Commit Graph

5761 Commits

Author SHA1 Message Date
Ilija Lazoroski 69754205d0 Island: Add condition for leaving readme 2021-07-09 11:15:55 +02:00
Ilija Lazoroski 253f2668d0 Island: Add hidden widget to encryption and readme in ransomware 2021-07-08 20:49:55 +02:00
Mike Salvatore fb50ba1e55 Agent: Remove unnecessary `if` from _find_files() 2021-07-08 12:52:05 -04:00
Mike Salvatore bb554d923d Agent: Rename _valid_file_extensions... -> _targeted_file_extensions 2021-07-08 12:52:05 -04:00
Mike Salvatore 24fdb9e299
Merge pull request #1307 from guardicore/ransomware-inject-copy-dependency
Ransomware README improvements
2021-07-08 12:50:32 -04:00
Mike Salvatore 92c5c3b682 Agent: Extract method _copy_file() from _leave_readme()
Reworks the logic in _leave_readme() to reduce indenting and improve
clarity and extracts the logic to copy the file into _copy_readme_file()
2021-07-08 12:04:50 -04:00
Mike Salvatore 7454ee72b2 Agent: Switch copy_file typehint from str to Path 2021-07-08 12:04:12 -04:00
Mike Salvatore 064525e6b9 Agent: Don't try to create README.txt if one already exists 2021-07-08 11:59:50 -04:00
Mike Salvatore f0e9109f64 Agent: Inject copy_file callable into RansomwarePayload
In order to test certain conditions, our options are to either
monkeypatch shutil.copyfile(), or inject a callable into the
RansomwarePayload. Monkeypatching shutil.copyfile() could lead to
issues down the road. For example, if the implementation of
`_leave_readme()` is changed to no longer use copyfile(), a test that
asserts that copyfile() has not been called will pass, even though a
file may have been copied.
2021-07-08 11:23:15 -04:00
Shreya a95adfb5b6 island: Replace key ("stats" -> "propagation") in RansomwareReport data 2021-07-08 19:59:34 +05:30
Shreya 38bead54ae island: Extract methods (all static) in class RansomwareReportService and remove the class 2021-07-08 19:53:52 +05:30
Shreya 27058cc827 island: Remove unnecessary code in RansomwareReportService 2021-07-08 19:49:08 +05:30
Mike Salvatore e1b08079f1
Merge pull request #1305 from guardicore/ransomware-skip-encryption-test-refactor
Island: Refactor test_encryption_skipped_if_no_directory()
2021-07-08 06:37:49 -04:00
Shreya d7ec2db477 island: Rename `get_exploitation_stats()` to `get_exploitation_details()` 2021-07-08 15:46:27 +05:30
Shreya 79d042b471 island: Create RansomwareReportService and add `get_exploitation_stats()` to it 2021-07-08 15:44:43 +05:30
Mike Salvatore ecb20dc99a Island: Refactor test_encryption_skipped_if_no_directory()
The old implementation tightly coupled the test to the specific
implementation of the ransomware payload. Since the ransomware payload
provides insight into its actions in the form of telemetry, it should be
sufficient to test whether or not any telemetries were sent in order to
determine whether or not encryption was skipped. This way, the test can
remain decoupled from the internal workings of the ransomware payload.
2021-07-07 19:14:45 -04:00
Mike Salvatore 0db85ae407
Merge pull request #1300 from guardicore/expand-path-returns-path
Expand path returns path
2021-07-07 19:11:10 -04:00
Mike Salvatore ae7687243f Island: Return Path object from expand_path() 2021-07-07 18:49:50 -04:00
Mike Salvatore 8508a9f98f Island: Remove unnecessary expand_path() call 2021-07-07 08:26:37 -04:00
VakarisZ 9ed2145810
Merge pull request #1303 from guardicore/ransomeware_cwd_encryption_bugfix
Ransomware bugfix: cwd encryption by default
2021-07-07 14:20:39 +03:00
VakarisZ 726e180797 Add a log message explaining why ransomware target directory is set to none 2021-07-07 13:02:10 +03:00
VakarisZ d33fc26fe3 Add a UT to test if ransomware payload tries to encrypt files if "linux_target_dir" and "windows_target_dir" inputs are empty.
We have empty "linux_target_dir" and "windows_target_dir" by default, so it's important that the ransomware payload doesn't try to encrypt files by default, without users' knowledge.
2021-07-07 11:45:12 +03:00
VakarisZ d3beebf995 Change ransomware_payload.py to not encrypt files in CWD if no directory was specified 2021-07-07 11:41:42 +03:00
VakarisZ ca1712cdd6 Extract the logic of determining target directory for ransomware payload into a separate method 2021-07-07 11:40:56 +03:00
VakarisZ bd60bef35f Change the expand_path method in file_utils.py to throw an error if an empty file path is provided instead of expanding it to current working directory 2021-07-07 11:23:10 +03:00
