Code review changes
- break down `get_linux_commands_to_clear_command_history()` into separate functions - keep the technique off by default - update the technique messages - other tiny changes
This commit is contained in:
parent
e25e913e86
commit
7950b246aa
@ -1,7 +1,12 @@
from infection_monkey.post_breach.clear_command_history.linux_clear_command_history import \
from infection_monkey.post_breach.clear_command_history.linux_clear_command_history import (
get_linux_commands_to_clear_command_history
get_linux_command_history_files,
get_linux_commands_to_clear_command_history, get_linux_usernames)
def get_commands_to_clear_command_history():
def get_commands_to_clear_command_history():
linux_cmds = get_linux_commands_to_clear_command_history()
(linux_cmds,
return linux_cmds
linux_cmd_hist_files,
linux_usernames) = (get_linux_commands_to_clear_command_history(),
get_linux_command_history_files(),
get_linux_usernames())
return linux_cmds, linux_cmd_hist_files, linux_usernames
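Review bot: The `(linux_cmds, linux_cmd_hist_files, linux_usernames) = (...)` unpack in `get_commands_to_clear_command_history` only renames three call results before returning them; `return (get_linux_commands_to_clear_command_history(), get_linux_command_history_files(), get_linux_usernames())` says the same thing in one statement. Since callers now have to unpack a 3-tuple instead of a single list, the function deserves a docstring such as `"""Return (command templates, history-file path templates, usernames); on Windows each helper short-circuits, giving ('', [], [])."""` — the Windows values are the ones the three helpers return in this commit, matching what the removed single-return version produced.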
@ -2,21 +2,31 @@ import subprocess
from infection_monkey.utils.environment import is_windows_os
from infection_monkey.utils.environment import is_windows_os
TEMP_HIST_FILE = '$HOME/monkey-temp-hist-file'
def get_linux_commands_to_clear_command_history():
def get_linux_commands_to_clear_command_history():
if is_windows_os():
if is_windows_os():
return '', [], []
return ''
TEMP_HIST_FILE = '$HOME/monkey-temp-hist-file'
return [
'3<{0} 3<&- && ', # check for existence of file
'cat {0} ' # copy contents of history file to...
f'> {TEMP_HIST_FILE} && ', # ...temporary file
'echo > {0} && ', # clear contents of file
'echo \"Successfully cleared {0}\" && ', # if successfully cleared
f'cat {TEMP_HIST_FILE} ', # restore history file back with...
'> {0} ;' # ...original contents
f'rm {TEMP_HIST_FILE} -f' # remove temp history file
]
def get_linux_command_history_files():
if is_windows_os():
return []
HOME_DIR = "/home/"
HOME_DIR = "/home/"
# get list of usernames
USERS = subprocess.check_output( # noqa: DUO116
"cut -d: -f1,3 /etc/passwd | egrep ':[0-9]{4}$' | cut -d: -f1",
shell=True
).decode().split('\n')[:-1]
# get list of paths of different shell history files (default values) with place for username
# get list of paths of different shell history files (default values) with place for username
STARTUP_FILES = [
STARTUP_FILES = [
file_path.format(HOME_DIR) for file_path in
file_path.format(HOME_DIR) for file_path in
@ -29,13 +39,17 @@ def get_linux_commands_to_clear_command_history():
]
]
]
]
return [
return STARTUP_FILES
'3<{0} 3<&- && ', # check for existence of file
'cat {0} ' # copy contents of history file to...
f'> {TEMP_HIST_FILE} && ', # ...temporary file
def get_linux_usernames():
'echo > {0} && ', # clear contents of file
if is_windows_os():
'echo \"Successfully cleared {0}\" && ', # if successfully cleared
return []
f'cat {TEMP_HIST_FILE} ', # restore history file back with...
'> {0} ;' # ...original contents
# get list of usernames
f'rm {TEMP_HIST_FILE} -f' # remove temp history file
USERS = subprocess.check_output( # noqa: DUO116
], STARTUP_FILES, USERS
"cut -d: -f1,3 /etc/passwd | egrep ':[0-9]{4}$' | cut -d: -f1",
shell=True
).decode().split('\n')[:-1]
return USERS
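Review bot: `get_linux_usernames` (the function added at the end of the second hunk) shells out with `shell=True` to run a `cut | egrep | cut` pipeline over `/etc/passwd`, when the stdlib `pwd` module yields the same records with no subprocess, no dependency on an `egrep` binary, and no need for the `# noqa: DUO116` suppression. The `:[0-9]{4}$` filter keeps only UIDs 1000–9999, so the rewrite below preserves that window rather than switching to `>= 1000`, which would newly pull in accounts such as `nobody` on systems that assign it UID 65534 (the intended set is not stated anywhere in the hunk, so I am keeping the existing behaviour). `pwd` does not exist on Windows, so the import must sit after the `is_windows_os()` guard inside the function, not at module top. Separately, `TEMP_HIST_FILE = '$HOME/monkey-temp-hist-file'` is a fixed, predictable path that the trailing `rm -f` removes unconditionally after the `;`, and `$HOME` resolves to the home of the account running the agent, so if these commands are formatted against other users' history files (the `/home/` path templates suggest they are), those users' history is copied into the agent account's home for the duration of the command — worth a comment on the constant at minimum.
```python
def get_linux_usernames():
    if is_windows_os():
        return []

    import pwd  # Unix-only module; import after the Windows guard

    # Same UID window as the `egrep ':[0-9]{4}$'` filter this replaces.
    return [entry.pw_name for entry in pwd.getpwall()
            if 1000 <= entry.pw_uid <= 9999]
```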
@ -171,7 +171,7 @@ SCHEMA = {
"T1146": {
"T1146": {
"title": "Clear command history",
"title": "Clear command history",
"type": "bool",
"type": "bool",
"value": True,
"value": False,
"necessary": False,
"necessary": False,
"link": "https://attack.mitre.org/techniques/T1146",
"link": "https://attack.mitre.org/techniques/T1146",
"description": "Adversaries may clear/disable command history of a compromised "
"description": "Adversaries may clear/disable command history of a compromised "
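Review bot: `"value": False` makes T1146 opt-in, but nothing in this hunk tells the operator why, and the `"description"` string on the last line continues outside the hunk. It should say that the technique overwrites each user's shell history file on the target and then restores it from a temporary copy (that is what the command built in `get_linux_commands_to_clear_command_history` does), which is the reason it is disabled by default; something like `"... Disabled by default: it overwrites users' shell history files on the target (restored afterwards)."` appended to the description would also match the updated `used_msg` in this commit.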
@ -7,9 +7,9 @@ __author__ = "shreyamalviya"
class T1146(PostBreachTechnique):
class T1146(PostBreachTechnique):
tech_id = "T1146"
tech_id = "T1146"
unscanned_msg = "Monkey didn't try clearing/disabling the command history since it didn't run on any Linux machines."
unscanned_msg = "Monkey didn't try clearing the command history since it didn't run on any Linux machines."
scanned_msg = "Monkey tried clearing/disabling the command history but failed."
scanned_msg = "Monkey tried clearing the command history but failed."
used_msg = "Monkey successfully cleared/disabled the command history."
used_msg = "Monkey successfully cleared the command history (and then restored it back)."
pba_names = [POST_BREACH_CLEAR_CMD_HISTORY]
pba_names = [POST_BREACH_CLEAR_CMD_HISTORY]
@staticmethod
@staticmethod
|
||||||
|
|
|
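Review bot: The new `used_msg` reads "cleared the command history (and then restored it back)"; "restored it back" is redundant, and tucking the restore into a parenthesis hides the fact a report reader most needs. `used_msg = "Monkey cleared the command history and then restored it from a temporary copy."` states it plainly and matches what the generated shell command actually does. The `unscanned_msg` line is well over 100 characters; splitting it with implicit string concatenation, as the config-schema `description` touched by this commit already does, would keep it within a normal line length.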
@ -67,8 +67,7 @@ MONKEY = {
"HiddenFiles",
"HiddenFiles",
"TrapCommand",
"TrapCommand",
"ChangeSetuidSetgid",
"ChangeSetuidSetgid",
"ScheduleJobs",
"ScheduleJobs"
"ClearCommandHistory"
]
]
},
},
}
}
|
||||||
|
|
|
@ -56,7 +56,7 @@ function aggregateMultipleResultsPba(results) {
return results;
return results;
// if modifications were made, push aggregated results to `results` and return
// if modifications were made, push aggregated results to `results` and return
results = results.filter(result => result.name !== SHELL_STARTUP_NAME && result.name !== CMD_HISTORY_NAME);
results = results.filter(result => !multipleResultsPbas.includes(result.name));
multipleResultsPbas.forEach(pba => checkAggregatedResults(pba));
multipleResultsPbas.forEach(pba => checkAggregatedResults(pba));
return results;
return results;
}
}
|
||||||
|
|