From 2431d45b74c723249205114693143e8f29b0de90 Mon Sep 17 00:00:00 2001 From: Shreya Date: Sun, 23 Aug 2020 22:42:37 +0530 Subject: [PATCH 1/4] Add T1146 (clear command history) --- monkey/common/data/post_breach_consts.py | 1 + .../actions/clear_command_history.py | 49 +++++++++++++ .../clear_command_history.py | 7 ++ .../linux_clear_command_history.py | 41 +++++++++++ .../cc/services/attack/attack_report.py | 14 ++-- .../cc/services/attack/attack_schema.py | 9 +++ .../attack/technique_reports/T1146.py | 22 ++++++ .../definitions/post_breach_actions.py | 9 +++ .../cc/services/config_schema/monkey.py | 3 +- .../src/components/attack/techniques/T1146.js | 45 ++++++++++++ .../security/PostBreachParser.js | 70 +++++++++++++------ 11 files changed, 241 insertions(+), 29 deletions(-) create mode 100644 monkey/infection_monkey/post_breach/actions/clear_command_history.py create mode 100644 monkey/infection_monkey/post_breach/clear_command_history/clear_command_history.py create mode 100644 monkey/infection_monkey/post_breach/clear_command_history/linux_clear_command_history.py create mode 100644 monkey/monkey_island/cc/services/attack/technique_reports/T1146.py create mode 100644 monkey/monkey_island/cc/ui/src/components/attack/techniques/T1146.js diff --git a/monkey/common/data/post_breach_consts.py b/monkey/common/data/post_breach_consts.py index c3bba9950..2231e2eb7 100644 --- a/monkey/common/data/post_breach_consts.py +++ b/monkey/common/data/post_breach_consts.py @@ -6,3 +6,4 @@ POST_BREACH_HIDDEN_FILES = "Hide files and directories" POST_BREACH_TRAP_COMMAND = "Execute command when a particular signal is received" POST_BREACH_SETUID_SETGID = "Setuid and Setgid" POST_BREACH_JOB_SCHEDULING = "Schedule jobs" +POST_BREACH_CLEAR_CMD_HISTORY = "Clear command history" diff --git a/monkey/infection_monkey/post_breach/actions/clear_command_history.py b/monkey/infection_monkey/post_breach/actions/clear_command_history.py new file mode 100644 index 000000000..c4a95a302 --- /dev/null +++ b/monkey/infection_monkey/post_breach/actions/clear_command_history.py @@ -0,0 +1,49 @@ +import subprocess + +from common.data.post_breach_consts import POST_BREACH_CLEAR_CMD_HISTORY +from infection_monkey.post_breach.pba import PBA +from infection_monkey.post_breach.clear_command_history.clear_command_history import \ + get_commands_to_clear_command_history +from infection_monkey.telemetry.post_breach_telem import PostBreachTelem + + +class ClearCommandHistory(PBA): + def __init__(self): + super().__init__(name=POST_BREACH_CLEAR_CMD_HISTORY) + + def run(self): + results = [pba.run() for pba in self.clear_command_history_PBA_list()] + PostBreachTelem(self, results).send() + + def clear_command_history_PBA_list(self): + return self.CommandHistoryPBAGenerator().get_clear_command_history_pbas() + + class CommandHistoryPBAGenerator(): + def get_clear_command_history_pbas(self): + (cmds_for_linux, command_history_files_for_linux, usernames_for_linux) =\ + get_commands_to_clear_command_history() + + pbas = [] + + for username in usernames_for_linux: + for command_history_file in command_history_files_for_linux: + linux_cmds = ' '.join(cmds_for_linux).format(command_history_file).format(username) + pbas.append(self.ClearCommandHistoryFile(linux_cmds=linux_cmds)) + + return pbas + + class ClearCommandHistoryFile(PBA): + def __init__(self, linux_cmds): + super().