From ff17237ea7e5c1d9d60d5738c55a2cf5b812c61a Mon Sep 17 00:00:00 2001
From: Shreya Malviya
Date: Tue, 28 Jun 2022 15:48:19 -0700
Subject: [PATCH] Island: Remove old configuration schema's definitions
---
 .../credential_collector_classes.py | 25 -----
 .../definitions/exploiter_classes.py | 105 ------------------
 .../definitions/finger_classes.py | 48 --------
 .../definitions/post_breach_actions.py | 105 ------------------
 4 files changed, 283 deletions(-)
 delete mode 100644 monkey/monkey_island/cc/services/config_schema/definitions/credential_collector_classes.py
 delete mode 100644 monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
 delete mode 100644 monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py
 delete mode 100644 monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py
diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/credential_collector_classes.py b/monkey/monkey_island/cc/services/config_schema/definitions/credential_collector_classes.py
deleted file mode 100644
index a16b8afac..000000000
--- a/monkey/monkey_island/cc/services/config_schema/definitions/credential_collector_classes.py
+++ /dev/null
@@ -1,25 +0,0 @@
-from common.common_consts.credential_collector_names import MIMIKATZ_COLLECTOR, SSH_COLLECTOR
-
-CREDENTIAL_COLLECTORS = {
- "title": "Credential Collectors",
- "description": "Click on a credential collector to find out what it collects.",
- "type": "string",
- "anyOf": [
- {
- "type": "string",
- "enum": [MIMIKATZ_COLLECTOR],
- "title": "Mimikatz Credentials Collector",
- "safe": True,
- "info": "Collects credentials from Windows credential manager.",
- "attack_techniques": ["T1003", "T1005"],
- },
- {
- "type": "string",
- "enum": [SSH_COLLECTOR],
- "title": "SSH Credentials Collector",
- "safe": True,
- "info": "Searches users' home directories and collects SSH keypairs.",
- "attack_techniques": ["T1005", "T1145"],
- },
- ],
-}
diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
deleted file mode 100644
index 2ecaa977b..000000000
--- a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
+++ /dev/null
@@ -1,105 +0,0 @@
-from monkey_island.cc.services.utils.typographic_symbols import WARNING_SIGN
-
-EXPLOITER_CLASSES = {
- "title": "Exploiters",
- "description": "Click on exploiter to get more information about it."
- + WARNING_SIGN
- + " Note that using unsafe exploits may cause crashes of the exploited " "machine/service.",
- "type": "string",
- "anyOf": [
- {
- "type": "string",
- "enum": ["SmbExploiter"],
- "title": "SMB Exploiter",
- "safe": True,
- "attack_techniques": ["T1110", "T1075", "T1035"],
- "info": "Brute forces using credentials provided by user and"
- " hashes gathered by mimikatz.",
- "link": "https://www.guardicore.com/infectionmonkey/docs/reference"
- "/exploiters/smbexec/",
- },
- {
- "type": "string",
- "enum": ["WmiExploiter"],
- "title": "WMI Exploiter",
- "safe": True,
- "attack_techniques": ["T1110", "T1106"],
- "info": "Brute forces WMI (Windows Management Instrumentation) "
- "using credentials provided by user and hashes gathered by "
- "mimikatz.",
- "link": "https://www.guardicore.com/infectionmonkey/docs/reference"
- "/exploiters/wmiexec/",
- },
- {
- "type": "string",
- "enum": ["MSSQLExploiter"],
- "title": "MSSQL Exploiter",
- "safe": True,
- "attack_techniques": ["T1110"],
- "info": "Tries to brute force into MsSQL server and uses insecure "
- "configuration to execute commands on server.",
- "link": "https://www.guardicore.com/infectionmonkey/docs/reference"
- "/exploiters/mssql/",
- },
- {
- "type": "string",
- "enum": ["SSHExploiter"],
- "title": "SSH Exploiter",
- "safe": True,
- "attack_techniques": ["T1110", "T1145", "T1106"],
- "info": "Brute forces using credentials provided by user and SSH keys "
- "gathered from systems.",
- "link": "https://www.guardicore.com/infectionmonkey/docs/reference"
- "/exploiters/sshexec/",
- },
- {
- "type": "string",
- "enum": ["HadoopExploiter"],
- "title": "Hadoop/Yarn Exploiter",
- "safe": True,
- "info": "Remote code execution on HADOOP server with YARN and default settings. "
- "Logic based on "
- "https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn.",
- "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/hadoop/",
- },
- {
- "type": "string",
- "enum": ["ZerologonExploiter"],
- "title": "Zerologon Exploiter",
- "safe": False,
- "info": "Exploits a privilege escalation vulnerability (CVE-2020-1472) in a Windows "
- "server domain controller (DC) by using the Netlogon Remote Protocol (MS-NRPC). "
- "This exploiter changes the password of a Windows server DC account, steals "
- "credentials, and then attempts to restore the original DC password. The victim DC "
- "will be unable to communicate with other DCs until the original "
- "password has been restored. If Infection Monkey fails to restore the "
- "password automatically, you'll have to do it manually. For more "
- "information, see the documentation.",
- "link": "https://www.guardicore.com/infectionmonkey"
- "/docs/reference/exploiters/zerologon/",
- },
- {
- "type": "string",
- "enum": ["PowerShellExploiter"],
- "title": "PowerShell Remoting Exploiter",
- "info": "Exploits PowerShell remote execution setups. PowerShell Remoting uses Windows "
- "Remote Management (WinRM) to allow users to run PowerShell commands on remote "
- "computers.",
