Merge pull request #1259 from guardicore/ransomware-telemetry

Ransomware telemetry
This commit is contained in:
Mike Salvatore 2021-06-25 10:16:42 -04:00 committed by GitHub
commit 1294e38f6e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 155 additions and 25 deletions

View File

@ -8,3 +8,4 @@ class TelemCategoryEnum:
TRACE = "trace" TRACE = "trace"
TUNNEL = "tunnel" TUNNEL = "tunnel"
ATTACK = "attack" ATTACK = "attack"
RANSOMWARE = "ransomware"

View File

@ -25,6 +25,9 @@ from infection_monkey.system_singleton import SystemSingleton
from infection_monkey.telemetry.attack.t1106_telem import T1106Telem from infection_monkey.telemetry.attack.t1106_telem import T1106Telem
from infection_monkey.telemetry.attack.t1107_telem import T1107Telem from infection_monkey.telemetry.attack.t1107_telem import T1107Telem
from infection_monkey.telemetry.attack.victim_host_telem import VictimHostTelem from infection_monkey.telemetry.attack.victim_host_telem import VictimHostTelem
from infection_monkey.telemetry.messengers.telemetry_messenger_wrapper import (
TelemetryMessengerWrapper,
)
from infection_monkey.telemetry.scan_telem import ScanTelem from infection_monkey.telemetry.scan_telem import ScanTelem
from infection_monkey.telemetry.state_telem import StateTelem from infection_monkey.telemetry.state_telem import StateTelem
from infection_monkey.telemetry.system_info_telem import SystemInfoTelem from infection_monkey.telemetry.system_info_telem import SystemInfoTelem
@ -233,7 +236,7 @@ class InfectionMonkey(object):
if not self._keep_running: if not self._keep_running:
break break
RansomewarePayload(WormConfiguration.ransomware).run_payload() InfectionMonkey.run_ransomware()
if (not is_empty) and (WormConfiguration.max_iterations > iteration_index + 1): if (not is_empty) and (WormConfiguration.max_iterations > iteration_index + 1):
time_to_sleep = WormConfiguration.timeout_between_iterations time_to_sleep = WormConfiguration.timeout_between_iterations
@ -463,3 +466,8 @@ class InfectionMonkey(object):
def log_arguments(self): def log_arguments(self):
arg_string = " ".join([f"{key}: {value}" for key, value in vars(self._opts).items()]) arg_string = " ".join([f"{key}: {value}" for key, value in vars(self._opts).items()])
LOG.info(f"Monkey started with arguments: {arg_string}") LOG.info(f"Monkey started with arguments: {arg_string}")
@staticmethod
def run_ransomware():
telemetry_messenger = TelemetryMessengerWrapper()
RansomewarePayload(WormConfiguration.ransomware, telemetry_messenger).run_payload()

View File

@ -5,6 +5,8 @@ from typing import List, Optional, Tuple
from infection_monkey.ransomware.bitflip_encryptor import BitflipEncryptor from infection_monkey.ransomware.bitflip_encryptor import BitflipEncryptor
from infection_monkey.ransomware.file_selectors import select_production_safe_target_files from infection_monkey.ransomware.file_selectors import select_production_safe_target_files
from infection_monkey.ransomware.valid_file_extensions import VALID_FILE_EXTENSIONS_FOR_ENCRYPTION from infection_monkey.ransomware.valid_file_extensions import VALID_FILE_EXTENSIONS_FOR_ENCRYPTION
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
from infection_monkey.telemetry.ransomware_telem import RansomwareTelem
from infection_monkey.utils.environment import is_windows_os from infection_monkey.utils.environment import is_windows_os
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
@ -14,7 +16,7 @@ CHUNK_SIZE = 4096 * 24
class RansomewarePayload: class RansomewarePayload:
def __init__(self, config: dict): def __init__(self, config: dict, telemetry_messenger: ITelemetryMessenger):
LOG.info(f"Windows dir configured for encryption is \"{config['windows_dir']}\"") LOG.info(f"Windows dir configured for encryption is \"{config['windows_dir']}\"")
LOG.info(f"Linux dir configured for encryption is \"{config['linux_dir']}\"") LOG.info(f"Linux dir configured for encryption is \"{config['linux_dir']}\"")
@ -25,6 +27,7 @@ class RansomewarePayload:
self._valid_file_extensions_for_encryption.discard(self._new_file_extension) self._valid_file_extensions_for_encryption.discard(self._new_file_extension)
self._encryptor = BitflipEncryptor(chunk_size=CHUNK_SIZE) self._encryptor = BitflipEncryptor(chunk_size=CHUNK_SIZE)
self._telemetry_messenger = telemetry_messenger
def run_payload(self): def run_payload(self):
file_list = self._find_files() file_list = self._find_files()
@ -44,12 +47,16 @@ class RansomewarePayload:
try: try:
self._encryptor.encrypt_file_in_place(filepath) self._encryptor.encrypt_file_in_place(filepath)
self._add_extension(filepath) self._add_extension(filepath)
results.append((filepath, None)) self._send_telemetry(filepath, "")
except Exception as ex: except Exception as ex:
results.append((filepath, ex)) self._send_telemetry(filepath, str(ex))
return results return results
def _add_extension(self, filepath: Path): def _add_extension(self, filepath: Path):
new_filepath = filepath.with_suffix(f"{filepath.suffix}{self._new_file_extension}") new_filepath = filepath.with_suffix(f"{filepath.suffix}{self._new_file_extension}")
filepath.rename(new_filepath) filepath.rename(new_filepath)
def _send_telemetry(self, filepath: Path, error: str):
encryption_attempt = RansomwareTelem((str(filepath), str(error)))
self._telemetry_messenger.send_telemetry(encryption_attempt)