__init__(name=POST_BREACH_CLEAR_CMD_HISTORY, + linux_cmd=linux_cmds) + + def run(self): + if self.command: + try: + output = subprocess.check_output(self.command, # noqa: DUO116 + stderr=subprocess.STDOUT, + shell=True).decode() + return output, True + except subprocess.CalledProcessError as e: + # Return error output of the command + return e.output.decode(), False diff --git a/monkey/infection_monkey/post_breach/clear_command_history/clear_command_history.py b/monkey/infection_monkey/post_breach/clear_command_history/clear_command_history.py new file mode 100644 index 000000000..2edfefeac --- /dev/null +++ b/monkey/infection_monkey/post_breach/clear_command_history/clear_command_history.py @@ -0,0 +1,7 @@ +from infection_monkey.post_breach.clear_command_history.linux_clear_command_history import \ + get_linux_commands_to_clear_command_history + + +def get_commands_to_clear_command_history(): + linux_cmds = get_linux_commands_to_clear_command_history() + return linux_cmds diff --git a/monkey/infection_monkey/post_breach/clear_command_history/linux_clear_command_history.py b/monkey/infection_monkey/post_breach/clear_command_history/linux_clear_command_history.py new file mode 100644 index 000000000..c48ccc389 --- /dev/null +++ b/monkey/infection_monkey/post_breach/clear_command_history/linux_clear_command_history.py @@ -0,0 +1,41 @@ +import subprocess + +from infection_monkey.utils.environment import is_windows_os + +TEMP_HIST_FILE = '$HOME/monkey-temp-hist-file' + + +def get_linux_commands_to_clear_command_history(): + if is_windows_os(): + return '', [], [] + + HOME_DIR = "/home/" + + # get list of usernames + USERS = subprocess.check_output( # noqa: DUO116 + "cut -d: -f1,3 /etc/passwd | egrep ':[0-9]{4}$' | cut -d: -f1", + shell=True + ).decode().split('\n')[:-1] + + # get list of paths of different shell history files (default values) with place for username + STARTUP_FILES = [ + file_path.format(HOME_DIR) for file_path in + [ + "{0}{{0}}/.bash_history", # bash + "{0}{{0}}/.local/share/fish/fish_history", # fish + "{0}{{0}}/.zsh_history", # zsh + "{0}{{0}}/.sh_history", # ksh + "{0}{{0}}/.history" # csh, tcsh + ] + ] + + return [ + '3<{0} 3<&- && ', # check for existence of file + 'cat {0} ' # copy contents of history file to... + f'> {TEMP_HIST_FILE} && ', # ...temporary file + 'echo > {0} && ', # clear contents of file + 'echo \"Successfully cleared {0}\" && ', # if successfully cleared + f'cat {TEMP_HIST_FILE} ', # restore history file back with... + '> {0} ;' # ...original contents + f'rm {TEMP_HIST_FILE} -f' # remove temp history file + ], STARTUP_FILES, USERS diff --git a/monkey/monkey_island/cc/services/attack/attack_report.py b/monkey/monkey_island/cc/services/attack/attack_report.py index 6d4bac9ed..d60b848e4 100644 --- a/monkey/monkey_island/cc/services/attack/attack_report.py +++ b/monkey/monkey_island/cc/services/attack/attack_report.py @@ -14,11 +14,12 @@ from monkey_island.cc.services.attack.technique_reports import (T1003, T1005, T1106, T1107, T1110, T1129, T1136, T1145, - T1154, T1156, - T1158, T1166, - T1168, T1188, - T1197, T1210, - T1222, T1504) + T1146, T1154, + T1156, T1158, + T1166, T1168, + T1188, T1197, + T1210, T1222, + T1504) from monkey_island.cc.services.reporting.report_generation_synchronisation import \ safe_generate_attack_report @@ -57,7 +58,8 @@ TECHNIQUES = {'T1210': T1210.T1210, 'T1154': T1154.T1154, 'T1166': T1166.T1166, 'T1168': T1168.T1168, - 'T1053': T1053.T1053 + 'T1053': T1053.T1053, + 'T1146': T1146.T1146 } REPORT_NAME = 'new_report' diff --git a/monkey/monkey_island/cc/services/attack/attack_schema.py b/monkey/monkey_island/cc/services/attack/attack_schema.py index 30d33ca3e..501f4da24 100644 --- a/monkey/monkey_island/cc/services/attack/attack_schema.py +++ b/monkey/monkey_island/cc/services/attack/attack_schema.py @@ -168,6 +168,15 @@ SCHEMA = { "description": "Adversaries may abuse BITS to download, execute, " "and even clean up after running malicious code." }, + "T1146": { + "title": "Clear command history", + "type": "bool", + "value": True, + "necessary": False, + "link": "https://attack.mitre.org/techniques/T1146", + "description": "Adversaries may clear/disable command history of a compromised " + "account to conceal the actions undertaken during an intrusion." + }, "T1107": { "title": "File Deletion", "type": "bool", diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1146.