forked from p15670423/monkey
Island: Remove old configuration schema's definitions
This commit is contained in:
parent
568a10e2f9
commit
ff17237ea7
|
@ -1,25 +0,0 @@
|
||||||
from common.common_consts.credential_collector_names import MIMIKATZ_COLLECTOR, SSH_COLLECTOR
|
|
||||||
|
|
||||||
CREDENTIAL_COLLECTORS = {
|
|
||||||
"title": "Credential Collectors",
|
|
||||||
"description": "Click on a credential collector to find out what it collects.",
|
|
||||||
"type": "string",
|
|
||||||
"anyOf": [
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": [MIMIKATZ_COLLECTOR],
|
|
||||||
"title": "Mimikatz Credentials Collector",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Collects credentials from Windows credential manager.",
|
|
||||||
"attack_techniques": ["T1003", "T1005"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": [SSH_COLLECTOR],
|
|
||||||
"title": "SSH Credentials Collector",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Searches users' home directories and collects SSH keypairs.",
|
|
||||||
"attack_techniques": ["T1005", "T1145"],
|
|
||||||
},
|
|
||||||
],
|
|
||||||
}
|
|
|
@ -1,105 +0,0 @@
|
||||||
from monkey_island.cc.services.utils.typographic_symbols import WARNING_SIGN
|
|
||||||
|
|
||||||
EXPLOITER_CLASSES = {
|
|
||||||
"title": "Exploiters",
|
|
||||||
"description": "Click on exploiter to get more information about it."
|
|
||||||
+ WARNING_SIGN
|
|
||||||
+ " Note that using unsafe exploits may cause crashes of the exploited "
|
|
||||||
"machine/service.",
|
|
||||||
"type": "string",
|
|
||||||
"anyOf": [
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["SmbExploiter"],
|
|
||||||
"title": "SMB Exploiter",
|
|
||||||
"safe": True,
|
|
||||||
"attack_techniques": ["T1110", "T1075", "T1035"],
|
|
||||||
"info": "Brute forces using credentials provided by user and"
|
|
||||||
" hashes gathered by mimikatz.",
|
|
||||||
"link": "https://www.guardicore.com/infectionmonkey/docs/reference"
|
|
||||||
"/exploiters/smbexec/",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["WmiExploiter"],
|
|
||||||
"title": "WMI Exploiter",
|
|
||||||
"safe": True,
|
|
||||||
"attack_techniques": ["T1110", "T1106"],
|
|
||||||
"info": "Brute forces WMI (Windows Management Instrumentation) "
|
|
||||||
"using credentials provided by user and hashes gathered by "
|
|
||||||
"mimikatz.",
|
|
||||||
"link": "https://www.guardicore.com/infectionmonkey/docs/reference"
|
|
||||||
"/exploiters/wmiexec/",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["MSSQLExploiter"],
|
|
||||||
"title": "MSSQL Exploiter",
|
|
||||||
"safe": True,
|
|
||||||
"attack_techniques": ["T1110"],
|
|
||||||
"info": "Tries to brute force into MsSQL server and uses insecure "
|
|
||||||
"configuration to execute commands on server.",
|
|
||||||
"link": "https://www.guardicore.com/infectionmonkey/docs/reference"
|
|
||||||
"/exploiters/mssql/",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["SSHExploiter"],
|
|
||||||
"title": "SSH Exploiter",
|
|
||||||
"safe": True,
|
|
||||||
"attack_techniques": ["T1110", "T1145", "T1106"],
|
|
||||||
"info": "Brute forces using credentials provided by user and SSH keys "
|
|
||||||
"gathered from systems.",
|
|
||||||
"link": "https://www.guardicore.com/infectionmonkey/docs/reference"
|
|
||||||
"/exploiters/sshexec/",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["HadoopExploiter"],
|
|
||||||
"title": "Hadoop/Yarn Exploiter",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Remote code execution on HADOOP server with YARN and default settings. "
|
|
||||||
"Logic based on "
|
|
||||||
"https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn.",
|
|
||||||
"link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/hadoop/",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["ZerologonExploiter"],
|
|
||||||
"title": "Zerologon Exploiter",
|
|
||||||
"safe": False,
|
|
||||||
"info": "Exploits a privilege escalation vulnerability (CVE-2020-1472) in a Windows "
|
|
||||||
"server domain controller (DC) by using the Netlogon Remote Protocol (MS-NRPC). "
|
|
||||||
"This exploiter changes the password of a Windows server DC account, steals "
|
|
||||||
"credentials, and then attempts to restore the original DC password. The victim DC "
|
|
||||||
"will be unable to communicate with other DCs until the original "
|
|
||||||
"password has been restored. If Infection Monkey fails to restore the "
|
|
||||||
"password automatically, you'll have to do it manually. For more "
|
|
||||||
"information, see the documentation.",
|
|
||||||
"link": "https://www.guardicore.com/infectionmonkey"
|
|
||||||
"/docs/reference/exploiters/zerologon/",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["PowerShellExploiter"],
|
|
||||||
"title": "PowerShell Remoting Exploiter",
|
|
||||||
"info": "Exploits PowerShell remote execution setups. PowerShell Remoting uses Windows "
|
|
||||||
"Remote Management (WinRM) to allow users to run PowerShell commands on remote "
|
|
||||||
"computers.",
|
|
||||||
"safe": True,
|
|
||||||
"link": "https://www.guardicore.com/infectionmonkey"
|
|
||||||
"/docs/reference/exploiters/powershell",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["Log4ShellExploiter"],
|
|
||||||
"title": "Log4Shell Exploiter",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Exploits a software vulnerability (CVE-2021-44228) in Apache Log4j, a Java "
|
|
||||||
"logging framework. Exploitation is attempted on the following services — "
|
|
||||||
"Apache Solr, Apache Tomcat, Logstash.",
|
|
||||||
