Merge branch '2269-add-attack-technique-tags' into develop

PR #2394

monkey/common/tags/__init__.py

@@ -0,0 +1,13 @@
+from .attack import (
+    T1003_ATTACK_TECHNIQUE_TAG,
+    T1005_ATTACK_TECHNIQUE_TAG,
+    T1021_ATTACK_TECHNIQUE_TAG,
+    T1098_ATTACK_TECHNIQUE_TAG,
+    T1105_ATTACK_TECHNIQUE_TAG,
+    T1110_ATTACK_TECHNIQUE_TAG,
+    T1145_ATTACK_TECHNIQUE_TAG,
+    T1203_ATTACK_TECHNIQUE_TAG,
+    T1210_ATTACK_TECHNIQUE_TAG,
+    T1222_ATTACK_TECHNIQUE_TAG,
+    T1570_ATTACK_TECHNIQUE_TAG,
+)

monkey/common/tags/attack.py

@@ -0,0 +1,11 @@
+T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
+T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005"
+T1021_ATTACK_TECHNIQUE_TAG = "attack-t1021"
+T1098_ATTACK_TECHNIQUE_TAG = "attack-t1098"
+T1105_ATTACK_TECHNIQUE_TAG = "attack-t1105"
+T1110_ATTACK_TECHNIQUE_TAG = "attack-t1110"
+T1145_ATTACK_TECHNIQUE_TAG = "attack-t1145"
+T1203_ATTACK_TECHNIQUE_TAG = "attack-t1203"
+T1210_ATTACK_TECHNIQUE_TAG = "attack-t1210"
+T1222_ATTACK_TECHNIQUE_TAG = "attack-t1222"
+T1570_ATTACK_TECHNIQUE_TAG = "attack-t1570"

monkey/infection_monkey/credential_collectors/mimikatz_collector/mimikatz_credential_collector.py

@@ -4,6 +4,7 @@ from typing import Sequence
 from common.agent_events import CredentialsStolenEvent
 from common.credentials import Credentials, LMHash, NTHash, Password, Username
 from common.event_queue import IAgentEventQueue
+from common.tags import T1003_ATTACK_TECHNIQUE_TAG, T1005_ATTACK_TECHNIQUE_TAG
 from infection_monkey.i_puppet import ICredentialCollector
 from infection_monkey.model import USERNAME_PREFIX
 from infection_monkey.utils.ids import get_agent_id
@@ -15,8 +16,6 @@ logger = logging.getLogger(__name__)
 
 
 MIMIKATZ_CREDENTIAL_COLLECTOR_TAG = "mimikatz-credentials-collector"
-T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
-T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005"
 
 MIMIKATZ_EVENT_TAGS = frozenset(
     (
@@ -28,8 +27,8 @@ MIMIKATZ_EVENT_TAGS = frozenset(
 
 
 class MimikatzCredentialCollector(ICredentialCollector):
-    def __init__(self, event_queue: IAgentEventQueue):
-        self._event_queue = event_queue
+    def __init__(self, agent_event_queue: IAgentEventQueue):
+        self._agent_event_queue = agent_event_queue
 
     def collect_credentials(self, options=None) -> Sequence[Credentials]:
         logger.info("Attempting to collect windows credentials with pypykatz.")
@@ -82,4 +81,4 @@ class MimikatzCredentialCollector(ICredentialCollector):
             stolen_credentials=collected_credentials,
         )
 
-        self._event_queue.publish(credentials_stolen_event)
+        self._agent_event_queue.publish(credentials_stolen_event)

monkey/infection_monkey/credential_collectors/ssh_collector/ssh_credential_collector.py

@@ -15,13 +15,15 @@ class SSHCredentialCollector(ICredentialCollector):
     SSH keys credential collector
     """
 
