssh_info(
return [] return []
home_dirs = _get_home_dirs() home_dirs = _get_home_dirs()
ssh_info = _get_ssh_files(home_dirs, telemetry_messenger, event_queue) ssh_info = _get_ssh_files(home_dirs, telemetry_messenger, agent_event_queue)
return ssh_info return ssh_info
@ -83,7 +85,7 @@ def _get_ssh_struct(name: str, home_dir: str) -> Dict:
def _get_ssh_files( def _get_ssh_files(
user_info: Iterable[Dict], user_info: Iterable[Dict],
telemetry_messenger: ITelemetryMessenger, telemetry_messenger: ITelemetryMessenger,
event_queue: IAgentEventQueue, agent_event_queue: IAgentEventQueue,
) -> Iterable[Dict]: ) -> Iterable[Dict]:
for info in user_info: for info in user_info:
path = info["home_dir"] path = info["home_dir"]
@ -125,7 +127,7 @@ def _get_ssh_files(
collected_credentials = to_credentials([info]) collected_credentials = to_credentials([info])
_publish_credentials_stolen_event( _publish_credentials_stolen_event(
collected_credentials, event_queue collected_credentials, agent_event_queue
) )
else: else:
continue continue
@ -170,7 +172,7 @@ def to_credentials(ssh_info: Iterable[Dict]) -> Sequence[Credentials]:
def _publish_credentials_stolen_event( def _publish_credentials_stolen_event(
collected_credentials: Credentials, event_queue: IAgentEventQueue collected_credentials: Sequence[Credentials], agent_event_queue: IAgentEventQueue
): ):
credentials_stolen_event = CredentialsStolenEvent( credentials_stolen_event = CredentialsStolenEvent(
source=get_agent_id(), source=get_agent_id(),
@ -178,4 +180,4 @@ def _publish_credentials_stolen_event(
stolen_credentials=collected_credentials, stolen_credentials=collected_credentials,
) )
event_queue.publish(credentials_stolen_event) agent_event_queue.publish(credentials_stolen_event)

6
monkey/infection_monkey/exploit/zerologon.py
View File

@ -18,6 +18,7 @@ from impacket.dcerpc.v5.dtypes import NULL
from common.agent_events import CredentialsStolenEvent from common.agent_events import CredentialsStolenEvent
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
from common.credentials import Credentials, LMHash, NTHash, Username from common.credentials import Credentials, LMHash, NTHash, Username
from common.tags import T1003_ATTACK_TECHNIQUE_TAG, T1098_ATTACK_TECHNIQUE_TAG
from infection_monkey.exploit.HostExploiter import HostExploiter from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.tools.wmi_tools import WmiTools from infection_monkey.exploit.tools.wmi_tools import WmiTools
from infection_monkey.exploit.zerologon_utils.dump_secrets import DumpSecrets from infection_monkey.exploit.zerologon_utils.dump_secrets import DumpSecrets
@ -32,9 +33,6 @@ from infection_monkey.utils.threading import interruptible_iter
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
ZEROLOGON_EXPLOITER_TAG = "zerologon-exploiter" ZEROLOGON_EXPLOITER_TAG = "zerologon-exploiter"
T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
T1098_ATTACK_TECHNIQUE_TAG = "attack-t1098"
ZEROLOGON_EVENT_TAGS = frozenset( ZEROLOGON_EVENT_TAGS = frozenset(
{ {
@ -315,7 +313,7 @@ class ZerologonExploiter(HostExploiter):
tags=ZEROLOGON_EVENT_TAGS, tags=ZEROLOGON_EVENT_TAGS,
stolen_credentials=extracted_credentials, stolen_credentials=extracted_credentials,
) )
self.event_queue.publish(credentials_stolen_event) self.agent_event_queue.publish(credentials_stolen_event)
def get_original_pwd_nthash(self, username: str, user_pwd_hashes: List[str]) -> Optional[str]: def get_original_pwd_nthash(self, username: str, user_pwd_hashes: List[str]) -> Optional[str]:
if not self.save_HKLM_keys_locally(username, user_pwd_hashes): if not self.save_HKLM_keys_locally(username, user_pwd_hashes):

25
vulture_allowlist.py
View File

@ -9,11 +9,17 @@ from common.agent_configuration.agent_sub_configurations import (
) )
from common.agent_events import ExploitationEvent, PingScanEvent, PropagationEvent, TCPScanEvent from common.agent_events import ExploitationEvent, PingScanEvent, PropagationEvent, TCPScanEvent
from common.credentials import Credentials, LMHash, NTHash from common.credentials import Credentials, LMHash, NTHash
from infection_monkey.exploit.HostExploiter.HostExploiter import ( from common.tags import (
_publish_exploitation_event, T1021_ATTACK_TECHNIQUE_TAG,
_publish_propagation_event, T1105_ATTACK_TECHNIQUE_TAG,
T1110_ATTACK_TECHNIQUE_TAG,
T1203_ATTACK_TECHNIQUE_TAG,
T1210_ATTACK_TECHNIQUE_TAG,
T1222_ATTACK_TECHNIQUE_TAG,
T1570_ATTACK_TECHNIQUE_TAG,
) )
from common.types import NetworkPort, NetworkService from common.types import NetworkPort, NetworkService
from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.log4shell_utils.ldap_server import LDAPServerFactory from infection_monkey.exploit.log4shell_utils.ldap_server import LDAPServerFactory
from monkey_island.cc.models import Machine, Node, Report from monkey_island.cc.models import Machine, Node, Report
from monkey_island.cc.models.networkmap import Arc, NetworkMap from monkey_island.cc.models.networkmap import Arc, NetworkMap
@ -319,8 +325,17 @@ TCPScanEvent
TCPScanEvent.port_status TCPScanEvent.port_status
# TODO: Remove once #2269 is close # TODO: Remove once #2269 is close
_publish_exploitation_event, PropagationEvent
_publish_propagation_event, ExploitationEvent
T1021_ATTACK_TECHNIQUE_TAG
T1105_ATTACK_TECHNIQUE_TAG
T1110_ATTACK_TECHNIQUE_TAG
T1203_ATTACK_TECHNIQUE_TAG
T1210_ATTACK_TECHNIQUE_TAG
T1222_ATTACK_TECHNIQUE_TAG
T1570_ATTACK_TECHNIQUE_TAG
HostExploiter._publish_propagation_event
HostExploiter._publish_exploitation_event
# pydantic base models # pydantic base models
underscore_attrs_are_private underscore_attrs_are_private