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1146.py new file mode 100644 index 000000000..fe7519f97 --- /dev/null +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1146.py @@ -0,0 +1,22 @@ +from common.data.post_breach_consts import POST_BREACH_CLEAR_CMD_HISTORY +from monkey_island.cc.services.attack.technique_reports.pba_technique import \ + PostBreachTechnique + +__author__ = "shreyamalviya" + + +class T1146(PostBreachTechnique): + tech_id = "T1146" + unscanned_msg = "Monkey didn't try clearing/disabling the command history since it didn't run on any Linux machines." + scanned_msg = "Monkey tried clearing/disabling the command history but failed." + used_msg = "Monkey successfully cleared/disabled the command history." + pba_names = [POST_BREACH_CLEAR_CMD_HISTORY] + + @staticmethod + def get_pba_query(*args): + return [{'$match': {'telem_category': 'post_breach', + 'data.name': POST_BREACH_CLEAR_CMD_HISTORY}}, + {'$project': {'_id': 0, + 'machine': {'hostname': {'$arrayElemAt': ['$data.hostname', 0]}, + 'ips': [{'$arrayElemAt': ['$data.ip', 0]}]}, + 'result': '$data.result'}}] diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py index f3e2a9bfa..acb6921a4 100644 --- a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py +++ b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py @@ -70,6 +70,15 @@ POST_BREACH_ACTIONS = { "title": "Job scheduling", "info": "Attempts to create a scheduled job on the system and remove it.", "attack_techniques": ["T1168", "T1053"] + }, + { + "type": "string", + "enum": [ + "ClearCommandHistory" + ], + "title": "Clear command history", + "info": "Attempts to clear the command history.", + "attack_techniques": ["T1146"] } ] } diff --git a/monkey/monkey_island/cc/services/config_schema/monkey.py b/monkey/monkey_island/cc/services/config_schema/monkey.py index dd10cb35b..92a5bb828 100644 --- a/monkey/monkey_island/cc/services/config_schema/monkey.py +++ b/monkey/monkey_island/cc/services/config_schema/monkey.py @@ -67,7 +67,8 @@ MONKEY = { "HiddenFiles", "TrapCommand", "ChangeSetuidSetgid", - "ScheduleJobs" + "ScheduleJobs", + "ClearCommandHistory" ] }, } diff --git a/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1146.js b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1146.js new file mode 100644 index 000000000..26693b892 --- /dev/null +++ b/monkey/monkey_island/cc/ui/src/components/attack/techniques/T1146.js @@ -0,0 +1,45 @@ +import React from 'react'; +import ReactTable from 'react-table'; +import {renderMachineFromSystemData, ScanStatus} from './Helpers'; +import MitigationsComponent from './MitigationsComponent'; + +class T1146 extends React.Component { + + constructor(props) { + super(props); + } + + static getColumns() { + return ([{ + columns: [ + { Header: 'Machine', + id: 'machine', + accessor: x => renderMachineFromSystemData(x.machine), + style: {'whiteSpace': 'unset'}}, + { Header: 'Result', + id: 'result', + accessor: x => x.result, + style: {'whiteSpace': 'unset'}} + ] + }]) + } + + render() { + return ( +
+
{this.props.data.message}
+
+ {this.props.data.status === ScanStatus.USED ? + : ''} + +