-    def __init__(self, telemetry_messenger: ITelemetryMessenger, event_queue: IAgentEventQueue):
+    def __init__(
+        self, telemetry_messenger: ITelemetryMessenger, agent_event_queue: IAgentEventQueue
+    ):
         self._telemetry_messenger = telemetry_messenger
-        self._event_queue = event_queue
+        self._agent_event_queue = agent_event_queue
 
     def collect_credentials(self, _options=None) -> Sequence[Credentials]:
         logger.info("Started scanning for SSH credentials")
-        ssh_info = ssh_handler.get_ssh_info(self._telemetry_messenger, self._event_queue)
+        ssh_info = ssh_handler.get_ssh_info(self._telemetry_messenger, self._agent_event_queue)
         logger.info("Finished scanning for SSH credentials")
 
         return ssh_handler.to_credentials(ssh_info)

monkey/infection_monkey/credential_collectors/ssh_collector/ssh_handler.py

@@ -6,6 +6,11 @@ from typing import Dict, Iterable, Sequence
 from common.agent_events import CredentialsStolenEvent
 from common.credentials import Credentials, SSHKeypair, Username
 from common.event_queue import IAgentEventQueue
+from common.tags import (
+    T1003_ATTACK_TECHNIQUE_TAG,
+    T1005_ATTACK_TECHNIQUE_TAG,
+    T1145_ATTACK_TECHNIQUE_TAG,
+)
 from common.utils.attack_utils import ScanStatus
 from infection_monkey.telemetry.attack.t1005_telem import T1005Telem
 from infection_monkey.telemetry.attack.t1145_telem import T1145Telem
@@ -17,9 +22,6 @@ logger = logging.getLogger(__name__)
 
 DEFAULT_DIRS = ["/.ssh/", "/"]
 SSH_CREDENTIAL_COLLECTOR_TAG = "ssh-credentials-collector"
-T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
-T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005"
-T1145_ATTACK_TECHNIQUE_TAG = "attack-t1145"
 
 SSH_COLLECTOR_EVENT_TAGS = frozenset(
     (
@@ -32,7 +34,7 @@ SSH_COLLECTOR_EVENT_TAGS = frozenset(
 
 
 def get_ssh_info(
-    telemetry_messenger: ITelemetryMessenger, event_queue: IAgentEventQueue
+    telemetry_messenger: ITelemetryMessenger, agent_event_queue: IAgentEventQueue
 ) -> Iterable[Dict]:
     # TODO: Remove this check when this is turned into a plugin.
     if is_windows_os():
@@ -42,7 +44,7 @@ def get_ssh_info(
         return []
 
     home_dirs = _get_home_dirs()
-    ssh_info = _get_ssh_files(home_dirs, telemetry_messenger, event_queue)
+    ssh_info = _get_ssh_files(home_dirs, telemetry_messenger, agent_event_queue)
 
     return ssh_info
 
@@ -83,7 +85,7 @@ def _get_ssh_struct(name: str, home_dir: str) -> Dict:
 def _get_ssh_files(
     user_info: Iterable[Dict],
     telemetry_messenger: ITelemetryMessenger,
-    event_queue: IAgentEventQueue,
+    agent_event_queue: IAgentEventQueue,
 ) -> Iterable[Dict]:
     for info in user_info:
         path = info["home_dir"]
@@ -125,7 +127,7 @@ def _get_ssh_files(
 
                                             collected_credentials = to_credentials([info])
                                             _publish_credentials_stolen_event(
-                                                collected_credentials, event_queue
+                                                collected_credentials, agent_event_queue
                                             )
                                         else:
                                             continue
@@ -170,7 +172,7 @@ def to_credentials(ssh_info: Iterable[Dict]) -> Sequence[Credentials]:
 
 
 def _publish_credentials_stolen_event(
-    collected_credentials: Credentials, event_queue: IAgentEventQueue
+    collected_credentials: Sequence[Credentials], agent_event_queue: IAgentEventQueue
 ):
     credentials_stolen_event = CredentialsStolenEvent(
         source=get_agent_id(),
@@ -178,4 +180,4 @@ def _publish_credentials_stolen_event(
         stolen_credentials=collected_credentials,
     )
 
