Rename Communicate as new user to Communicate as backdoor user

This commit is contained in:
Ilija Lazoroski 2021-08-30 12:44:13 +02:00
parent 7e293ac16d
commit 10697934d6
13 changed files with 34 additions and 30 deletions


@ -70,10 +70,12 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
- Improve runtime of some unit tests. #1125
- Run curl OR wget (not both) when attempting to communicate as a new user on
Linux. #1407
- Renamed Communicate as new user to Communicate as backdoor user. #1433
### Removed
- Relevant dead code as reported by Vulture. #1149
- Island logger config and --logger-config CLI option. #1151
- Backdoor user post breach action. #1433
### Fixed
- Attempt to delete a directory when monkey config reset was called. #1054


@ -39,9 +39,9 @@ class MyNewPba(PBA):
#### Implementation
If your PBA consists only of simple shell commands, you can reuse the generic PBA by passing the commands into the constructor. See the `add_user.py` PBA for reference.
If your PBA consists only of simple shell commands, you can reuse the generic PBA by passing the commands into the constructor. See the `account_discovery.py` PBA for reference.
Otherwise, you'll need to override the `run` method with your own implementation. See the `communicate_as_new_user.py` PBA for reference. Make sure to send the relevant PostBreachTelem upon success/failure. You can log during the PBA as well.
Otherwise, you'll need to override the `run` method with your own implementation. See the `communicate_as_backdoor_user.py` PBA for reference. Make sure to send the relevant PostBreachTelem upon success/failure. You can log during the PBA as well.
### Modify the Monkey Island
@ -73,4 +73,4 @@ Now you can choose your PBA when configuring the Infection Monkey on the Monkey
#### Telemetry processing
If you wish to process your PBA telemetry (for example, to analyze it for report data), add a processing function to the `POST_BREACH_TELEMETRY_PROCESSING_FUNCS`, which can be found at `monkey/monkey_island/cc/services/telemetry/processing/post_breach.py`. You can reference the `process_communicate_as_new_user_telemetry` method as an example.
If you wish to process your PBA telemetry (for example, to analyze it for report data), add a processing function to the `POST_BREACH_TELEMETRY_PROCESSING_FUNCS`, which can be found at `monkey/monkey_island/cc/services/telemetry/processing/post_breach.py`. You can reference the `process_communicate_as_backdoor_user_telemetry` method as an example.


@ -1,4 +1,4 @@
POST_BREACH_COMMUNICATE_AS_NEW_USER = "Communicate as new user"
POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER = "Communicate as backdoor user"
POST_BREACH_FILE_EXECUTION = "File execution"
POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION = "Modify shell startup file"
POST_BREACH_HIDDEN_FILES = "Hide files and directories"


@ -40,7 +40,7 @@ TEST_SCHEDULED_EXECUTION = "scheduled_execution"
TEST_MALICIOUS_ACTIVITY_TIMELINE = "malicious_activity_timeline"
TEST_SEGMENTATION = "segmentation"
TEST_TUNNELING = "tunneling"
TEST_COMMUNICATE_AS_NEW_USER = "communicate_as_new_user"
TEST_COMMUNICATE_AS_BACKDOOR_USER = "communicate_as_backdoor_user"
TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES = "scoutsuite_permissive_firewall_rules"
TEST_SCOUTSUITE_UNENCRYPTED_DATA = "scoutsuite_unencrypted_data"
TEST_SCOUTSUITE_DATA_LOSS_PREVENTION = "scoutsuite_data_loss_prevention"
@ -58,7 +58,7 @@ TESTS = (
TEST_DATA_ENDPOINT_HTTP,
TEST_DATA_ENDPOINT_ELASTIC,
TEST_TUNNELING,
TEST_COMMUNICATE_AS_NEW_USER,
TEST_COMMUNICATE_AS_BACKDOOR_USER,
TEST_SCOUTSUITE_PERMISSIVE_FIREWALL_RULES,
TEST_SCOUTSUITE_UNENCRYPTED_DATA,
TEST_SCOUTSUITE_DATA_LOSS_PREVENTION,
@ -206,7 +206,7 @@ TESTS_MAP = {
PILLARS_KEY: [NETWORKS, VISIBILITY_ANALYTICS],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED],
},
TEST_COMMUNICATE_AS_NEW_USER: {
TEST_COMMUNICATE_AS_BACKDOOR_USER: {
TEST_EXPLANATION_KEY: "The Monkey tried to create a new user and communicate "
"with the internet from it.",
FINDING_EXPLANATION_BY_STATUS_KEY: {


