From 9dc16077540d85f03e1083a561be74f7ee5411c0 Mon Sep 17 00:00:00 2001
From: Shay Nehmad
Date: Thu, 3 Oct 2019 11:36:47 +0300
Subject: [PATCH] Added user deactivation as another "security" layer for the user deletion in windows
---
 .../utils/windows/auto_new_user.py | 21 +++++++++++++++----
 .../infection_monkey/utils/windows/users.py | 13 +++++++++++-
 2 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/monkey/infection_monkey/utils/windows/auto_new_user.py b/monkey/infection_monkey/utils/windows/auto_new_user.py
index d95ac0bf0..fd879ef6b 100644
--- a/monkey/infection_monkey/utils/windows/auto_new_user.py
+++ b/monkey/infection_monkey/utils/windows/auto_new_user.py
@@ -2,7 +2,8 @@ import logging
 import subprocess
 from infection_monkey.post_breach.actions.add_user import BackdoorUser
-from infection_monkey.utils.windows.users import get_windows_commands_to_delete_user, get_windows_commands_to_add_user
+from infection_monkey.utils.windows.users import get_windows_commands_to_delete_user, get_windows_commands_to_add_user, \
+ get_windows_commands_to_deactivate_user
 logger = logging.getLogger(__name__)
@@ -48,7 +49,8 @@ class AutoNewUser(object):
 self.username,
 ".", # Use current domain.
 self.password,
- win32con.LOGON32_LOGON_INTERACTIVE, # Logon type - interactive (normal user).
+ win32con.LOGON32_LOGON_INTERACTIVE, # Logon type - interactive (normal user). Need this to open ping
+ # using a shell.
 win32con.LOGON32_PROVIDER_DEFAULT) # Which logon provider to use - whatever Windows offers.
 except Exception as err:
 raise NewUserError("Can't logon as {}. Error: {}".format(self.username, str(err)))
@@ -61,9 +63,20 @@ class AutoNewUser(object):
 # Logoff
 self.logon_handle.Close()
- # Try to delete user
+ # Try to disable and then delete the user.
+ self.try_deactivate_user()
+ self.try_disable_user()
+
+ def try_disable_user(self):
 try:
- _ = subprocess.Popen(
+ _ = subprocess.check_output(
 get_windows_commands_to_delete_user(self.username), stderr=subprocess.STDOUT, shell=True)
 except Exception as err:
 raise NewUserError("Can't delete user {}. Info: {}".format(self.username, err))
+
+ def try_deactivate_user(self):
+ try:
+ _ = subprocess.check_output(
+ get_windows_commands_to_deactivate_user(self.username), stderr=subprocess.STDOUT, shell=True)
+ except Exception as err:
+ raise NewUserError("Can't deactivate user {}. Info: {}".format(self.username, err))
diff --git a/monkey/infection_monkey/utils/windows/users.py b/monkey/infection_monkey/utils/windows/users.py
index 0e6847cff..eac5318d5 100644
--- a/monkey/infection_monkey/utils/windows/users.py
+++ b/monkey/infection_monkey/utils/windows/users.py
@@ -1,3 +1,6 @@
+ACTIVE_NO_NET_USER = '/ACTIVE:NO'
+
+
 def get_windows_commands_to_add_user(username, password, should_be_active=False):
 windows_cmds = [
 'net',
@@ -6,7 +9,7 @@ def get_windows_commands_to_add_user(username, password, should_be_active=False)
 password,
 '/add']
 if not should_be_active:
- windows_cmds.append('/ACTIVE:NO')
+ windows_cmds.append(ACTIVE_NO_NET_USER)
 return windows_cmds
@@ -16,3 +19,11 @@ def get_windows_commands_to_delete_user(username):
 'user',
 username,
 '/delete']
+
+
+def get_windows_commands_to_deactivate_user(username):
+ return [
+ 'net',
+ 'user',
+ username,
+ ACTIVE_NO_NET_USER]
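Review bot: If `self.try_deactivate_user()` raises `NewUserError`, the following `self.try_disable_user()` call never runs, so a failed deactivation leaves the temporary account both enabled and undeleted, which is the opposite of the extra layer the commit message describes. The delete step should run regardless, for example by calling `self.try_disable_user()` from a `finally:` around the deactivation call; the enclosing method starts above this hunk, so how it treats an exception already in flight is not visible here. `try_disable_user` runs `get_windows_commands_to_delete_user` and reports "Can't delete user", so `try_delete_user` would be the accurate name. Both helpers pass an argument list together with `shell=True`, which sends the username through cmd.exe for no visible benefit; `shell=False` should be enough for `net` and removes that interpretation step.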
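Review bot: The new `get_windows_commands_to_deactivate_user` has no docstring, and its plural name suggests several commands although it returns the argument list of a single `net user` invocation. A one-line docstring would make the contract explicit, for example `"""Return the argv that disables (but does not delete) the local account *username* via net user /ACTIVE:NO."""`. It is also worth stating there that `username` is inserted as-is, because the callers in auto_new_user.py run the list with `shell=True`.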