-    event_queue.publish(credentials_stolen_event)
+    agent_event_queue.publish(credentials_stolen_event)

monkey/infection_monkey/exploit/zerologon.py

@@ -18,6 +18,7 @@ from impacket.dcerpc.v5.dtypes import NULL
 from common.agent_events import CredentialsStolenEvent
 from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
 from common.credentials import Credentials, LMHash, NTHash, Username
+from common.tags import T1003_ATTACK_TECHNIQUE_TAG, T1098_ATTACK_TECHNIQUE_TAG
 from infection_monkey.exploit.HostExploiter import HostExploiter
 from infection_monkey.exploit.tools.wmi_tools import WmiTools
 from infection_monkey.exploit.zerologon_utils.dump_secrets import DumpSecrets
@@ -32,9 +33,6 @@ from infection_monkey.utils.threading import interruptible_iter
 logger = logging.getLogger(__name__)
 
 ZEROLOGON_EXPLOITER_TAG = "zerologon-exploiter"
-T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
-T1098_ATTACK_TECHNIQUE_TAG = "attack-t1098"
-
 
 ZEROLOGON_EVENT_TAGS = frozenset(
     {
@@ -315,7 +313,7 @@ class ZerologonExploiter(HostExploiter):
             tags=ZEROLOGON_EVENT_TAGS,
             stolen_credentials=extracted_credentials,
         )
-        self.event_queue.publish(credentials_stolen_event)
+        self.agent_event_queue.publish(credentials_stolen_event)
 
     def get_original_pwd_nthash(self, username: str, user_pwd_hashes: List[str]) -> Optional[str]:
         if not self.save_HKLM_keys_locally(username, user_pwd_hashes):

vulture_allowlist.py

@@ -9,11 +9,17 @@ from common.agent_configuration.agent_sub_configurations import (
 )
 from common.agent_events import ExploitationEvent, PingScanEvent, PropagationEvent, TCPScanEvent
 from common.credentials import Credentials, LMHash, NTHash
-from infection_monkey.exploit.HostExploiter.HostExploiter import (
-    _publish_exploitation_event,
-    _publish_propagation_event,
+from common.tags import (
+    T1021_ATTACK_TECHNIQUE_TAG,
+    T1105_ATTACK_TECHNIQUE_TAG,
+    T1110_ATTACK_TECHNIQUE_TAG,
+    T1203_ATTACK_TECHNIQUE_TAG,
+    T1210_ATTACK_TECHNIQUE_TAG,
+    T1222_ATTACK_TECHNIQUE_TAG,
+    T1570_ATTACK_TECHNIQUE_TAG,
 )
 from common.types import NetworkPort, NetworkService
+from infection_monkey.exploit.HostExploiter import HostExploiter
 from infection_monkey.exploit.log4shell_utils.ldap_server import LDAPServerFactory
 from monkey_island.cc.models import Machine, Node, Report
 from monkey_island.cc.models.networkmap import Arc, NetworkMap
@@ -319,8 +325,17 @@ TCPScanEvent
 TCPScanEvent.port_status
 
 # TODO: Remove once #2269 is close
-_publish_exploitation_event,
-_publish_propagation_event,
+PropagationEvent
+ExploitationEvent
+T1021_ATTACK_TECHNIQUE_TAG
+T1105_ATTACK_TECHNIQUE_TAG
+T1110_ATTACK_TECHNIQUE_TAG
+T1203_ATTACK_TECHNIQUE_TAG
+T1210_ATTACK_TECHNIQUE_TAG
+T1222_ATTACK_TECHNIQUE_TAG
+T1570_ATTACK_TECHNIQUE_TAG
+HostExploiter._publish_propagation_event
+HostExploiter._publish_exploitation_event
 
 # pydantic base models
 underscore_attrs_are_private