Merge branch '2269-add-attack-technique-tags' into develop

PR #2394
Mike Salvatore 2022-10-05 08:25:51 -04:00
commit 73a8c14397
7 changed files with 66 additions and 26 deletions


@ -0,0 +1,13 @@
from .attack import (
T1003_ATTACK_TECHNIQUE_TAG,
T1005_ATTACK_TECHNIQUE_TAG,
T1021_ATTACK_TECHNIQUE_TAG,
T1098_ATTACK_TECHNIQUE_TAG,
T1105_ATTACK_TECHNIQUE_TAG,
T1110_ATTACK_TECHNIQUE_TAG,
T1145_ATTACK_TECHNIQUE_TAG,
T1203_ATTACK_TECHNIQUE_TAG,
T1210_ATTACK_TECHNIQUE_TAG,
T1222_ATTACK_TECHNIQUE_TAG,
T1570_ATTACK_TECHNIQUE_TAG,
)
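Review bot: The re-export module starting at `from .attack import (` declares no `__all__`, so a linter sees eleven unused imports (F401) and readers cannot tell which names are the intended public surface of `common.tags`. Adding `__all__` listing the eleven `T*_ATTACK_TECHNIQUE_TAG` names (or using the `import X as X` re-export form) makes the package API explicit and keeps the linter quiet without a blanket noqa. A one-line module docstring stating that this package holds the tags attached to agent events would also help, since nothing on either new file says so.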


@ -0,0 +1,11 @@
T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005"
T1021_ATTACK_TECHNIQUE_TAG = "attack-t1021"
T1098_ATTACK_TECHNIQUE_TAG = "attack-t1098"
T1105_ATTACK_TECHNIQUE_TAG = "attack-t1105"
T1110_ATTACK_TECHNIQUE_TAG = "attack-t1110"
T1145_ATTACK_TECHNIQUE_TAG = "attack-t1145"
T1203_ATTACK_TECHNIQUE_TAG = "attack-t1203"
T1210_ATTACK_TECHNIQUE_TAG = "attack-t1210"
T1222_ATTACK_TECHNIQUE_TAG = "attack-t1222"
T1570_ATTACK_TECHNIQUE_TAG = "attack-t1570"
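Review bot: The constants at `T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"` and below carry no documentation, so a reader has to infer from the branch name that the numeric part is a MITRE ATT&CK technique ID and that the `attack-t<id>` string is the tag published on agent events. A module docstring such as `"""Tags marking the MITRE ATT&CK technique an agent event relates to; the part after 'attack-t' is the technique ID."""` would settle both points. Worth confirming the T1145 entry as well: that technique ID was revoked upstream (its content now lives under T1552.004), so consumers that resolve tags against the current ATT&CK catalog may not find it.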


@ -4,6 +4,7 @@ from typing import Sequence
from common.agent_events import CredentialsStolenEvent
from common.credentials import Credentials, LMHash, NTHash, Password, Username
from common.event_queue import IAgentEventQueue
from common.tags import T1003_ATTACK_TECHNIQUE_TAG, T1005_ATTACK_TECHNIQUE_TAG
from infection_monkey.i_puppet import ICredentialCollector
from infection_monkey.model import USERNAME_PREFIX
from infection_monkey.utils.ids import get_agent_id
@ -15,8 +16,6 @@ logger = logging.getLogger(__name__)
MIMIKATZ_CREDENTIAL_COLLECTOR_TAG = "mimikatz-credentials-collector"
T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005"
MIMIKATZ_EVENT_TAGS = frozenset(
(
@ -28,8 +27,8 @@ MIMIKATZ_EVENT_TAGS = frozenset(
class MimikatzCredentialCollector(ICredentialCollector):
def __init__(self, event_queue: IAgentEventQueue):
self._event_queue = event_queue
def __init__(self, agent_event_queue: IAgentEventQueue):
self._agent_event_queue = agent_event_queue
def collect_credentials(self, options=None) -> Sequence[Credentials]:
logger.info("Attempting to collect windows credentials with pypykatz.")
@ -82,4 +81,4 @@ class MimikatzCredentialCollector(ICredentialCollector):
stolen_credentials=collected_credentials,
)
self._event_queue.publish(credentials_stolen_event)
self._agent_event_queue.publish(credentials_stolen_event)
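Review bot: Renaming the constructor parameter at `def __init__(self, agent_event_queue: IAgentEventQueue):` is a breaking change for any call site that passes `event_queue=` by keyword, and none of the visible hunks updates a place where MimikatzCredentialCollector is constructed. If the wiring passes the queue positionally this is harmless; otherwise the caller needs the same rename in this change. The same applies to SSHCredentialCollector's constructor in the next file. The class body continues outside the hunk.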


@ -15,13 +15,15 @@ class SSHCredentialCollector(ICredentialCollector):
SSH keys credential collector
"""
def __init__(self, telemetry_messenger: ITelemetryMessenger, event_queue: IAgentEventQueue):
def __init__(
self, telemetry_messenger: ITelemetryMessenger, agent_event_queue: IAgentEventQueue
):
self._telemetry_messenger = telemetry_messenger
self._event_queue = event_queue
self._agent_event_queue = agent_event_queue
def collect_credentials(self, _options=None) -> Sequence[Credentials]:
logger.info("Started scanning for SSH credentials")
ssh_info = ssh_handler.get_ssh_info(self._telemetry_messenger, self._event_queue)
ssh_info = ssh_handler.get_ssh_info(self._telemetry_messenger, self._agent_event_queue)
logger.info("Finished scanning for SSH credentials")
return ssh_handler.to_credentials(ssh_info)


@ -6,6 +6,11 @@ from typing import Dict, Iterable, Sequence
from common.agent_events import CredentialsStolenEvent
from common.credentials import Credentials, SSHKeypair, Username
from common.event_queue import IAgentEventQueue
from common.tags import (
T1003_ATTACK_TECHNIQUE_TAG,
T1005_ATTACK_TECHNIQUE_TAG,
T1145_ATTACK_TECHNIQUE_TAG,
)
from common.utils.attack_utils import ScanStatus
from infection_monkey.telemetry.attack.t1005_telem import T1005Telem
from infection_monkey.telemetry.attack.t1145_telem import T1145Telem
@ -17,9 +22,6 @@ logger = logging.getLogger(__name__)
DEFAULT_DIRS = ["/.ssh/", "/"]
SSH_CREDENTIAL_COLLECTOR_TAG = "ssh-credentials-collector"
T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
T1005_ATTACK_TECHNIQUE_TAG = "attack-t1005"
T1145_ATTACK_TECHNIQUE_TAG = "attack-t1145"
SSH_COLLECTOR_EVENT_TAGS = frozenset(
(
@ -32,7 +34,7 @@ SSH_COLLECTOR_EVENT_TAGS = frozenset(
def get_ssh_info(
telemetry_messenger: ITelemetryMessenger, event_queue: IAgentEventQueue
telemetry_messenger: ITelemetryMessenger, agent_event_queue: IAgentEventQueue
) -> Iterable[Dict]:
# TODO: Remove this check when this is turned into a plugin.
if is_windows_os():
@ -42,7 +44,7 @@ def get_ssh_info(
return []
home_dirs = _get_home_dirs()
ssh_info = _get_ssh_files(home_dirs, telemetry_messenger, event_queue)
ssh_info = _get_ssh_files(home_dirs, telemetry_messenger, agent_event_queue)
return ssh_info
@ -83,7 +85,7 @@ def _get_ssh_struct(name: str, home_dir: str) -> Dict:
def _get_ssh_files(
user_info: Iterable[Dict],
telemetry_messenger: ITelemetryMessenger,
event_queue: IAgentEventQueue,
agent_event_queue: IAgentEventQueue,
) -> Iterable[Dict]:
for info in user_info:
path = info["home_dir"]
@ -125,7 +127,7 @@ def _get_ssh_files(
collected_credentials = to_credentials([info])
_publish_credentials_stolen_event(
collected_credentials, event_queue
collected_credentials, agent_event_queue
)
else:
continue
@ -170,7 +172,7 @@ def to_credentials(ssh_info: Iterable[Dict]) -> Sequence[Credentials]:
def _publish_credentials_stolen_event(
collected_credentials: Credentials, event_queue: IAgentEventQueue
collected_credentials: Sequence[Credentials], agent_event_queue: IAgentEventQueue
):
credentials_stolen_event = CredentialsStolenEvent(
source=get_agent_id(),
@ -178,4 +180,4 @@ def _publish_credentials_stolen_event(
stolen_credentials=collected_credentials,
)
event_queue.publish(credentials_stolen_event)
agent_event_queue.publish(credentials_stolen_event)


@ -18,6 +18,7 @@ from impacket.dcerpc.v5.dtypes import NULL
from common.agent_events import CredentialsStolenEvent
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
from common.credentials import Credentials, LMHash, NTHash, Username
from common.tags import T1003_ATTACK_TECHNIQUE_TAG, T1098_ATTACK_TECHNIQUE_TAG
from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.tools.wmi_tools import WmiTools
from infection_monkey.exploit.zerologon_utils.dump_secrets import DumpSecrets
@ -32,9 +33,6 @@ from infection_monkey.utils.threading import interruptible_iter
logger = logging.getLogger(__name__)
ZEROLOGON_EXPLOITER_TAG = "zerologon-exploiter"
T1003_ATTACK_TECHNIQUE_TAG = "attack-t1003"
T1098_ATTACK_TECHNIQUE_TAG = "attack-t1098"
ZEROLOGON_EVENT_TAGS = frozenset(
{
@ -315,7 +313,7 @@ class ZerologonExploiter(HostExploiter):
tags=ZEROLOGON_EVENT_TAGS,
stolen_credentials=extracted_credentials,
)
self.event_queue.publish(credentials_stolen_event)
self.agent_event_queue.publish(credentials_stolen_event)
def get_original_pwd_nthash(self, username: str, user_pwd_hashes: List[str]) -> Optional[str]:
if not self.save_HKLM_keys_locally(username, user_pwd_hashes):


@ -9,11 +9,17 @@ from common.agent_configuration.agent_sub_configurations import (
)
from common.agent_events import ExploitationEvent, PingScanEvent, PropagationEvent, TCPScanEvent
from common.credentials import Credentials, LMHash, NTHash
from infection_monkey.exploit.HostExploiter.HostExploiter import (
_publish_exploitation_event,
_publish_propagation_event,
from common.tags import (
T1021_ATTACK_TECHNIQUE_TAG,
T1105_ATTACK_TECHNIQUE_TAG,
T1110_ATTACK_TECHNIQUE_TAG,
T1203_ATTACK_TECHNIQUE_TAG,
T1210_ATTACK_TECHNIQUE_TAG,
T1222_ATTACK_TECHNIQUE_TAG,
T1570_ATTACK_TECHNIQUE_TAG,
)
from common.types import NetworkPort, NetworkService
from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.log4shell_utils.ldap_server import LDAPServerFactory
from monkey_island.cc.models import Machine, Node, Report
from monkey_island.cc.models.networkmap import Arc, NetworkMap
@ -319,8 +325,17 @@ TCPScanEvent
TCPScanEvent.port_status
# TODO: Remove once #2269 is close
_publish_exploitation_event,
_publish_propagation_event,
PropagationEvent
ExploitationEvent
T1021_ATTACK_TECHNIQUE_TAG
T1105_ATTACK_TECHNIQUE_TAG
T1110_ATTACK_TECHNIQUE_TAG
T1203_ATTACK_TECHNIQUE_TAG
T1210_ATTACK_TECHNIQUE_TAG
T1222_ATTACK_TECHNIQUE_TAG
T1570_ATTACK_TECHNIQUE_TAG
HostExploiter._publish_propagation_event
HostExploiter._publish_exploitation_event
# pydantic base models
underscore_attrs_are_private
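Review bot: The bare names `_publish_exploitation_event` and `_publish_propagation_event` under `# TODO: Remove once #2269 is close` appear to be kept as context (the header's 8-old/17-new counts only add up if they are), yet the `from infection_monkey.exploit.HostExploiter.HostExploiter import (` block that defined them is removed earlier in this file, leaving them as undefined names. The new `HostExploiter._publish_propagation_event` and `HostExploiter._publish_exploitation_event` entries already cover the same methods, so the two bare lines (and the TODO if it only applied to them) can be deleted, avoiding a stale allowlist entry and an F821 from flake8 if this file is linted.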