@ -4,7 +4,7 @@ import shutil
import string
import subprocess
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_NEW_USER
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
from infection_monkey.post_breach.pba import PBA
from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
from infection_monkey.utils.auto_new_user_factory import create_auto_new_user
@ -26,7 +26,7 @@ USERNAME_PREFIX = "somenewuser"
logger = logging.getLogger(__name__)
class CommunicateAsNewUser(PBA):
class CommunicateAsBackdoorUser(PBA):
"""
This PBA creates a new user, and then creates HTTPS requests as that user. This is used for a
Zero Trust test of the People pillar. See the relevant telemetry processing to see what findings
@ -34,14 +34,16 @@ class CommunicateAsNewUser(PBA):
"""
def __init__(self):
super(CommunicateAsNewUser, self).__init__(name=POST_BREACH_COMMUNICATE_AS_NEW_USER)
super(CommunicateAsBackdoorUser, self).__init__(
name=POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
)
def run(self):
username = CommunicateAsNewUser.get_random_new_user_name()
username = CommunicateAsBackdoorUser.get_random_new_user_name()
try:
password = get_random_password()
with create_auto_new_user(username, password) as new_user:
http_request_commandline = CommunicateAsNewUser.get_commandline_for_http_request(
http_request_commandline = CommunicateAsBackdoorUser.get_commandline_for_http_request(
INFECTION_MONKEY_WEBSITE_URL
)
exit_status = new_user.run_as(http_request_commandline)


@ -1,4 +1,4 @@
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_NEW_USER
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
from monkey_island.cc.services.attack.technique_reports.pba_technique import PostBreachTechnique
@ -7,4 +7,4 @@ class T1136(PostBreachTechnique):
unscanned_msg = "Monkey didn't try creating a new user on the network's systems."
scanned_msg = "Monkey tried creating a new user on the network's systems, but failed."
used_msg = "Monkey created a new user on the network's systems."
pba_names = [POST_BREACH_COMMUNICATE_AS_NEW_USER]
pba_names = [POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER]


@ -22,7 +22,7 @@ class PostBreachTechnique(AttackTechnique, metaclass=abc.ABCMeta):
"""
:param post_breach_action_names: Names of post-breach actions with which the technique is
associated
(example - `["Communicate as new user"]` for T1136)
(example - `["Communicate as backdoor user"]` for T1136)
:return: Mongo query that parses attack telemetries for a simple report component
(gets machines and post-breach action usage).
"""


@ -7,8 +7,8 @@ POST_BREACH_ACTIONS = {
"anyOf": [
{
"type": "string",
"enum": ["CommunicateAsNewUser"],
"title": "Communicate as new user",
"enum": ["CommunicateAsBackdoorUser"],
"title": "Communicate as backdoor user",
"safe": True,
"info": "Attempts to create a new user, create HTTPS requests as that "
"user and delete the user "


@ -67,7 +67,7 @@ MONKEY = {
"uniqueItems": True,
"items": {"$ref": "#/definitions/post_breach_actions"},
"default": [
"CommunicateAsNewUser",
"CommunicateAsBackdoorUser",
"ModifyShellStartupFiles",
"HiddenFiles",
"TrapCommand",