"link": "https://www.guardicore.com/infectionmonkey/docs/reference"
|
|
||||||
"/exploiters/log4shell/",
|
|
||||||
},
|
|
||||||
],
|
|
||||||
}
|
|
|
@ -1,48 +0,0 @@
|
||||||
FINGER_CLASSES = {
|
|
||||||
"title": "Fingerprinters",
|
|
||||||
"description": "Fingerprint modules collect info about external services "
|
|
||||||
"Infection Monkey scans.",
|
|
||||||
"type": "string",
|
|
||||||
"anyOf": [
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["SMBFinger"],
|
|
||||||
"title": "SMB Fingerprinter",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Figures out if SMB is running and what's the version of it.",
|
|
||||||
"attack_techniques": ["T1210"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["SSHFinger"],
|
|
||||||
"title": "SSH Fingerprinter",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Figures out if SSH is running.",
|
|
||||||
"attack_techniques": ["T1210"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["HTTPFinger"],
|
|
||||||
"title": "HTTP Fingerprinter",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Checks if host has HTTP/HTTPS ports open.",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["MSSQLFinger"],
|
|
||||||
"title": "MSSQL Fingerprinter",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Checks if Microsoft SQL service is running and tries to gather "
|
|
||||||
"information about it.",
|
|
||||||
"attack_techniques": ["T1210"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["ElasticFinger"],
|
|
||||||
"title": "Elastic Fingerprinter",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Checks if ElasticSearch is running and attempts to find it's " "version.",
|
|
||||||
"attack_techniques": ["T1210"],
|
|
||||||
},
|
|
||||||
],
|
|
||||||
}
|
|
|
@ -1,105 +0,0 @@
|
||||||
POST_BREACH_ACTIONS = {
|
|
||||||
"title": "Post-Breach Actions",
|
|
||||||
"description": "Runs scripts/commands on infected machines. These actions safely simulate what "
|
|
||||||
"an adversary might do after breaching a new machine. Used in ATT&CK and Zero trust reports.",
|
|
||||||
"type": "string",
|
|
||||||
"anyOf": [
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["CommunicateAsBackdoorUser"],
|
|
||||||
"title": "Communicate as Backdoor User",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Attempts to create a new user, create HTTPS requests as that "
|
|
||||||
"user and delete the user "
|
|
||||||
"afterwards.",
|
|
||||||
"attack_techniques": ["T1136"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["ModifyShellStartupFiles"],
|
|
||||||
"title": "Modify Shell Startup Files",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Attempts to modify shell startup files, like ~/.profile, "
|
|
||||||
"~/.bashrc, ~/.bash_profile "
|
|
||||||
"in linux, and profile.ps1 in windows. Reverts modifications done"
|
|
||||||
" afterwards.",
|
|
||||||
"attack_techniques": ["T1156", "T1504"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["HiddenFiles"],
|
|
||||||
"title": "Hidden Files and Directories",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Attempts to create a hidden file and remove it afterward.",
|
|
||||||
"attack_techniques": ["T1158"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["TrapCommand"],
|
|
||||||
"title": "Trap Command",
|
|
||||||
"safe": True,
|
|
||||||
"info": "On Linux systems, attempts to trap a terminate signal in order "
|
|
||||||
"to execute a command upon receiving that signal. Removes the trap afterwards.",
|
|
||||||
"attack_techniques": ["T1154"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["ChangeSetuidSetgid"],
|
|
||||||
"title": "Setuid and Setgid",
|
|
||||||
"safe": True,
|
|
||||||
"info": "On Linux systems, attempts to set the setuid and setgid bits of "
|
|
||||||
"a new file. "
|
|
||||||
"Removes the file afterwards.",
|
|
||||||
"attack_techniques": ["T1166"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["ScheduleJobs"],
|
|
||||||
"title": "Job Scheduling",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Attempts to create a scheduled job on the system and remove it.",
|
|
||||||
"attack_techniques": ["T1168", "T1053"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["Timestomping"],
|
|
||||||
"title": "Timestomping",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Creates a temporary file and attempts to modify its time "
|
|
||||||
"attributes. Removes the file afterwards.",
|
|
||||||
"attack_techniques": ["T1099"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["SignedScriptProxyExecution"],
|
|
||||||
"title": "Signed Script Proxy Execution",
|
|
||||||
"safe": False,
|
|
||||||
"info": "On Windows systems, attempts to execute an arbitrary file "
|
|
||||||
"with the help of a pre-existing signed script.",
|
|
||||||
"attack_techniques": ["T1216"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["AccountDiscovery"],
|
|
||||||
"title": "Account Discovery",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Attempts to get a listing of user accounts on the system.",
|
|
||||||
"attack_techniques": ["T1087"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["ClearCommandHistory"],
|
|
||||||
"title": "Clear Command History",
|
|
||||||
"safe": False,
|
|
||||||
"info": "Attempts to clear the command history.",
|
|
||||||
"attack_techniques": ["T1146"],
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["ProcessListCollection"],
|
|
||||||
"title": "Process List Collector",
|
|
||||||
"safe": True,
|
|
||||||
"info": "Collects a list of running processes on the machine.",
|
|
||||||
},
|
|
||||||
],
|
|
||||||
}
|
|
Loading…
Reference in New Issue