Merge pull request #796 from shreyamalviya/T1099

Add T1099 attack technique (timestomping)
Shreya Malviya 2020-08-31 17:21:56 +05:30 committed by GitHub
commit 836647eadf
12 changed files with 146 additions and 10 deletions


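--- a/common/data/post_breach_consts.py
+++ b/common/data/post_breach_consts.py
@@ -6,6 +6,7 @@ POST_BREACH_HIDDEN_FILES = "Hide files and directories"
 POST_BREACH_TRAP_COMMAND = "Execute command when a particular signal is received"
 POST_BREACH_SETUID_SETGID = "Setuid and Setgid"
 POST_BREACH_JOB_SCHEDULING = "Schedule jobs"
+POST_BREACH_TIMESTOMPING = "Modify files' timestamps"
 POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC = "Signed script proxy execution"
 POST_BREACH_ACCOUNT_DISCOVERY = "Account discovery"
 POST_BREACH_CLEAR_CMD_HISTORY = "Clear command history"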


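--- /dev/null
+++ b/PATH-NOT-ON-PAGE-1
@@ -0,0 +1,12 @@
+from common.data.post_breach_consts import POST_BREACH_TIMESTOMPING
+from infection_monkey.post_breach.pba import PBA
+from infection_monkey.post_breach.timestomping.timestomping import \
+get_timestomping_commands
+class Timestomping(PBA):
+def __init__(self):
+linux_cmds, windows_cmds = get_timestomping_commands()
+super().__init__(POST_BREACH_TIMESTOMPING,
+linux_cmd=linux_cmds,
+windows_cmd=windows_cmds)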
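Review bot: Timestomping has no docstring, so a reader of the PBA list cannot tell what the action does without opening the command modules; add `"""Post-breach action that creates a temporary file, rewrites its modification timestamp and deletes it (ATT&CK T1099)."""` directly under the class line. The constructor forwards whatever get_timestomping_commands returns, so the shape of linux_cmd and windows_cmd is fixed in the other new module rather than here, and a one-line comment saying so would keep the two in step.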


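--- /dev/null
+++ b/infection_monkey/post_breach/timestomping/linux/timestomping.py
@@ -0,0 +1,14 @@
+TEMP_FILE = 'monkey-timestomping-file.txt'
+TIMESTAMP_EPOCH = '197001010000.00'
+def get_linux_timestomping_commands():
+return [
+f'echo "Successfully changed a file\'s modification timestamp" > {TEMP_FILE} && '
+f'touch -m -t {TIMESTAMP_EPOCH} {TEMP_FILE} && '
+f'cat {TEMP_FILE} ; '
+f'rm {TEMP_FILE} -f'
+]
+# Commands' source: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md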
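Review bot: `rm {TEMP_FILE} -f` places the option after the operand, which GNU rm accepts but POSIX-style implementations (BSD rm, for one) may read as a second file name, leaving the temporary file behind on such hosts; the portable form is `f'rm -f {TEMP_FILE}'`. TEMP_FILE is a bare file name, so the file is created in whatever working directory the command runs in — presumably the monkey's, but nothing in this diff pins that down, and a comment stating the intended location would help whoever later looks for leftovers. The trailing "Commands' source" comment would read better as the function's docstring, next to the command it documents.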


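--- /dev/null
+++ b/infection_monkey/post_breach/timestomping/timestomping.py
@@ -0,0 +1,10 @@
+from infection_monkey.post_breach.timestomping.linux.timestomping import \
+get_linux_timestomping_commands
+from infection_monkey.post_breach.timestomping.windows.timestomping import \
+get_windows_timestomping_commands
+def get_timestomping_commands():
+linux_cmds = get_linux_timestomping_commands()
+windows_cmds = get_windows_timestomping_commands()
+return linux_cmds, windows_cmds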
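Review bot: get_timestomping_commands has no docstring, and its tuple order is the only contract between the Timestomping PBA and the two platform modules; add `"""Return ``(linux_cmds, windows_cmds)`` for the timestomping PBA, as built by the per-platform modules."""`. The function passes both values through untouched, so any difference in how the two platform modules shape their result surfaces in the PBA base class rather than here.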


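--- /dev/null
+++ b/infection_monkey/post_breach/timestomping/windows/timestomping.ps1
@@ -0,0 +1,13 @@
+$TEMP_FILE = 'monkey-timestomping-file.txt'
+$TIMESTAMP_EPOCH = '01/01/1970 00:00:00'
+# create temporary file
+New-Item -Path $TEMP_FILE -Force | Out-Null
+Set-Content $TEMP_FILE -Value "Successfully changed a file's modification timestamp" -Force | Out-Null
+# attempt to change modification timestamp
+Get-ChildItem $TEMP_FILE | % { $_.LastWriteTime = $TIMESTAMP_EPOCH }
+Get-Content $TEMP_FILE
+# remove temporary file
+Remove-Item $TEMP_FILE -Force -ErrorAction Ignore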
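Review bot: `Get-Content $TEMP_FILE` runs whether or not the `$_.LastWriteTime` assignment succeeded, so the text "Successfully changed a file's modification timestamp" is printed even when the timestamp was never changed; the Linux variant only prints it after `touch` succeeds. If the PBA derives its result from the script output (not visible in this diff), a failed attempt on Windows would be reported as a success. Wrap the assignment and the read in try/catch/finally so a failure is reported explicitly and the temporary file is still removed on every path.
```powershell
# … unchanged: $TEMP_FILE / $TIMESTAMP_EPOCH, New-Item, Set-Content …
try {
    # attempt to change modification timestamp; a failed assignment throws and skips the success text
    Get-ChildItem $TEMP_FILE | % { $_.LastWriteTime = $TIMESTAMP_EPOCH }
    Get-Content $TEMP_FILE
} catch {
    Write-Error "Failed to change the modification timestamp of ${TEMP_FILE}: $_"
} finally {
    # remove temporary file
    Remove-Item $TEMP_FILE -Force -ErrorAction Ignore
}
```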


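--- /dev/null
+++ b/infection_monkey/post_breach/timestomping/windows/timestomping.py
@@ -0,0 +1,8 @@
+TEMP_FILE = 'monkey-timestomping-file.txt'
+def get_windows_timestomping_commands():
+return 'powershell.exe infection_monkey/post_breach/timestomping/windows/timestomping.ps1'
+# Commands' source: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md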
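Review bot: TEMP_FILE is defined but never used in this module — the PowerShell script declares its own $TEMP_FILE — so the constant should be dropped or handed to the script, otherwise the two names will drift apart silently. get_windows_timestomping_commands returns a plain str while get_linux_timestomping_commands returns a one-element list, and get_timestomping_commands forwards both unchanged, so the PBA base class receives a different type per platform; unless PBA documents accepting either (not shown here), make both the same shape, e.g. `return ['powershell.exe infection_monkey/post_breach/timestomping/windows/timestomping.ps1']`. The script path is relative, so the command only resolves when the monkey's working directory is the package root — presumably the same convention the other .ps1 PBAs rely on, but a comment saying so would spare the next reader the search.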


@ -11,16 +11,16 @@ from monkey_island.cc.services.attack.technique_reports import (T1003, T1005,
T1065, T1075, T1065, T1075,
T1082, T1086, T1082, T1086,
T1087, T1090, T1087, T1090,
T1105, T1106, T1099, T1105,
T1107, T1110, T1106, T1107,
T1129, T1136, T1110, T1129,
T1145, T1146, T1136, T1145,
T1154, T1156, T1146, T1154,
T1158, T1166, T1156, T1158,
T1168, T1188, T1166, T1168,
T1197, T1210, T1188, T1197,
T1216, T1222, T1210, T1216,
T1504) T1222, T1504)
from monkey_island.cc.services.reporting.report_generation_synchronisation import \ from monkey_island.cc.services.reporting.report_generation_synchronisation import \
safe_generate_attack_report safe_generate_attack_report
@ -60,6 +60,7 @@ TECHNIQUES = {'T1210': T1210.T1210,
'T1166': T1166.T1166, 'T1166': T1166.T1166,
'T1168': T1168.T1168, 'T1168': T1168.T1168,
'T1053': T1053.T1053, 'T1053': T1053.T1053,
'T1099': T1099.T1099,
'T1216': T1216.T1216, 'T1216': T1216.T1216,
'T1087': T1087.T1087, 'T1087': T1087.T1087,
'T1146': T1146.T1146 'T1146': T1146.T1146


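--- a/PATH-NOT-ON-PAGE-2
+++ b/PATH-NOT-ON-PAGE-2
@@ -195,6 +195,15 @@ SCHEMA = {
 "link": "https://attack.mitre.org/techniques/T1222",
 "description": "Adversaries may modify file permissions/attributes to evade intended DACLs."
 },
+"T1099": {
+"title": "Timestomping",
+"type": "bool",
+"value": True,
+"necessary": False,
+"link": "https://attack.mitre.org/techniques/T1099",
+"description": "Adversaries may modify file time attributes to hide new/changes to existing "
+"files to avoid attention from forensic investigators or file analysis tools."
+},
 "T1216": {
 "title": "Signed script proxy execution",
 "type": "bool",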


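--- /dev/null
+++ b/monkey_island/cc/services/attack/technique_reports/T1099.py
@@ -0,0 +1,13 @@
+from common.data.post_breach_consts import POST_BREACH_TIMESTOMPING
+from monkey_island.cc.services.attack.technique_reports.pba_technique import \
+PostBreachTechnique
+__author__ = "shreyamalviya"
+class T1099(PostBreachTechnique):
+tech_id = "T1099"
+unscanned_msg = "Monkey didn't try changing any file's time attributes."
+scanned_msg = "Monkey tried changing a file's time attributes but failed."
+used_msg = "Monkey successfully changed a file's time attributes."
+pba_names = [POST_BREACH_TIMESTOMPING]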
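Review bot: The three report messages speak of "time attributes", but both command variants only rewrite the modification time (`touch -m` on Linux, `LastWriteTime` on Windows) and leave access and creation times untouched, so a reader of the report would over-estimate what was exercised. Narrow the wording, e.g. `used_msg = "Monkey successfully changed a file's modification timestamp."`, and align the `"info"` text of the new POST_BREACH_ACTIONS entry in the same way. A short class docstring naming the technique and the PBA it reports on would also help, since pba_names is the only link between the two.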


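--- a/PATH-NOT-ON-PAGE-3
+++ b/PATH-NOT-ON-PAGE-3
@@ -71,6 +71,15 @@ POST_BREACH_ACTIONS = {
 "info": "Attempts to create a scheduled job on the system and remove it.",
 "attack_techniques": ["T1168", "T1053"]
 },
+{
+"type": "string",
+"enum": [
+"Timestomping"
+],
+"title": "Timestomping",
+"info": "Creates a temporary file and attempts to modify its time attributes. Removes the file afterwards.",
+"attack_techniques": ["T1099"]
+},
 {
 "type": "string",
 "enum": [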


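--- a/PATH-NOT-ON-PAGE-4
+++ b/PATH-NOT-ON-PAGE-4
@@ -68,6 +68,7 @@ MONKEY = {
 "TrapCommand",
 "ChangeSetuidSetgid",
 "ScheduleJobs",
+"Timestomping",
 "AccountDiscovery"
 ]
 },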


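--- /dev/null
+++ b/PATH-NOT-ON-PAGE-5
@@ -0,0 +1,45 @@
+import React from 'react';
+import ReactTable from 'react-table';
+import {renderMachineFromSystemData, ScanStatus} from './Helpers';
+import MitigationsComponent from './MitigationsComponent';
+class T1099 extends React.Component {
+constructor(props) {
+super(props);
+}
+static getColumns() {
+return ([{
+columns: [
+{ Header: 'Machine',
+id: 'machine',
+accessor: x => renderMachineFromSystemData(x.machine),
+style: {'whiteSpace': 'unset'}},
+{ Header: 'Result',
+id: 'result',
+accessor: x => x.result,
+style: {'whiteSpace': 'unset'}}
+]
+}])
+}
+render() {
+return (
+<div>
+<div>{this.props.data.message}</div>
+<br/>
+{this.props.data.status === ScanStatus.USED ?
+<ReactTable
+columns={T1099.getColumns()}
+data={this.props.data.info}
+showPagination={false}
+defaultPageSize={this.props.data.info.length}
+/> : ''}
+<MitigationsComponent mitigations={this.props.data.mitigations}/>
+</div>
+);
+}
+}
+export default T1099;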
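Review bot: The constructor only calls `super(props)` and initialises nothing, so it is a no-op that ESLint's no-useless-constructor rule flags; delete the `constructor(props) { super(props); }` block and let React supply the default. `defaultPageSize={this.props.data.info.length}` is only reached on the USED branch, so `info` being absent in other states is harmless, but a short comment above the ternary noting that `info` is expected to be the per-machine result list when status is USED would spare the next reader a trip to the report generator.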