View File

@ -3,6 +3,7 @@ import json
import logging import logging
from infection_monkey.control import ControlClient from infection_monkey.control import ControlClient
from infection_monkey.telemetry.i_telem import ITelem
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
LOGGED_DATA_LENGTH = 300 # How many characters of telemetry data will be logged LOGGED_DATA_LENGTH = 300 # How many characters of telemetry data will be logged
@ -24,14 +25,11 @@ __author__ = "itay.mizeretz"
# logging and sending them. # logging and sending them.
class BaseTelem(object, metaclass=abc.ABCMeta): class BaseTelem(ITelem, metaclass=abc.ABCMeta):
""" """
Abstract base class for telemetry. Abstract base class for telemetry.
""" """
def __init__(self):
pass
def send(self, log_data=True): def send(self, log_data=True):
""" """
Sends telemetry to island Sends telemetry to island
@ -41,13 +39,6 @@ class BaseTelem(object, metaclass=abc.ABCMeta):
self._log_telem_sending(serialized_data, log_data) self._log_telem_sending(serialized_data, log_data)
ControlClient.send_telemetry(self.telem_category, serialized_data) ControlClient.send_telemetry(self.telem_category, serialized_data)
@abc.abstractmethod
def get_data(self) -> dict:
"""
:return: Data of telemetry (should be dict)
"""
pass
@property @property
def json_encoder(self): def json_encoder(self):
return json.JSONEncoder return json.JSONEncoder
@ -57,14 +48,6 @@ class BaseTelem(object, metaclass=abc.ABCMeta):
if log_data: if log_data:
logger.debug(f"Telemetry contents: {BaseTelem._truncate_data(serialized_data)}") logger.debug(f"Telemetry contents: {BaseTelem._truncate_data(serialized_data)}")
@property
@abc.abstractmethod
def telem_category(self):
"""
:return: Telemetry type
"""
pass
@staticmethod @staticmethod
def _truncate_data(data: str): def _truncate_data(data: str):
if len(data) <= LOGGED_DATA_LENGTH: if len(data) <= LOGGED_DATA_LENGTH:

View File

@ -0,0 +1,29 @@
import abc
class ITelem(metaclass=abc.ABCMeta):
@abc.abstractmethod
def send(self, log_data=True):
"""
Sends telemetry to island
"""
@abc.abstractmethod
def get_data(self) -> dict:
"""
:return: Data of telemetry (should be dict)
"""
pass
@property
@abc.abstractmethod
def json_encoder(self):
pass
@property
@abc.abstractmethod
def telem_category(self):
"""
:return: Telemetry type
"""
pass

View File

@ -0,0 +1,9 @@
import abc
from infection_monkey.telemetry.i_telem import ITelem
class ITelemetryMessenger(metaclass=abc.ABCMeta):
@abc.abstractmethod
def send_telemetry(self, telemetry: ITelem):
pass

View File

@ -0,0 +1,7 @@
from infection_monkey.telemetry.i_telem import ITelem
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
class TelemetryMessengerWrapper(ITelemetryMessenger):
def send_telemetry(self, telemetry: ITelem):
telemetry.send()