+ ); + } + } + + export default T1146; diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/security/PostBreachParser.js b/monkey/monkey_island/cc/ui/src/components/report-components/security/PostBreachParser.js index b56a532f7..b0368aea1 100644 --- a/monkey/monkey_island/cc/ui/src/components/report-components/security/PostBreachParser.js +++ b/monkey/monkey_island/cc/ui/src/components/report-components/security/PostBreachParser.js @@ -1,33 +1,59 @@ export default function parsePbaResults(results) { - results.pba_results = aggregateShellStartupPba(results.pba_results); + results.pba_results = aggregateMultipleResultsPba(results.pba_results); return results; } const SHELL_STARTUP_NAME = 'Modify shell startup file'; +const CMD_HISTORY_NAME = 'Clear command history'; -function aggregateShellStartupPba(results) { - let isSuccess = false; - let aggregatedPbaResult = undefined; - let successfulOutputs = ''; - let failedOutputs = ''; - - for(let i = 0; i < results.length; i++){ - if(results[i].name === SHELL_STARTUP_NAME && aggregatedPbaResult === undefined){ - aggregatedPbaResult = results[i]; - } - if(results[i].name === SHELL_STARTUP_NAME && results[i].result[1]){ - successfulOutputs += results[i].result[0]; - isSuccess = true; - } - if(results[i].name === SHELL_STARTUP_NAME && ! results[i].result[1]){ - failedOutputs += results[i].result[0]; +function aggregateMultipleResultsPba(results) { + let aggregatedPbaResults = { + 'Modify shell startup file': { + aggregatedResult: undefined, + successfulOutputs: '', + failedOutputs: '', + isSuccess: false + }, + 'Clear command history': { + aggregatedResult: undefined, + successfulOutputs: '', + failedOutputs: '', + isSuccess: false } } - if(aggregatedPbaResult === undefined) return results; - results = results.filter(result => result.name !== SHELL_STARTUP_NAME); - aggregatedPbaResult.result[0] = successfulOutputs + failedOutputs; - aggregatedPbaResult.result[1] = isSuccess; - results.push(aggregatedPbaResult); + function aggregateResults(result) { + if (aggregatedPbaResults[result.name].aggregatedResult === undefined) { + aggregatedPbaResults[result.name].aggregatedResult = result; + } + if (result.result[1]) { + aggregatedPbaResults[result.name].successfulOutputs += result.result[0]; + aggregatedPbaResults[result.name].isSuccess = true; + } + if (!result.result[1]) { + aggregatedPbaResults[result.name].failedOutputs += result.result[0]; + } + } + + function checkAggregatedResults(pbaName) { + if (aggregatedPbaResults[pbaName].aggregatedResult !== undefined) { + aggregatedPbaResults[pbaName].aggregatedResult.result[0] = aggregatedPbaResults[pbaName].successfulOutputs + aggregatedPbaResults[pbaName].failedOutputs; + aggregatedPbaResults[pbaName].aggregatedResult.result[1] = aggregatedPbaResults[pbaName].isSuccess; + results.push(aggregatedPbaResults[pbaName].aggregatedResult); + } + } + + for (let i = 0; i < results.length; i++) + if (results[i].name === SHELL_STARTUP_NAME || results[i].name === CMD_HISTORY_NAME) + aggregateResults(results[i]); + + if (aggregatedPbaResults[SHELL_STARTUP_NAME].aggregatedResult === undefined && + aggregatedPbaResults[CMD_HISTORY_NAME].aggregatedResult === undefined) + return results; + + results = results.filter(result => result.name !== SHELL_STARTUP_NAME && result.name !== CMD_HISTORY_NAME); + checkAggregatedResults(SHELL_STARTUP_NAME); + checkAggregatedResults(CMD_HISTORY_NAME); + return results; } From e25e913e86ee6e7b06584218fc17a2c268a2237b Mon Sep 17 00:00:00 2001 From: Shreya Date: Sun, 23 Aug 2020 23:17:58 +0530 Subject: [PATCH 2/4] Just some refactoring and chages to pass the build --- .../actions/clear_command_history.py | 2 +- .../security/PostBreachParser.js | 39 ++++++++++--------- 2 files changed, 22 insertions(+), 19 deletions(-) diff --git a/monkey/infection_monkey/post_breach/actions/clear_command_history.py b/monkey/infection_monkey/post_breach/actions/clear_command_history.py index c4a95a302..e2286c8ab 100644 --- a/monkey/infection_monkey/post_breach/actions/clear_command_history.py +++ b/monkey/infection_monkey/post_breach/actions/clear_command_history.py @@ -1,9 +1,9 @@ import subprocess from common.data.post_breach_consts import POST_BREACH_CLEAR_CMD_HISTORY -from infection_monkey.post_breach.pba import PBA from infection_monkey.post_breach.clear_command_history.clear_command_history import \ get_commands_to_clear_command_history +from infection_monkey.post_breach.pba import PBA from infection_monkey.telemetry.post_breach_telem import PostBreachTelem diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/security/PostBreachParser.js b/monkey/monkey_island/cc/ui/src/components/report-components/security/PostBreachParser.js index b0368aea1..d1c9c01ae 100644 --- a/monkey/monkey_island/cc/ui/src/components/report-components/security/PostBreachParser.js +++ b/monkey/monkey_island/cc/ui/src/components/report-components/security/PostBreachParser.js @@ -6,21 +6,18 @@ export default function parsePbaResults(results) { const SHELL_STARTUP_NAME = 'Modify shell startup file'; const CMD_HISTORY_NAME = 'Clear command history'; +const multipleResultsPbas = [SHELL_STARTUP_NAME, CMD_HISTORY_NAME] + function aggregateMultipleResultsPba(results) { - let aggregatedPbaResults = { - 'Modify shell startup file': { - aggregatedResult: undefined, - successfulOutputs: '', - failedOutputs: '', - isSuccess: false - }, - 'Clear command history': { + let aggregatedPbaResults = {}; + multipleResultsPbas.forEach(function(pba) { + aggregatedPbaResults[pba] = { aggregatedResult: undefined, successfulOutputs: '', failedOutputs: '', isSuccess: false } - } + }) function aggregateResults(result) { if (aggregatedPbaResults[result.name].aggregatedResult === undefined) { @@ -30,30 +27,36 @@ function aggregateMultipleResultsPba(results) { aggregatedPbaResults[result.name].successfulOutputs += result.result[0]; aggregatedPbaResults[result.name].isSuccess = true; } - if (!result.result[1]) { + else if (!result.result[1]) { aggregatedPbaResults[result.name].failedOutputs += result.result[0]; } } - function checkAggregatedResults(pbaName) { + function checkAggregatedResults(pbaName) { // if this pba's results were aggregated, push to `results` if (aggregatedPbaResults[pbaName].aggregatedResult !== undefined) { - aggregatedPbaResults[pbaName].aggregatedResult.result[0] = aggregatedPbaResults[pbaName].successfulOutputs + aggregatedPbaResults[pbaName].failedOutputs; + aggregatedPbaResults[pbaName].aggregatedResult.result[0] = (aggregatedPbaResults[pbaName].successfulOutputs + + aggregatedPbaResults[pbaName].failedOutputs); aggregatedPbaResults[pbaName].aggregatedResult.result[1] = aggregatedPbaResults[pbaName].isSuccess; results.push(aggregatedPbaResults[pbaName].aggregatedResult); } } + // check for pbas with multiple results and aggregate their results for (let i = 0; i < results.length; i++) - if (results[i].name === SHELL_STARTUP_NAME || results[i].name === CMD_HISTORY_NAME) + if (multipleResultsPbas.includes(results[i].name)) aggregateResults(results[i]); - if (aggregatedPbaResults[SHELL_STARTUP_NAME].aggregatedResult === undefined && - aggregatedPbaResults[CMD_HISTORY_NAME].aggregatedResult === undefined) + // if no modifications were made to the results, i.e. if no pbas had mutiple results, return `results` as it is + let noResultsModifications = true; + multipleResultsPbas.forEach((pba) => { + if (aggregatedPbaResults[pba].aggregatedResult !== undefined) + noResultsModifications = false; + }) + if (noResultsModifications) return results; + // if modifications were made, push aggregated results to `results` and return results = results.filter(result => result.name !== SHELL_STARTUP_NAME && result.name !