From 7d535c72d9bdfb99d2a157fe29b705cf9c0b4610 Mon Sep 17 00:00:00 2001
From: Kekoa Kaaikala
Date: Wed, 5 Oct 2022 14:10:11 +0000
Subject: [PATCH] Agent: Publish powershell exploitation events

---
 monkey/infection_monkey/exploit/powershell.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/monkey/infection_monkey/exploit/powershell.py b/monkey/infection_monkey/exploit/powershell.py
index de3797a1d..369ca151d 100644
--- a/monkey/infection_monkey/exploit/powershell.py
+++ b/monkey/infection_monkey/exploit/powershell.py
@@ -3,7 +3,11 @@ from pathlib import Path, PurePath
 from typing import List, Optional
 from common import OperatingSystem
-from common.tags import T1059_ATTACK_TECHNIQUE_TAG, T1105_ATTACK_TECHNIQUE_TAG
+from common.tags import (
+ T1059_ATTACK_TECHNIQUE_TAG,
+ T1105_ATTACK_TECHNIQUE_TAG,
+ T1110_ATTACK_TECHNIQUE_TAG,
+)
 from infection_monkey.exploit.HostExploiter import HostExploiter
 from infection_monkey.exploit.powershell_utils.auth_options import AuthOptions, get_auth_options
 from infection_monkey.exploit.powershell_utils.credentials import (
@@ -23,6 +27,7 @@ from infection_monkey.utils.threading import interruptible_iter
 logger = logging.getLogger(__name__)
 POWERSHELL_EXPLOITER_TAG = "powershell-exploiter"
+EXPLOITER_TAGS = (POWERSHELL_EXPLOITER_TAG, T1059_ATTACK_TECHNIQUE_TAG, T1110_ATTACK_TECHNIQUE_TAG)
 PROPAGATION_TAGS = (
 POWERSHELL_EXPLOITER_TAG,
 T1059_ATTACK_TECHNIQUE_TAG,
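Review bot: `EXPLOITER_TAGS` is added directly above `PROPAGATION_TAGS` with nothing explaining why the two tag sets differ (T1110 here, T1105 there) or which events each one is attached to, and a reader comparing them will want that spelled out. A comment above the new line, such as `# Tags for per-credential login attempts; T1110 (brute force) marks the credential guessing, while PROPAGATION_TAGS below tags the payload transfer (T1105).`, would make the split explicit. Keeping the comment next to the constant also means the call sites in the later hunk do not each need to restate it.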
@@ -111,15 +116,20 @@ class PowerShellExploiter(HostExploiter):
 f"{creds.username}, Secret Type: {creds.secret_type.name}"
 )
+ self._publish_exploitation_event(self.host.ip_addr, True, EXPLOITER_TAGS)
 self.exploit_result.exploitation_success = True
 self._report_login_attempt(True, creds)
 return client
 except Exception as ex:
- logger.debug(
+ error_message = (
 f"Error logging into {self.host.ip_addr} using Powershell. User: "
 f"{creds.username}, SecretType: {creds.secret_type.name} -- Error: {ex}"
 )
+ logger.debug(error_message)
+ self._publish_exploitation_event(
+ self.host.ip_addr, False, EXPLOITER_TAGS, error_message
+ )
 self._report_login_attempt(False, creds)
 return None
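Review bot: The new `_publish_exploitation_event(self.host.ip_addr, False, EXPLOITER_TAGS, error_message)` call sits inside the pre-existing `except Exception as ex:` handler, so any exception raised while building the client — a connection timeout or a programming error, not only a rejected credential — is now published as a failed login attempt whose message embeds the raw `str(ex)` together with the username. If consumers of these events expect authentication outcomes, catch the client's authentication/connection error types first and let the broad handler only log, or document on the method that the published message may carry arbitrary exception text. The two publish calls also pass `True`/`False` positionally; passing that argument by keyword (whatever `_publish_exploitation_event` names it) would make the success/failure intent readable at the call site. The enclosing method begins before this hunk.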