- "safe": True,
- "link": "https://www.guardicore.com/infectionmonkey"
- "/docs/reference/exploiters/powershell",
- },
- {
- "type": "string",
- "enum": ["Log4ShellExploiter"],
- "title": "Log4Shell Exploiter",
- "safe": True,
- "info": "Exploits a software vulnerability (CVE-2021-44228) in Apache Log4j, a Java "
- "logging framework. Exploitation is attempted on the following services — "
- "Apache Solr, Apache Tomcat, Logstash.",
- "link": "https://www.guardicore.com/infectionmonkey/docs/reference"
- "/exploiters/log4shell/",
- },
- ],
-}
diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py b/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py
deleted file mode 100644
index 1a983a899..000000000
--- a/monkey/monkey_island/cc/services/config_schema/definitions/finger_classes.py
+++ /dev/null
@@ -1,48 +0,0 @@
-FINGER_CLASSES = {
- "title": "Fingerprinters",
- "description": "Fingerprint modules collect info about external services "
- "Infection Monkey scans.",
- "type": "string",
- "anyOf": [
- {
- "type": "string",
- "enum": ["SMBFinger"],
- "title": "SMB Fingerprinter",
- "safe": True,
- "info": "Figures out if SMB is running and what's the version of it.",
- "attack_techniques": ["T1210"],
- },
- {
- "type": "string",
- "enum": ["SSHFinger"],
- "title": "SSH Fingerprinter",
- "safe": True,
- "info": "Figures out if SSH is running.",
- "attack_techniques": ["T1210"],
- },
- {
- "type": "string",
- "enum": ["HTTPFinger"],
- "title": "HTTP Fingerprinter",
- "safe": True,
- "info": "Checks if host has HTTP/HTTPS ports open.",
- },
- {
- "type": "string",
- "enum": ["MSSQLFinger"],
- "title": "MSSQL Fingerprinter",
- "safe": True,
- "info": "Checks if Microsoft SQL service is running and tries to gather "
- "information about it.",
- "attack_techniques": ["T1210"],
- },
- {
- "type": "string",
- "enum": ["ElasticFinger"],
- "title": "Elastic Fingerprinter",
- "safe": True,
- "info": "Checks if ElasticSearch is running and attempts to find it's " "version.",
- "attack_techniques": ["T1210"],
- },
- ],
-}
diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py
deleted file mode 100644
index d6831ed63..000000000
--- a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py
+++ /dev/null
@@ -1,105 +0,0 @@
-POST_BREACH_ACTIONS = {
- "title": "Post-Breach Actions",
- "description": "Runs scripts/commands on infected machines. These actions safely simulate what "
- "an adversary might do after breaching a new machine. Used in ATT&CK and Zero trust reports.",
- "type": "string",
- "anyOf": [
- {
- "type": "string",
- "enum": ["CommunicateAsBackdoorUser"],
- "title": "Communicate as Backdoor User",
- "safe": True,
- "info": "Attempts to create a new user, create HTTPS requests as that "
- "user and delete the user "
- "afterwards.",
- "attack_techniques": ["T1136"],
- },
- {
- "type": "string",
- "enum": ["ModifyShellStartupFiles"],
- "title": "Modify Shell Startup Files",
- "safe": True,
- "info": "Attempts to modify shell startup files, like ~/.profile, "
- "~/.bashrc, ~/.bash_profile "
- "in linux, and profile.ps1 in windows. Reverts modifications done"
- " afterwards.",
- "attack_techniques": ["T1156", "T1504"],
- },
- {
- "type": "string",
- "enum": ["HiddenFiles"],
- "title": "Hidden Files and Directories",
- "safe": True,
- "info": "Attempts to create a hidden file and remove it afterward.",
- "attack_techniques": ["T1158"],
- },
- {
- "type": "string",
- "enum": ["TrapCommand"],
- "title": "Trap Command",
- "safe": True,
- "info": "On Linux systems, attempts to trap a terminate signal in order "
- "to execute a command upon receiving that signal. Removes the trap afterwards.",
- "attack_techniques": ["T1154"],
- },
- {
- "type": "string",
- "enum": ["ChangeSetuidSetgid"],
- "title": "Setuid and Setgid",
- "safe": True,
- "info": "On Linux systems, attempts to set the setuid and setgid bits of "
- "a new file. "
- "Removes the file afterwards.",
- "attack_techniques": ["T1166"],
- },
- {
- "type": "string",
- "enum": ["ScheduleJobs"],
- "title": "Job Scheduling",
- "safe": True,
- "info": "Attempts to create a scheduled job on the system and remove it.",
- "attack_techniques": ["T1168", "T1053"],
- },
- {
- "type": "string",
- "enum": ["Timestomping"],
- "title": "Timestomping",
- "safe": True,
- "info": "Creates a temporary file and attempts to modify its time "
- "attributes. Removes the file afterwards.",
- "attack_techniques": ["T1099"],
- },
- {
- "type": "string",
- "enum": ["SignedScriptProxyExecution"],
- "title": "Signed Script Proxy Execution",
- "safe": False,
- "info": "On Windows systems, attempts to execute an arbitrary file "
- "with the help of a pre-existing signed script.",
- "attack_techniques": ["T1216"],
- },
- {
- "type": "string",
- "enum": ["AccountDiscovery"],
- "title": "Account Discovery",
- "safe": True,
- "info": "Attempts to get a listing of user accounts on the system.",
- "attack_techniques": ["T1087"],
- },
- {
- "type": "string",
- "enum": ["ClearCommandHistory"],
- "title": "Clear Command History",
- "safe": False,
- "info": "Attempts to clear the command history.",
- "attack_techniques": ["T1146"],
- },
- {
- "type": "string",
- "enum": ["ProcessListCollection"],
- "title": "Process List Collector",
- "safe": True,
- "info": "Collects a list of running processes on the machine.",
- },
- ],
-}