VakarisZ 6282cd0de3 Add a UT to test if ransomware payload tries to encrypt files if "linux_target_dir" and "windows_target_dir" inputs are empty.
We have empty "linux_target_dir" and "windows_target_dir" by default, so it's important that the ransomware payload doesn't try to encrypt files by default, without users' knowledge.
2021-07-07 10:48:35 +03:00
Mike Salvatore 5a77785164 Tests: Remove Path -> str implicit conversion warning 2021-07-06 11:56:25 -04:00
Mike Salvatore a512fd947a Tests: Return Path object from patched_home_env() fixture 2021-07-06 11:31:12 -04:00
Mike Salvatore 5ac574bd17 Tests: Fix failing expand_path() tests 2021-07-06 11:29:42 -04:00
Mike Salvatore 8dd1aa25ac
Merge pull request #1292 from guardicore/ransomware_dir_fix
Ransomware: bugfix for directories
2021-07-06 11:25:13 -04:00
Shreya Malviya 999399ae2d
Merge pull request #1291 from guardicore/ransomware-reporting-tab
Add ransomware report tab
2021-07-06 19:59:07 +05:30
Shreya 53faf5a3db tests: Rename test file to avoid "import name mismatch" error by pytest 2021-07-06 19:58:24 +05:30
Shreya c802914cf6 tests: Update tests according to previous changes with `expand_path()` 2021-07-06 19:46:08 +05:30
Shreya 96c3a2ed12 agent, island: Replace import path for `expand_path()` everywhere 2021-07-06 19:45:08 +05:30
Mike Salvatore 6622fc0ff5 Island: Do not set state from props in RansomwareReport 2021-07-06 10:10:33 -04:00
Shreya d0a94e6223 agent, common, island: Move file util `expand_path` to `common/` 2021-07-06 19:40:10 +05:30
Mike Salvatore b1ab2525fd
Merge pull request #1288 from guardicore/ransomware-target-dir-validators
Validate ransomware target directories
2021-07-06 09:50:47 -04:00
Shreya ded6ce0cd0 agent: Use `expand_path()` instead of `os.path` functions in ransomware payload 2021-07-06 19:18:52 +05:30
Mike Salvatore 4bec9576aa Island: Remove extra + from windows environment variable regex 2021-07-06 09:38:32 -04:00
Mike Salvatore 638db3d7e0 Island: Escape '-' character in environment variable regex
Co-authored-by: Shreya Malviya <shreya.malviya@gmail.com>
2021-07-06 09:38:32 -04:00
Mike Salvatore d2dda4519f Island: Allow Windows ransomware target paths to be UNC paths 2021-07-06 09:38:32 -04:00
Mike Salvatore 9d4ee88e09 Island: Do not allow Windows ransomware target paths beginning with "$"
As far as I can tell, environment variables in Windows look like %NAME%.
Variables in powershell begin with $, but file explorer doesn't
recognize paths beginning with $ as valid.
2021-07-06 09:38:32 -04:00
Mike Salvatore df6082b50a Island: Refactor linux/windows ransomware path regexes
Refactored because the escape characters were cumbersome and difficult
to read when regexes were defined as strings. Also allow special
characters in Windows environment variable names as per
https://ss64.com/nt/syntax-variables.html
2021-07-06 09:38:32 -04:00
Shreya dc305d8e16 cc: Add validation format (starts with `~`) for ransomware linux target directory 2021-07-06 09:38:32 -04:00
Shreya f8a062876c agent: Create `file_utils.py` and add `expand_path()` to it 2021-07-06 19:07:53 +05:30
Shreya e91d7a6282 agent: Change type hint for FileEncryption's `__init__()`'s `filepath` 2021-07-06 19:04:55 +05:30
Mike Salvatore b17b85d7e7
Merge pull request #1299 from guardicore/delimiter-windows-certificate
island: Add delimiter to windows create_certificate
2021-07-06 09:23:30 -04:00
Mike Salvatore 0fd88b8097 Merge pull request #1297 from guardicore/ransomware-report-api-endpoint 2021-07-06 09:22:11 -04:00
Mike Salvatore 832704dd1c
Merge pull request #1298 from guardicore/gevent-ssl-traceback
Gevent ssl traceback
2021-07-06 09:19:44 -04:00
Mike Salvatore 96fc33025e Island: Redirect gevent tracebacks to file and log exceptions
By default, gevent prints exceptions and tracebacks to stderr. This is
obnoxious as it results in large tracebacks intermixed with the output
that the logger prints to the console. This commit redirects this data
to {DATA_DIR}/gevent_exceptions.log. Unfortunately, this would mean that
the user might be left without any indication these exceptions had
occurred, unless they take the time to inspect the
gevent_exceptions.log. Therefore, when an exception occurs, a message
with just the exception (not the traceback) is logged to WARNING.

Fixes #859
2021-07-06 08:39:30 -04:00