forked from p15670423/monkey
117 lines
7.9 KiB
Plaintext
117 lines
7.9 KiB
Plaintext
{
|
|
"id": "tbxb2cGgUiJQ8Btma0fp",
|
|
"name": "Add a simple Post Breach action",
|
|
"dod": "You should add a new PBA to the Monkey which creates a new user on the machine.",
|
|
"description": "Read [our documentation about adding a new PBA](https://www.guardicore.com/infectionmonkey/docs/development/adding-post-breach-actions/).\n\nAfter that we want you to add the BackdoorUser PBA. The commands that add users for Win and Linux can be retrieved from `get_commands_to_add_user` - make sure you see how to use this function correctly. \n\nNote that the PBA should impact the T1136 MITRE technique as well! \n\n# Manual test to confirm\n\n1. Run the Monkey Island\n2. Make sure your new PBA is enabled by default in the config - for this test, disable network scanning, exploiting, and all other PBAs\n3. Run Monkey\n4. See the PBA in the security report\n5, See the PBA in the MITRE report in the relevant technique\n",
|
|
"summary": "Take a look at the configuration of the island again - see the \"command to run after breach\" option we offer the user? It's implemented exactly like you did right now but each user can do it for themselves. \n\nHowever, what if the PBA needs to do stuff which is more complex than just running a few commands? In that case... ",
|
|
"tests": [],
|
|
"hints": [
|
|
"See `ScheduleJobs` PBA for an example of a PBA which only uses shell commands",
|
|
"Make sure to add the PBA to the configuration as well."
|
|
],
|
|
"swimmPatch": {
|
|
"monkey/common/common_consts/post_breach_consts.py": {
|
|
"diffType": "MODIFIED",
|
|
"fileDiffHeader": "diff --git a/monkey/common/common_consts/post_breach_consts.py b/monkey/common/common_consts/post_breach_consts.py\nindex 25e6679c..5198f006 100644\n--- a/monkey/common/common_consts/post_breach_consts.py\n+++ b/monkey/common/common_consts/post_breach_consts.py",
|
|
"hunks": [
|
|
{
|
|
"swimmHunkMetadata": {},
|
|
"hunkDiffLines": [
|
|
"@@ -1,5 +1,4 @@",
|
|
" POST_BREACH_COMMUNICATE_AS_NEW_USER = \"Communicate as new user\"",
|
|
"-POST_BREACH_BACKDOOR_USER = \"Backdoor user\"",
|
|
" POST_BREACH_FILE_EXECUTION = \"File execution\"",
|
|
" POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION = \"Modify shell startup file\"",
|
|
" POST_BREACH_HIDDEN_FILES = \"Hide files and directories\""
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"monkey/infection_monkey/post_breach/actions/add_user.py": {
|
|
"diffType": "MODIFIED",
|
|
"fileDiffHeader": "diff --git a/monkey/infection_monkey/post_breach/actions/add_user.py b/monkey/infection_monkey/post_breach/actions/add_user.py\nindex a8584584..d8476a97 100644\n--- a/monkey/infection_monkey/post_breach/actions/add_user.py\n+++ b/monkey/infection_monkey/post_breach/actions/add_user.py",
|
|
"hunks": [
|
|
{
|
|
"swimmHunkMetadata": {},
|
|
"hunkDiffLines": [
|
|
"@@ -1,15 +1,7 @@",
|
|
"-from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER",
|
|
"-from infection_monkey.config import WormConfiguration",
|
|
" from infection_monkey.post_breach.pba import PBA",
|
|
" from infection_monkey.utils.users import get_commands_to_add_user",
|
|
" ",
|
|
" ",
|
|
" class BackdoorUser(PBA):",
|
|
" def __init__(self):",
|
|
"- linux_cmds, windows_cmds = get_commands_to_add_user(",
|
|
"+ pass # Swimmer: Impl here!",
|
|
"- WormConfiguration.user_to_add,",
|
|
"- WormConfiguration.remote_user_pass)",
|
|
"- super(BackdoorUser, self).__init__(",
|
|
"- POST_BREACH_BACKDOOR_USER,",
|
|
"- linux_cmd=' '.join(linux_cmds),",
|
|
"- windows_cmd=windows_cmds)"
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"monkey/monkey_island/cc/services/attack/technique_reports/T1136.py": {
|
|
"diffType": "MODIFIED",
|
|
"fileDiffHeader": "diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py\nindex d9d86e08..0abe6a02 100644\n--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py\n+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py",
|
|
"hunks": [
|
|
{
|
|
"swimmHunkMetadata": {},
|
|
"hunkDiffLines": [
|
|
"@@ -1,4 +1,4 @@",
|
|
"-from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER",
|
|
"+from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_NEW_USER",
|
|
" from monkey_island.cc.services.attack.technique_reports.pba_technique import PostBreachTechnique",
|
|
" ",
|
|
" __author__ = \"shreyamalviya\""
|
|
]
|
|
},
|
|
{
|
|
"swimmHunkMetadata": {},
|
|
"hunkDiffLines": [
|
|
"@@ -9,4 +9,4 @@",
|
|
" unscanned_msg = \"Monkey didn't try creating a new user on the network's systems.\"",
|
|
" scanned_msg = \"Monkey tried creating a new user on the network's systems, but failed.\"",
|
|
" used_msg = \"Monkey created a new user on the network's systems.\"",
|
|
"- pba_names = [POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER]",
|
|
"+ pba_names = [POST_BREACH_COMMUNICATE_AS_NEW_USER]"
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": {
|
|
"diffType": "MODIFIED",
|
|
"fileDiffHeader": "diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py\nindex f1fe0f6f..39ebd33a 100644\n--- a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py\n+++ b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py",
|
|
"hunks": [
|
|
{
|
|
"swimmHunkMetadata": {},
|
|
"hunkDiffLines": [
|
|
"@@ -4,15 +4,7 @@",
|
|
" \"might do after breaching a new machine. Used in ATT&CK and Zero trust reports.\",",
|
|
" \"type\": \"string\",",
|
|
" \"anyOf\": [",
|
|
"- {",
|
|
"+ # Swimmer: Add new PBA here to config!",
|
|
"- \"type\": \"string\",",
|
|
"- \"enum\": [",
|
|
"- \"BackdoorUser\"",
|
|
"- ],",
|
|
"- \"title\": \"Back door user\",",
|
|
"- \"info\": \"Attempts to create a new user on the system and delete it afterwards.\",",
|
|
"- \"attack_techniques\": [\"T1136\"]",
|
|
"- },",
|
|
" {",
|
|
" \"type\": \"string\",",
|
|
" \"enum\": ["
|
|
]
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"app_version": "0.2.1",
|
|
"file_version": "1.0.3"
|
|
} |