@ -1,16 +1,16 @@
import copy
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_NEW_USER
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
from monkey_island.cc.database import mongo
from monkey_island.cc.models import Monkey
from monkey_island.cc.services.telemetry.zero_trust_checks.communicate_as_new_user import (
from monkey_island.cc.services.telemetry.zero_trust_checks.communicate_as_backdoor_user import (
check_new_user_communication,
)
EXECUTION_WITHOUT_OUTPUT = "(PBA execution produced no output)"
def process_communicate_as_new_user_telemetry(telemetry_json):
def process_communicate_as_backdoor_user_telemetry(telemetry_json):
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json["monkey_guid"])
message = telemetry_json["data"]["result"][0]
success = telemetry_json["data"]["result"][1]
@ -18,7 +18,7 @@ def process_communicate_as_new_user_telemetry(telemetry_json):
POST_BREACH_TELEMETRY_PROCESSING_FUNCS = {
POST_BREACH_COMMUNICATE_AS_NEW_USER: process_communicate_as_new_user_telemetry,
POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER: process_communicate_as_backdoor_user_telemetry,
}


@ -4,7 +4,7 @@ from monkey_island.cc.services.zero_trust.monkey_findings.monkey_zt_finding_serv
MonkeyZTFindingService,
)
COMM_AS_NEW_USER_FAILED_FORMAT = "Monkey on {} couldn't communicate as new user. Details: {}"
COMM_AS_NEW_USER_FAILED_FORMAT = "Monkey on {} couldn't communicate as backdoor user. Details: {}"
COMM_AS_NEW_USER_SUCCEEDED_FORMAT = (
"New user created by Monkey on {} successfully tried to "
"communicate with the internet. Details: {}"
@ -14,7 +14,7 @@ COMM_AS_NEW_USER_SUCCEEDED_FORMAT = (
def check_new_user_communication(current_monkey, success, message):
status = zero_trust_consts.STATUS_FAILED if success else zero_trust_consts.STATUS_PASSED
MonkeyZTFindingService.create_or_add_to_existing(
test=zero_trust_consts.TEST_COMMUNICATE_AS_NEW_USER,
test=zero_trust_consts.TEST_COMMUNICATE_AS_BACKDOOR_USER,
status=status,
events=[
get_attempt_event(current_monkey),
@ -25,7 +25,7 @@ def check_new_user_communication(current_monkey, success, message):
def get_attempt_event(current_monkey):
tried_to_communicate_event = Event.create_event(
title="Communicate as new user",
title="Communicate as backdoor user",
message="Monkey on {} tried to create a new user and communicate from it.".format(
current_monkey.hostname
),
@ -40,7 +40,7 @@ def get_result_event(current_monkey, message, success):
)
return Event.create_event(
title="Communicate as new user",
title="Communicate as backdoor user",
message=message_format.format(current_monkey.hostname, message),
event_type=zero_trust_consts.EVENT_TYPE_MONKEY_NETWORK,
)


@ -175,7 +175,7 @@
"PBA_windows_filename": "",
"PBA_linux_filename": "",
"post_breach_actions": [
"CommunicateAsNewUser",
"CommunicateAsBackdoorUser",
"ModifyShellStartupFiles",
"HiddenFiles",
"TrapCommand",


@ -18,8 +18,8 @@ EVENTS = [
timestamp=datetime.strptime("2021-01-19 12:07:17.802138", "%Y-%m-%d %H:%M:%S.%f"),
),
Event.create_event(
title="Communicate as new user",
message="Monkey on gc-pc-244 couldn't communicate as new user. "
title="Communicate as backdoor user",
message="Monkey on gc-pc-244 couldn't communicate as backdoor user. "
"Details: System error 5 has occurred. Access is denied.",
event_type="monkey_network",
timestamp=datetime.strptime("2021-01-19 12:22:42.246020", "%Y-%m-%d %H:%M:%S.%f"),
@ -28,7 +28,7 @@ EVENTS = [
TESTS = [
zero_trust_consts.TEST_ENDPOINT_SECURITY_EXISTS,
zero_trust_consts.TEST_COMMUNICATE_AS_NEW_USER,
zero_trust_consts.TEST_COMMUNICATE_AS_BACKDOOR_USER,
]
STATUS = [