From 10697934d6bde1fad9548171fb7382cee4c80022 Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Mon, 30 Aug 2021 12:44:13 +0200
Subject: [PATCH] Rename Communicate as new user to Communicate as backdoor user
---
 CHANGELOG.md | 2 ++
 .../development/adding-post-breach-actions.md | 6 +++---
 monkey/common/common_consts/post_breach_consts.py | 2 +-
 monkey/common/common_consts/zero_trust_consts.py | 6 +++---
 ...s_new_user.py => communicate_as_backdoor_user.py} | 12 +++++++-----
 .../cc/services/attack/technique_reports/T1136.py | 4 ++--
 .../attack/technique_reports/pba_technique.py | 2 +-
 .../config_schema/definitions/post_breach_actions.py | 4 ++--
 .../cc/services/config_schema/monkey.py | 2 +-
 .../cc/services/telemetry/processing/post_breach.py | 8 ++++----
 ...s_new_user.py => communicate_as_backdoor_user.py} | 8 ++++----
 .../monkey_configs/monkey_config_standard.json | 2 +-
 .../test_monkey_zt_finding_service.py | 6 +++---
 13 files changed, 34 insertions(+), 30 deletions(-)
 rename monkey/infection_monkey/post_breach/actions/{communicate_as_new_user.py => communicate_as_backdoor_user.py} (91%)
 rename monkey/monkey_island/cc/services/telemetry/zero_trust_checks/{communicate_as_new_user.py => communicate_as_backdoor_user.py} (88%)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4c6965c8e..37f0fec5b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -70,10 +70,12 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 - Improve runtime of some unit tests. #1125
 - Run curl OR wget (not both) when attempting to communicate as a new user on Linux. #1407
+- Renamed Communicate as new user to Communicate as backdoor user. #1433
 ### Removed
 - Relevant dead code as reported by Vulture. #1149
 - Island logger config and --logger-config CLI option. #1151
+- Backdoor user post breach action. #1433
 ### Fixed
 - Attempt to delete a directory when monkey config reset was called. #1054
diff --git a/docs/content/development/adding-post-breach-actions.md b/docs/content/development/adding-post-breach-actions.md
index 659bb9473..91a5ad888 100644
--- a/docs/content/development/adding-post-breach-actions.md
+++ b/docs/content/development/adding-post-breach-actions.md
@@ -39,9 +39,9 @@ class MyNewPba(PBA):
 #### Implementation
-If your PBA consists only of simple shell commands, you can reuse the generic PBA by passing the commands into the constructor. See the `add_user.py` PBA for reference.
+If your PBA consists only of simple shell commands, you can reuse the generic PBA by passing the commands into the constructor. See the `account_discovery.py` PBA for reference.
-Otherwise, you'll need to override the `run` method with your own implementation. See the `communicate_as_new_user.py` PBA for reference. Make sure to send the relevant PostBreachTelem upon success/failure. You can log during the PBA as well.
+Otherwise, you'll need to override the `run` method with your own implementation. See the `communicate_as_backdoor_user.py` PBA for reference. Make sure to send the relevant PostBreachTelem upon success/failure. You can log during the PBA as well.
 ### Modify the Monkey Island
@@ -73,4 +73,4 @@ Now you can choose your PBA when configuring the Infection Monkey on the Monkey
 #### Telemetry processing
-If you wish to process your PBA telemetry (for example, to analyze it for report data), add a processing function to the `POST_BREACH_TELEMETRY_PROCESSING_FUNCS`, which can be found at `monkey/monkey_island/cc/services/telemetry/processing/post_breach.py`. You can reference the `process_communicate_as_new_user_telemetry` method as an example.
+If you wish to process your PBA telemetry (for example, to analyze it for report data), add a processing function to the `POST_BREACH_TELEMETRY_PROCESSING_FUNCS`, which can be found at `monkey/monkey_island/cc/services/telemetry/processing/post_breach.py`. You can reference the `process_communicate_as_backdoor_user_telemetry` method as an example.
diff --git a/monkey/common/common_consts/post_breach_consts.py b/monkey/common/common_consts/post_breach_consts.py
index 5198f0068..01d314482 100644
--- a/monkey/common/common_consts/post_breach_consts.py
+++ b/monkey/common/common_consts/post_breach_consts.py
@@ -1,4 +1,4 @@
-POST_BREACH_COMMUNICATE_AS_NEW_USER = "Communicate as new user"
+POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER = "Communicate as backdoor user"
 POST_BREACH_FILE_EXECUTION = "File execution"
 POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION = "Modify shell startup file"
 POST_BREACH_HIDDEN_FILES = "Hide files and directories"
diff --git a/monkey/common/common_consts/zero_trust_consts.py b/monkey/common/common_consts/zero_trust_consts.py
index 6df648e00..245884e4a 100644
--- a/monkey/common/common_consts/zero_trust_consts.py
+++ b/monkey/common/common_consts/zero_trust_consts.py
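Review bot: The string value of the constant changes together with its name, and that value is used as a lookup key rather than only as a label: it keys POST_BREACH_TELEMETRY_PROCESSING_FUNCS in post_breach.py and fills T1136.pba_names, whose docstring in pba_technique.py describes a Mongo query over stored attack telemetries. Telemetry already in the database, or sent by an agent built before this rename, would presumably still carry "Communicate as new user" and stop matching either lookup; nothing in the commit migrates or tolerates the old value. The same concern applies to the zero_trust_consts value "communicate_as_new_user" → "communicate_as_backdoor_user" (the test name the island-side communicate_as_backdoor_user.py passes to MonkeyZTFindingService.create_or_add_to_existing, so presumably persisted with each finding) and to the config enum "CommunicateAsNewUser" → "CommunicateAsBackdoorUser" in post_breach_actions.py and monkey.py, which previously saved configurations may still contain. If that break is accepted, record it next to the constant, e.g. `# Value renamed in #1433; telemetry, findings and configs written before that still use "Communicate as new user"`.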
@@ -40,7 +40,7 @@ TEST_SCHEDULED_EXECUTION = "scheduled_execution"
 TEST_MALICIOUS_ACTIVITY_TIMELINE = "malicious_activity_timeline"
 TEST_SEGMENTATION = "segmentation"
 TEST_TUNNELING = "tunneling"
-TEST_COMMUNICATE_AS_NEW_USER = "communicate_as_new_user"
+TEST_COMMUNICATE_AS_BACKDOOR_USER = "communicate_as_backdoor_user"
 TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES = "scoutsuite_permissive_firewall_rules"
 TEST_SCOUTSUITE_UNENCRYPTED_DATA = "scoutsuite_unencrypted_data"
 TEST_SCOUTSUITE_DATA_LOSS_PREVENTION = "scoutsuite_data_loss_prevention"
@@ -58,7 +58,7 @@ TESTS = (
 TEST_DATA_ENDPOINT_HTTP,
 TEST_DATA_ENDPOINT_ELASTIC,
 TEST_TUNNELING,
- TEST_COMMUNICATE_AS_NEW_USER,
+ TEST_COMMUNICATE_AS_BACKDOOR_USER,
 TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES,
 TEST_SCOUTSUITE_UNENCRYPTED_DATA,
 TEST_SCOUTSUITE_DATA_LOSS_PREVENTION,
@@ -206,7 +206,7 @@ TESTS_MAP = {
 PILLARS_KEY: [NETWORKS, VISIBILITY_ANALYTICS],
 POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED],
 },
- TEST_COMMUNICATE_AS_NEW_USER: {
+ TEST_COMMUNICATE_AS_BACKDOOR_USER: {
 TEST_EXPLANATION_KEY: "The Monkey tried to create a new user and communicate "
 "with the internet from it.",
 FINDING_EXPLANATION_BY_STATUS_KEY: {
diff --git a/monkey/infection_monkey/post_breach/actions/communicate_as_new_user.py b/monkey/infection_monkey/post_breach/actions/communicate_as_backdoor_user.py
similarity index 91%
rename from monkey/infection_monkey/post_breach/actions/communicate_as_new_user.py
rename to monkey/infection_monkey/post_breach/actions/communicate_as_backdoor_user.py
index 79747a5bf..af46bc03b 100644
--- a/monkey/infection_monkey/post_breach/actions/communicate_as_new_user.py
+++ b/monkey/infection_monkey/post_breach/actions/communicate_as_backdoor_user.py
@@ -4,7 +4,7 @@ import shutil
 import string
 import subprocess
-from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_NEW_USER
+from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
 from infection_monkey.post_breach.pba import PBA
 from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
 from infection_monkey.utils.auto_new_user_factory import create_auto_new_user
@@ -26,7 +26,7 @@ USERNAME_PREFIX = "somenewuser"
 logger = logging.getLogger(__name__)
-class CommunicateAsNewUser(PBA):
+class CommunicateAsBackdoorUser(PBA):
 """
 This PBA creates a new user, and then creates HTTPS requests as that user. This is used for a Zero Trust test of the People pillar. See the relevant telemetry processing to see what findings
@@ -34,14 +34,16 @@ class CommunicateAsNewUser(PBA):
 """
 def __init__(self):
- super(CommunicateAsNewUser, self).__init__(name=POST_BREACH_COMMUNICATE_AS_NEW_USER)
+ super(CommunicateAsBackdoorUser, self).__init__(
+ name=POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
+ )
 def run(self):
- username = CommunicateAsNewUser.get_random_new_user_name()
+ username = CommunicateAsBackdoorUser.get_random_new_user_name()
 try:
 password = get_random_password()
 with create_auto_new_user(username, password) as new_user:
- http_request_commandline = CommunicateAsNewUser.get_commandline_for_http_request(
+ http_request_commandline = CommunicateAsBackdoorUser.get_commandline_for_http_request(
 INFECTION_MONKEY_WEBSITE_URL
 )
 exit_status = new_user.run_as(http_request_commandline)
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
index 9280200de..d2be05a9b 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1136.py
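Review bot: The rename stops at the class and constant names: the docstring still opens with "This PBA creates a new user", the helpers get_random_new_user_name and create_auto_new_user and USERNAME_PREFIX = "somenewuser" keep the old vocabulary, and nothing in the file says what "backdoor user" is meant to convey. A first docstring sentence such as `Creates a temporary ("backdoor") user, issues HTTPS requests as that user and deletes it again; used by the People pillar zero-trust test.` would tie the new name to the behaviour (the config schema's "info" text in this commit describes it in exactly those terms); the rest of the docstring and the run() body continue outside the hunk. Since the super() call is being rewrapped anyway, `super().__init__(name=POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER)` fits on one line and avoids repeating the class name that was just changed.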
@@ -1,4 +1,4 @@
-from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_NEW_USER
+from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
 from monkey_island.cc.services.attack.technique_reports.pba_technique import PostBreachTechnique
@@ -7,4 +7,4 @@ class T1136(PostBreachTechnique):
 unscanned_msg = "Monkey didn't try creating a new user on the network's systems."
 scanned_msg = "Monkey tried creating a new user on the network's systems, but failed."
 used_msg = "Monkey created a new user on the network's systems."
- pba_names = [POST_BREACH_COMMUNICATE_AS_NEW_USER]
+ pba_names = [POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER]
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py b/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py
index 8a09027db..9e7324917 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/pba_technique.py
@@ -22,7 +22,7 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
 """
 :param post_breach_action_names: Names of post-breach actions with which the technique is associated
- (example - `["Communicate as new user"]` for T1136)
+ (example - `["Communicate as backdoor user"]` for T1136)
 :return: Mongo query that parses attack telemetries for a simple report component (gets machines and post-breach action usage).
 """
diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py
index a77a95709..88a3e8cb5 100644
--- a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py
@@ -7,8 +7,8 @@ POST_BREACH_ACTIONS = {
 "anyOf": [
 {
 "type": "string",
- "enum": ["CommunicateAsNewUser"],
- "title": "Communicate as new user",
+ "enum": ["CommunicateAsBackdoorUser"],
+ "title": "Communicate as backdoor user",
 "safe": True,
 "info": "Attempts to create a new user, create HTTPS requests as that "
 "user and delete the user "
diff --git a/monkey/monkey_island/cc/services/config_schema/monkey.py b/monkey/monkey_island/cc/services/config_schema/monkey.py
index 4bff861c1..da06123a9 100644
--- a/monkey/monkey_island/cc/services/config_schema/monkey.py
+++ b/monkey/monkey_island/cc/services/config_schema/monkey.py
@@ -67,7 +67,7 @@ MONKEY = {
 "uniqueItems": True,
 "items": {"$ref": "#/definitions/post_breach_actions"},
 "default": [
- "CommunicateAsNewUser",
+ "CommunicateAsBackdoorUser",
 "ModifyShellStartupFiles",
 "HiddenFiles",
 "TrapCommand",
diff --git a/monkey/monkey_island/cc/services/telemetry/processing/post_breach.py b/monkey/monkey_island/cc/services/telemetry/processing/post_breach.py
index be7b6e7ea..5506ff54d 100644
--- a/monkey/monkey_island/cc/services/telemetry/processing/post_breach.py
+++ b/monkey/monkey_island/cc/services/telemetry/processing/post_breach.py
@@ -1,16 +1,16 @@
 import copy
-from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_NEW_USER
+from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
 from monkey_island.cc.database import mongo
 from monkey_island.cc.models import Monkey
-from monkey_island.cc.services.telemetry.zero_trust_checks.communicate_as_new_user import (
+from monkey_island.cc.services.telemetry.zero_trust_checks.communicate_as_backdoor_user import (
 check_new_user_communication,
 )
 EXECUTION_WITHOUT_OUTPUT = "(PBA execution produced no output)"
-def process_communicate_as_new_user_telemetry(telemetry_json):
+def process_communicate_as_backdoor_user_telemetry(telemetry_json):
 current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json["monkey_guid"])
 message = telemetry_json["data"]["result"][0]
 success = telemetry_json["data"]["result"][1]
@@ -18,7 +18,7 @@ def process_communicate_as_new_user_telemetry(telemetry_json):
 POST_BREACH_TELEMETRY_PROCESSING_FUNCS = {
- POST_BREACH_COMMUNICATE_AS_NEW_USER: process_communicate_as_new_user_telemetry,
+ POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER: process_communicate_as_backdoor_user_telemetry,
 }
diff --git a/monkey/monkey_island/cc/services/telemetry/zero_trust_checks/communicate_as_new_user.py b/monkey/monkey_island/cc/services/telemetry/zero_trust_checks/communicate_as_backdoor_user.py
similarity index 88%
rename from monkey/monkey_island/cc/services/telemetry/zero_trust_checks/communicate_as_new_user.py
rename to monkey/monkey_island/cc/services/telemetry/zero_trust_checks/communicate_as_backdoor_user.py
index 6a3ec30aa..e3fc088fd 100644
--- a/monkey/monkey_island/cc/services/telemetry/zero_trust_checks/communicate_as_new_user.py
+++ b/monkey/monkey_island/cc/services/telemetry/zero_trust_checks/communicate_as_backdoor_user.py
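Review bot: process_communicate_as_backdoor_user_telemetry now delegates to check_new_user_communication, imported from the renamed module, so the processing function, the module path and the dict key say "backdoor user" while the callee (and COMM_AS_NEW_USER_FAILED_FORMAT / COMM_AS_NEW_USER_SUCCEEDED_FORMAT in the island-side communicate_as_backdoor_user.py hunk) keep "new user". The docs page updated in this commit points new contributors at this function as the reference example, so finishing the rename there — `check_backdoor_user_communication` and `COMM_AS_BACKDOOR_USER_*_FORMAT` — would avoid teaching both vocabularies at once. The function also has no docstring; one stating that it reads the message and success fields from `telemetry_json["data"]["result"]` for the reporting monkey and hands them to the zero-trust check would help, since the body continues outside the hunk and the shape of `result` is otherwise only implied by the two indexing lines.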
@@ -4,7 +4,7 @@ from monkey_island.cc.services.zero_trust.monkey_findings.monkey_zt_finding_serv
 MonkeyZTFindingService,
 )
-COMM_AS_NEW_USER_FAILED_FORMAT = "Monkey on {} couldn't communicate as new user. Details: {}"
+COMM_AS_NEW_USER_FAILED_FORMAT = "Monkey on {} couldn't communicate as backdoor user. Details: {}"
 COMM_AS_NEW_USER_SUCCEEDED_FORMAT = (
 "New user created by Monkey on {} successfully tried to "
 "communicate with the internet. Details: {}"
@@ -14,7 +14,7 @@ COMM_AS_NEW_USER_SUCCEEDED_FORMAT = (
 def check_new_user_communication(current_monkey, success, message):
 status = zero_trust_consts.STATUS_FAILED if success else zero_trust_consts.STATUS_PASSED
 MonkeyZTFindingService.create_or_add_to_existing(
- test=zero_trust_consts.TEST_COMMUNICATE_AS_NEW_USER,
+ test=zero_trust_consts.TEST_COMMUNICATE_AS_BACKDOOR_USER,
 status=status,
 events=[
 get_attempt_event(current_monkey),
@@ -25,7 +25,7 @@ def check_new_user_communication(current_monkey, success, message):
 def get_attempt_event(current_monkey):
 tried_to_communicate_event = Event.create_event(
- title="Communicate as new user",
+ title="Communicate as backdoor user",
 message="Monkey on {} tried to create a new user and communicate from it.".format(
 current_monkey.hostname
 ),
@@ -40,7 +40,7 @@ def get_result_event(current_monkey, message, success):
 )
 return Event.create_event(
- title="Communicate as new user",
+ title="Communicate as backdoor user",
 message=message_format.format(current_monkey.hostname, message),
 event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK,
 )
diff --git a/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json b/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
index b34a76feb..70176d94a 100644
--- a/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
+++ b/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
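Review bot: The report wording is now mixed within a single finding: both event titles and COMM_AS_NEW_USER_FAILED_FORMAT say "backdoor user", but COMM_AS_NEW_USER_SUCCEEDED_FORMAT still begins "New user created by Monkey on {}" and the attempt event message still reads "tried to create a new user and communicate from it." (TEST_EXPLANATION_KEY in zero_trust_consts.py likewise). Changing them to `"Backdoor user created by Monkey on {} successfully tried to "` and `message="Monkey on {} tried to create a backdoor user and communicate from it.".format(` keeps the text aligned with the titles; as far as the visible test hunk shows, the fixture covers only the failed message, so the succeeded wording is not checked by this commit's tests. The inverted status in check_new_user_communication, `STATUS_FAILED if success else STATUS_PASSED`, is correct but reads oddly on first sight; a comment such as `# The PBA succeeding means a freshly created user could reach the internet, i.e. the control failed` would spare the next reader a double-take.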
@@ -175,7 +175,7 @@
 "PBA_windows_filename": "",
 "PBA_linux_filename": "",
 "post_breach_actions": [
- "CommunicateAsNewUser",
+ "CommunicateAsBackdoorUser",
 "ModifyShellStartupFiles",
 "HiddenFiles",
 "TrapCommand",
diff --git a/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/monkey_findings/test_monkey_zt_finding_service.py b/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/monkey_findings/test_monkey_zt_finding_service.py
index 6248be02c..638837264 100644
--- a/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/monkey_findings/test_monkey_zt_finding_service.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/services/zero_trust/monkey_findings/test_monkey_zt_finding_service.py
@@ -18,8 +18,8 @@ EVENTS = [
 timestamp=datetime.strptime("2021-01-19 12:07:17.802138", "%Y-%m-%d %H:%M:%S.%f"),
 ),
 Event.create_event(
- title="Communicate as new user",
- message="Monkey on gc-pc-244 couldn't communicate as new user. "
+ title="Communicate as backdoor user",
+ message="Monkey on gc-pc-244 couldn't communicate as backdoor user. "
 "Details: System error 5 has occurred. Access is denied.",
 event_type="monkey_network",
 timestamp=datetime.strptime("2021-01-19 12:22:42.246020", "%Y-%m-%d %H:%M:%S.%f"),
@@ -28,7 +28,7 @@ EVENTS = [
 TESTS = [
 zero_trust_consts.TEST_ENDPOINT_SECURITY_EXISTS,
- zero_trust_consts.TEST_COMMUNICATE_AS_NEW_USER,
+ zero_trust_consts.TEST_COMMUNICATE_AS_BACKDOOR_USER,
 ]
 STATUS = [