View File

@ -0,0 +1,22 @@
from typing import List, Tuple
from common.common_consts.telem_categories import TelemCategoryEnum
from infection_monkey.telemetry.base_telem import BaseTelem
class RansomwareTelem(BaseTelem):
def __init__(self, attempts: List[Tuple[str, str]]):
"""
Ransomware telemetry constructor
:param attempts: List of tuples with each tuple containing the path
of a file it tried encrypting and its result.
If ransomware fails completely - list of one tuple
containing the directory path and error string.
"""
super().__init__()
self.attempts = attempts
telem_category = TelemCategoryEnum.RANSOMWARE
def get_data(self):
return {"ransomware_attempts": self.attempts}

View File

@ -1,4 +1,5 @@
import os import os
from pathlib import PurePath
import pytest import pytest
from tests.unit_tests.infection_monkey.ransomware.ransomware_target_files import ( from tests.unit_tests.infection_monkey.ransomware.ransomware_target_files import (
@ -20,7 +21,18 @@ from tests.unit_tests.infection_monkey.ransomware.ransomware_target_files import
) )
from tests.utils import hash_file, is_user_admin from tests.utils import hash_file, is_user_admin
from infection_monkey.ransomware import ransomware_payload as ransomware_payload_module
from infection_monkey.ransomware.ransomware_payload import EXTENSION, RansomewarePayload from infection_monkey.ransomware.ransomware_payload import EXTENSION, RansomewarePayload
from infection_monkey.telemetry.i_telem import ITelem
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
class TelemetryMessengerSpy(ITelemetryMessenger):
def __init__(self):
self.telemetries = []
def send_telemetry(self, telemetry: ITelem):
self.telemetries.append(telemetry)
def with_extension(filename): def with_extension(filename):
@ -33,8 +45,13 @@ def ransomware_payload_config(ransomware_target):
@pytest.fixture @pytest.fixture
def ransomware_payload(ransomware_payload_config): def telemetry_messenger_spy():
return RansomewarePayload(ransomware_payload_config) return TelemetryMessengerSpy()
@pytest.fixture
def ransomware_payload(ransomware_payload_config, telemetry_messenger_spy):
return RansomewarePayload(ransomware_payload_config, telemetry_messenger_spy)
def test_file_with_excluded_extension_not_encrypted(ransomware_target, ransomware_payload): def test_file_with_excluded_extension_not_encrypted(ransomware_target, ransomware_payload):
@ -120,3 +137,30 @@ def test_skip_already_encrypted_file(ransomware_target, ransomware_payload):
hash_file(ransomware_target / ALREADY_ENCRYPTED_TXT_M0NK3Y) hash_file(ransomware_target / ALREADY_ENCRYPTED_TXT_M0NK3Y)
== ALREADY_ENCRYPTED_TXT_M0NK3Y_CLEARTEXT_SHA256 == ALREADY_ENCRYPTED_TXT_M0NK3Y_CLEARTEXT_SHA256
) )
def test_telemetry_success(ransomware_payload, telemetry_messenger_spy):
ransomware_payload.run_payload()
assert len(telemetry_messenger_spy.telemetries) == 2
telem_1 = telemetry_messenger_spy.telemetries[0]
telem_2 = telemetry_messenger_spy.telemetries[1]
assert ALL_ZEROS_PDF in telem_1.get_data()["ransomware_attempts"][0]
assert telem_1.get_data()["ransomware_attempts"][1] == ""
assert TEST_KEYBOARD_TXT in telem_2.get_data()["ransomware_attempts"][0]
assert telem_2.get_data()["ransomware_attempts"][1] == ""
def test_telemetry_failure(monkeypatch, ransomware_payload, telemetry_messenger_spy):
monkeypatch.setattr(
ransomware_payload_module,
"select_production_safe_target_files",
lambda a, b: [PurePath("/file/not/exist")],
),
ransomware_payload.run_payload()
telem_1 = telemetry_messenger_spy.telemetries[0]
assert "/file/not/exist" in telem_1.get_data()["ransomware_attempts"][0]
assert "No such file or directory" in telem_1.get_data()["ransomware_attempts"][1]

View File

@ -0,0 +1,20 @@
import json
import pytest
from infection_monkey.telemetry.ransomware_telem import RansomwareTelem
ATTEMPTS = [("<file>", "<encryption attempt result>")]
@pytest.fixture
def ransomware_telem_test_instance():
return RansomwareTelem(ATTEMPTS)
def test_ransomware_telem_send(ransomware_telem_test_instance, spy_send_telemetry):
ransomware_telem_test_instance.send()
expected_data = {"ransomware_attempts": ATTEMPTS}
expected_data = json.dumps(expected_data, cls=ransomware_telem_test_instance.json_encoder)
assert spy_send_telemetry.data == expected_data
assert spy_send_telemetry.telem_category == "ransomware"