== CMD_HISTORY_NAME); - checkAggregatedResults(SHELL_STARTUP_NAME); - checkAggregatedResults(CMD_HISTORY_NAME); - + multipleResultsPbas.forEach(pba => checkAggregatedResults(pba)); return results; } From 7950b246aa68e1c9c73bbdfd191a9d10efcdc8fd Mon Sep 17 00:00:00 2001 From: Shreya Date: Mon, 24 Aug 2020 15:26:15 +0530 Subject: [PATCH 3/4] Code review changes - break down `get_linux_commands_to_clear_command_history()` to separate functions - keep technique off by default - technique message changes - other tiny changes --- .../clear_command_history.py | 13 +++-- .../linux_clear_command_history.py | 52 ++++++++++++------- .../cc/services/attack/attack_schema.py | 2 +- .../attack/technique_reports/T1146.py | 6 +-- .../cc/services/config_schema/monkey.py | 3 +- .../security/PostBreachParser.js | 2 +- 6 files changed, 48 insertions(+), 30 deletions(-) diff --git a/monkey/infection_monkey/post_breach/clear_command_history/clear_command_history.py b/monkey/infection_monkey/post_breach/clear_command_history/clear_command_history.py index 2edfefeac..67c600a5d 100644 --- a/monkey/infection_monkey/post_breach/clear_command_history/clear_command_history.py +++ b/monkey/infection_monkey/post_breach/clear_command_history/clear_command_history.py @@ -1,7 +1,12 @@ -from infection_monkey.post_breach.clear_command_history.linux_clear_command_history import \ - get_linux_commands_to_clear_command_history +from infection_monkey.post_breach.clear_command_history.linux_clear_command_history import ( + get_linux_command_history_files, + get_linux_commands_to_clear_command_history, get_linux_usernames) def get_commands_to_clear_command_history(): - linux_cmds = get_linux_commands_to_clear_command_history() - return linux_cmds + (linux_cmds, + linux_cmd_hist_files, + linux_usernames) = (get_linux_commands_to_clear_command_history(), + get_linux_command_history_files(), + get_linux_usernames()) + return linux_cmds, linux_cmd_hist_files, linux_usernames diff --git a/monkey/infection_monkey/post_breach/clear_command_history/linux_clear_command_history.py b/monkey/infection_monkey/post_breach/clear_command_history/linux_clear_command_history.py index c48ccc389..a3545f124 100644 --- a/monkey/infection_monkey/post_breach/clear_command_history/linux_clear_command_history.py +++ b/monkey/infection_monkey/post_breach/clear_command_history/linux_clear_command_history.py @@ -2,21 +2,31 @@ import subprocess from infection_monkey.utils.environment import is_windows_os -TEMP_HIST_FILE = '$HOME/monkey-temp-hist-file' - def get_linux_commands_to_clear_command_history(): if is_windows_os(): - return '', [], [] + return '' + + TEMP_HIST_FILE = '$HOME/monkey-temp-hist-file' + + return [ + '3<{0} 3<&- && ', # check for existence of file + 'cat {0} ' # copy contents of history file to... + f'> {TEMP_HIST_FILE} && ', # ...temporary file + 'echo > {0} && ', # clear contents of file + 'echo \"Successfully cleared {0}\" && ', # if successfully cleared + f'cat {TEMP_HIST_FILE} ', # restore history file back with... + '> {0} ;' # ...original contents + f'rm {TEMP_HIST_FILE} -f' # remove temp history file + ] + + +def get_linux_command_history_files(): + if is_windows_os(): + return [] HOME_DIR = "/home/" - # get list of usernames - USERS = subprocess.check_output( # noqa: DUO116 - "cut -d: -f1,3 /etc/passwd | egrep ':[0-9]{4}$' | cut -d: -f1", - shell=True - ).decode().split('\n')[:-1] - # get list of paths of different shell history files (default values) with place for username STARTUP_FILES = [ file_path.format(HOME_DIR) for file_path in @@ -29,13 +39,17 @@ def get_linux_commands_to_clear_command_history(): ] ] - return [ - '3<{0} 3<&- && ', # check for existence of file - 'cat {0} ' # copy contents of history file to... - f'> {TEMP_HIST_FILE} && ', # ...temporary file - 'echo > {0} && ', # clear contents of file - 'echo \"Successfully cleared {0}\" && ', # if successfully cleared - f'cat {TEMP_HIST_FILE} ', # restore history file back with... - '> {0} ;' # ...original contents - f'rm {TEMP_HIST_FILE} -f' # remove temp history file - ], STARTUP_FILES, USERS + return STARTUP_FILES + + +def get_linux_usernames(): + if is_windows_os(): + return [] + + # get list of usernames + USERS = subprocess.check_output( # noqa: DUO116 + "cut -d: -f1,3 /etc/passwd | egrep ':[0-9]{4}$' | cut -d: -f1", + shell=True + ).decode().split('\n')[:-1] + + return USERS diff --git a/monkey/monkey_island/cc/services/attack/attack_schema.py b/monkey/monkey_island/cc/services/attack/attack_schema.py index 501f4da24..ab8eebe49 100644 --- a/monkey/monkey_island/cc/services/attack/attack_schema.py +++ b/monkey/monkey_island/cc/services/attack/attack_schema.py @@ -171,7 +171,7 @@ SCHEMA = { "T1146": { "title": "Clear command history", "type": "bool", - "value": True, + "value": False, "necessary": False, "link": "https://attack.mitre.org/techniques/T1146", "description": "Adversaries may clear/disable command history of a compromised " diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1146.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1146.py index fe7519f97..cacbe6789 100644 --- a/monkey/monkey_island/cc/services/attack/technique_reports/T1146.py +++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1146.py @@ -7,9 +7,9 @@ __author__ = "shreyamalviya" class T1146(PostBreachTechnique): tech_id = "T1146" - unscanned_msg = "Monkey didn't try clearing/disabling the command history since it didn't run on any Linux machines." - scanned_msg = "Monkey tried clearing/disabling the command history but failed." - used_msg = "Monkey successfully cleared/disabled the command history." + unscanned_msg = "Monkey didn't try clearing the command history since it didn't run on any Linux machines." + scanned_msg = "Monkey tried clearing the command history but failed." + used_msg = "Monkey successfully cleared the command history (and then restored it back)." pba_names = [POST_BREACH_CLEAR_CMD_HISTORY] @staticmethod diff --git a/monkey/monkey_island/cc/services/config_schema/monkey.py b/monkey/monkey_island/cc/services/config_schema/monkey.py index 92a5bb828..dd10cb35b 100644 --- a/monkey/monkey_island/cc/services/config_schema/monkey.py +++ b/monkey/monkey_island/cc/services/config_schema/monkey.py @@ -67,8 +67,7 @@ MONKEY = { "HiddenFiles", "TrapCommand", "ChangeSetuidSetgid", - "ScheduleJobs", - "ClearCommandHistory" + "ScheduleJobs" ] }, } diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/security/PostBreachParser.js b/monkey/monkey_island/cc/ui/src/components/report-components/security/PostBreachParser.js index d1c9c01ae..4bb420f71 100644 --- a/monkey/monkey_island/cc/ui/src/components/report-components/security/PostBreachParser.js +++ b/monkey/monkey_island/cc/ui/src/components/report-components/security/PostBreachParser.js @@ -56,7 +56,7 @@ function aggregateMultipleResultsPba(results) { return results; // if modifications were made, push aggregated results to `results` and return - results = results.filter(result => result.name !== SHELL_STARTUP_NAME && result.name !== CMD_HISTORY_NAME); + results = results.filter(result => !multipleResultsPbas.includes(result.name)); multipleResultsPbas.forEach(pba => checkAggregatedResults(pba)); return results; } From 144e314edcc8793307b5515d0243120b6850d71e Mon Sep 17 00:00:00 2001 From: Shreya Date: Thu, 27 Aug 2020 10:16:58 +0530 Subject: [PATCH 4/4] Tiny fix to work on Windows --- .../post_breach/actions/clear_command_history.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/monkey/infection_monkey/post_breach/actions/clear_command_history.py b/monkey/infection_monkey/post_breach/actions/clear_command_history.py index e2286c8ab..afd26996f 100644 --- a/monkey/infection_monkey/post_breach/actions/clear_command_history.py +++ b/monkey/infection_monkey/post_breach/actions/clear_command_history.py @@ -13,7 +13,8 @@ class ClearCommandHistory(PBA): def run(self): results = [pba.run() for pba in self.clear_command_history_PBA_list()] - PostBreachTelem(self, results).send() + if results: + PostBreachTelem(self, results).send() def clear_command_history_PBA_list(self): return self.CommandHistoryPBAGenerator().get_clear_command_history_pbas()