Agent: Modify Zerologon to publish CredentialsStolenEvent

2022-08-15 17:58:05 +02:00 · 2022-08-15 17:58:05 +02:00 · 76bbe62c3b
parent f171e548f3
commit 76bbe62c3b
1 changed files with 20 additions and 8 deletions
--- a/monkey/infection_monkey/exploit/zerologon.py
+++ b/monkey/infection_monkey/exploit/zerologon.py
@ -9,7 +9,8 @@ import os
 import re
 import tempfile
 from binascii import unhexlify
-from typing import Dict, List, Optional, Tuple
+from time import time
+from typing import Dict, List, Optional, Sequence, Tuple

 import impacket
 from impacket.dcerpc.v5 import epm, nrpc, rpcrt, transport
@ -17,6 +18,8 @@ from impacket.dcerpc.v5.dtypes import NULL

 from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
 from common.credentials import Credentials, LMHash, NTHash, Username
+from common.events import CredentialsStolenEvent
+from infection_monkey.config import IGUID
 from infection_monkey.exploit.HostExploiter import HostExploiter
 from infection_monkey.exploit.tools.wmi_tools import WmiTools
 from infection_monkey.exploit.zerologon_utils.dump_secrets import DumpSecrets
@ -284,14 +287,23 @@ class ZerologonExploiter(HostExploiter):
    def send_extracted_creds_as_credential_telemetry(
        self, user: str, lmhash: str, nthash: str
    ) -> None:
-        self.telemetry_messenger.send_telemetry(
-            CredentialsTelem(
-                [
-                    Credentials(Username(user), LMHash(lmhash)),
-                    Credentials(Username(user), NTHash(nthash)),
-                ]
-            )
+        extracted_credentials = [
+            Credentials(Username(user), LMHash(lmhash)),
+            Credentials(Username(user), NTHash(nthash)),
+        ]
+
+        self.telemetry_messenger.send_telemetry(CredentialsTelem(extracted_credentials))
+        self._publish_credentials_stolen_event(extracted_credentials)
+
+    def _publish_credentials_stolen_event(self, extracted_credentials: Sequence[Credentials]):
+        credentials_stolen_event = CredentialsStolenEvent(
+            source=IGUID,
+            target=None,
+            timestamp=time(),
+            tags=({"ZerologonCredentialsStolen"}),
+            stolen_credentials=extracted_credentials,
        )
+        self.event_queue.publish(credentials_stolen_event)

    def get_original_pwd_nthash(self, username: str, user_pwd_hashes: List[str]) -> str:
        if not self.save_HKLM_keys_locally(username, user_pwd_hashes):