From 48abfcab6831ad94618ff6d007a79a58810a49e3 Mon Sep 17 00:00:00 2001
From: VakarisZ
Date: Thu, 19 Mar 2020 15:05:27 +0200
Subject: [PATCH 1/3] Fixed credential dumping

---
 .../cc/services/attack/technique_reports/T1003.py | 3 +++
 .../cc/ui/src/components/attack/techniques/T1003.js | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py
index 8039a2e76..f3bd9b180 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1003.py
@@ -1,4 +1,5 @@
 from monkey_island.cc.services.attack.technique_reports import AttackTechnique
+from monkey_island.cc.services.reporting.report import ReportService
 from common.utils.attack_utils import ScanStatus
 from monkey_island.cc.database import mongo
 
@@ -23,4 +24,6 @@ class T1003(AttackTechnique):
         else:
             status = ScanStatus.UNSCANNED.value
         data.update(T1003.get_message_and_status(status))
+        data['stolen_creds'] = ReportService.get_stolen_creds()
+        data['stolen_creds'].extend(ReportService.get_ssh_keys())
         return data
diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1003.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1003.js
index 5615c7039..c9c127574 100644
--- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1003.js
+++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1003.js
@@ -17,7 +17,7 @@ class T1003 extends React.Component {
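Review bot: The stolen-credential list is fetched and attached to the response for every status, including UNSCANNED, because the two added lines run after the `if`/`else` regardless of what `status` ended up as; only the UI side gates rendering on `ScanStatus.USED`. Harvested passwords and SSH keys are the most sensitive data the island holds, so populate the field only when the technique was actually used, e.g. wrap the two lines in `if status == ScanStatus.USED.value:`. Separately, `.extend()` mutates whatever list `ReportService.get_stolen_creds()` hands back; if that helper ever returns a cached or shared list, the SSH keys get appended to it again on every report render, which `data['stolen_creds'] = ReportService.get_stolen_creds() + ReportService.get_ssh_keys()` avoids. The enclosing method starts outside the hunk.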
{this.props.data.status === ScanStatus.USED ? + data={this.props.data.stolen_creds}/> : ''} );
From b4112f024fd73b899467f494c1cbdaebeb461bcb Mon Sep 17 00:00:00 2001
From: VakarisZ
Date: Thu, 19 Mar 2020 15:41:49 +0200
Subject: [PATCH 2/3] Fixed system info collection attack technique

---
 .../cc/services/attack/technique_reports/T1082.py | 2 +-
 .../ui/src/components/attack/techniques/Helpers.js | 13 ++++++++++---
 .../cc/ui/src/components/attack/techniques/T1082.js | 11 ++++++-----
 3 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
index 726910789..1aaef57f4 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1082.py
@@ -11,7 +11,7 @@ class T1082(AttackTechnique):
     scanned_msg = ""
     used_msg = "Monkey gathered system info from machines in the network."
 
-    query = [{'$match': {'telem_category': 'system_info'}},
+    query = [{'$match': {'telem_category': 'system_info', 'data.network_info': {'$exists': True}}},
              {'$project': {'machine': {'hostname': '$data.hostname', 'ips': '$data.network_info.networks'},
                            'aws': '$data.aws',
                            'netstat': '$data.network_info.netstat',
diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/Helpers.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/Helpers.js
index a8847cc0f..ebe12f25b 100644
--- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/Helpers.js
+++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/Helpers.js
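Review bot: The new `$match` only requires `data.network_info` to exist, yet the `$project` stage on the next line reads `$data.network_info.networks` into `machine.ips`, which the Helpers.js renderer iterates with `data['ips'].forEach`; a telemetry document whose `network_info` has no `networks` key still passes this filter and would break that page. Filtering on the field that is actually consumed is tighter: `'data.network_info.networks': {'$exists': True}`. Note also that MongoDB's `$exists: true` matches a field explicitly set to `null`, so if an agent can ever report `network_info: null` this filter does not exclude it; I can't tell from here whether the collector does that. System-info telemetry originates from the agents, so the report side should tolerate partial records rather than assume the schema. The `query` list continues past the end of the hunk.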
@@ -9,7 +9,10 @@ export function renderMachine(val) {
 /* Function takes data gathered from system info collector and creates a string representation of machine from that data. */
 export function renderMachineFromSystemData(data) {
-  let machineStr = data['hostname'] + ' ( ';
+  let machineStr = '';
+  if (typeof data['hostname'] !== 'undefined') {
+    machineStr = data['hostname'] + ' ( ';
+  }
   data['ips'].forEach(function (ipInfo) {
     if (typeof ipInfo === 'object') {
       machineStr += ipInfo['addr'] + ', ';
@@ -17,8 +20,12 @@ export function renderMachineFromSystemData(data) {
       machineStr += ipInfo + ', ';
     }
   });
-  // Replaces " ," with " )" to finish a list of IP's
-  return machineStr.slice(0, -2) + ' )'
+  if (typeof data['hostname'] !== 'undefined') {
+    return machineStr.slice(0, -2) + ' )';
+  } else {
+    // Replaces " ," with " )" to finish a list of IP's
+    return machineStr.slice(0, -2);
+  }
 }
 
 /* Formats telemetry data that contains _id.machine and _id.usage fields into columns
diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1082.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1082.js
index 308a18c10..27dec053e 100644
--- a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1082.js
+++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1082.js
@@ -12,13 +12,14 @@ class T1082 extends React.Component {
   static getSystemInfoColumns() {
     return ([{
       columns: [
-        {
-          Header: 'Machine',
+        { Header: 'Machine',
           id: 'machine',
           accessor: x => renderMachineFromSystemData(x.machine),
-          style: {'whiteSpace': 'unset'}
-        },
-        {Header: 'Gathered info', id: 'info', accessor: x => renderUsageFields(x.collections), style: {'whiteSpace': 'unset'}}
+          style: {'whiteSpace': 'unset'}},
+        { Header: 'Gathered info',
+          id: 'info',
+          accessor: x => renderUsageFields(x.collections),
+          style: {'whiteSpace': 'unset'}}
       ]
     }])
   }
From b5078f8ba093632c0d2894db11e1d96220c228d4 Mon Sep 17 00:00:00 2001
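Review bot: The added `typeof data['hostname'] !== 'undefined'` guard covers the hostname, but the unchanged `data['ips'].forEach(...)` right below it still throws a TypeError when `ips` is absent, which is the same partial-telemetry failure this series is fixing (the server-side filter only checks that `network_info` exists, not that it carries `networks`). A one-line guard keeps the renderer total: `(data['ips'] || []).forEach(function (ipInfo) {`. renderMachineFromSystemData continues past the end of this hunk.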
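Review bot: The comment `// Replaces " ," with " )" to finish a list of IP's` now sits in the `else` branch, which is precisely the branch that no longer appends `' )'`, so it describes the other branch and will mislead the next reader. The hostname check is also evaluated a second time here after the one at the top of the function. Trimming once and branching on the result keeps the comment truthful and removes the duplicate condition: `const ipList = machineStr.slice(0, -2); // drop the trailing ', ' left by the loop` followed by `return typeof data['hostname'] !== 'undefined' ? ipList + ' )' : ipList;`. Behaviour is unchanged for both branches.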
From: VakarisZ
Date: Thu, 19 Mar 2020 16:21:13 +0200
Subject: [PATCH 3/3] Fixed network configuration attack technique

---
 .../monkey_island/cc/services/attack/technique_reports/T1016.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py
index 9249020dc..885b738cb 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1016.py
@@ -11,7 +11,7 @@ class T1016(AttackTechnique):
     scanned_msg = ""
     used_msg = "Monkey gathered network configurations on systems in the network."
 
-    query = [{'$match': {'telem_category': 'system_info'}},
+    query = [{'$match': {'telem_category': 'system_info', 'data.network_info': {'$exists': True}}},
              {'$project': {'machine': {'hostname': '$data.hostname', 'ips': '$data.network_info.networks'},
                            'networks': '$data.network_info.networks',
                            'netstat': '$data.network_info.netstat'}},
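Review bot: This `$match` stage is now a character-for-character copy of the one added to T1082.py earlier in the series, and both have to track whatever shape the system-info collector actually emits, so they will drift apart the next time one is tightened. A shared module-level constant in the technique_reports package, e.g. `SYSTEM_INFO_WITH_NETWORK_MATCH = {'$match': {'telem_category': 'system_info', 'data.network_info': {'$exists': True}}}`, referenced from both `query` lists, gives one place to change it. When that is done, consider matching on `data.network_info.networks`, since that is the field the `$project` stage and the UI actually consume, rather than its parent object. The `query` list continues past the end of the hunk.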