Agent: Revise Powershell publishing of events

2022-10-06 16:03:15 +02:00 · 2022-10-06 16:03:15 +02:00 · ac11d159fe
parent 39bada5bb1
commit ac11d159fe
1 changed files with 22 additions and 15 deletions
--- a/monkey/infection_monkey/exploit/powershell.py
+++ b/monkey/infection_monkey/exploit/powershell.py
@ -1,5 +1,6 @@
 import logging
 from pathlib import Path, PurePath
+from time import time
 from typing import List, Optional

 from common import OperatingSystem
@ -27,12 +28,6 @@ from infection_monkey.utils.threading import interruptible_iter

 logger = logging.getLogger(__name__)
 POWERSHELL_EXPLOITER_TAG = "powershell-exploiter"
-EXPLOITER_TAGS = (POWERSHELL_EXPLOITER_TAG, T1059_ATTACK_TECHNIQUE_TAG, T1110_ATTACK_TECHNIQUE_TAG)
-PROPAGATION_TAGS = (
-    POWERSHELL_EXPLOITER_TAG,
-    T1059_ATTACK_TECHNIQUE_TAG,
-    T1105_ATTACK_TECHNIQUE_TAG,
-)


 class RemoteAgentCopyError(Exception):
@ -46,6 +41,17 @@ class RemoteAgentExecutionError(Exception):
 class PowerShellExploiter(HostExploiter):
    _EXPLOITED_SERVICE = "PowerShell Remoting (WinRM)"

+    _EXPLOITER_TAGS = (
+        POWERSHELL_EXPLOITER_TAG,
+        T1059_ATTACK_TECHNIQUE_TAG,
+        T1110_ATTACK_TECHNIQUE_TAG,
+    )
+    _PROPAGATION_TAGS = (
+        POWERSHELL_EXPLOITER_TAG,
+        T1059_ATTACK_TECHNIQUE_TAG,
+        T1105_ATTACK_TECHNIQUE_TAG,
+    )
+
    def __init__(self):
        super().__init__()
        self._client = None
@ -80,16 +86,19 @@ class PowerShellExploiter(HostExploiter):
            )
            return self.exploit_result

+        timestamp = time()
        try:
            self._execute_monkey_agent_on_victim()
-        except Exception as ex:
-            self._publish_propagation_event(self.host.ip_addr, False, PROPAGATION_TAGS, str(ex))
-            logger.error(f"Failed to propagate to the remote host: {ex}")
-            self.exploit_result.error_message = str(ex)
+        except Exception as err:
+            self.exploit_result.error_message = f"Failed to propagate to the remote host: {err}"
+            self._publish_propagation_event(
+                time=timestamp, success=False, error_message=self.exploit_result.error_message
+            )
+            logger.error(self.exploit_result.error_message)
            return self.exploit_result

        self.exploit_result.propagation_success = True
-        self._publish_propagation_event(self.host.ip_addr, True, PROPAGATION_TAGS)
+        self._publish_propagation_event(timestamp, True)

        return self.exploit_result

@ -116,7 +125,7 @@ class PowerShellExploiter(HostExploiter):
                    f"{creds.username}, Secret Type: {creds.secret_type.name}"
                )

-                self._publish_exploitation_event(self.host.ip_addr, True, EXPLOITER_TAGS)
+                self._publish_exploitation_event(success=True)
                self.exploit_result.exploitation_success = True
                self._report_login_attempt(True, creds)

@ -127,9 +136,7 @@ class PowerShellExploiter(HostExploiter):
                    f"{creds.username}, SecretType: {creds.secret_type.name} -- Error: {ex}"
                )
                logger.debug(error_message)
-                self._publish_exploitation_event(
-                    self.host.ip_addr, False, EXPLOITER_TAGS, error_message
-                )
+                self._publish_exploitation_event(success=False, error_message=error_message)
                self._report_login_attempt(False, creds)

        return None