From 5948537d4a40e2921d43e10eba972bd1caea35c2 Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Tue, 4 Oct 2022 15:59:58 +0200
Subject: [PATCH] Agent: Add tags to SSHExploiter
---
 monkey/infection_monkey/exploit/sshexec.py | 77 ++++++++++++++--------
 1 file changed, 49 insertions(+), 28 deletions(-)
diff --git a/monkey/infection_monkey/exploit/sshexec.py b/monkey/infection_monkey/exploit/sshexec.py
index ed0ee5124..600a8c2e3 100644
--- a/monkey/infection_monkey/exploit/sshexec.py
+++ b/monkey/infection_monkey/exploit/sshexec.py
@@ -30,6 +30,11 @@
 SSH_EXEC_TIMEOUT = LONG_REQUEST_TIMEOUT
 SSH_CHANNEL_TIMEOUT = MEDIUM_REQUEST_TIMEOUT
 TRANSFER_UPDATE_RATE = 15
+SSH_EXPLOITER_TAG = "ssh-exploiter"
+T1105_ATTACK_TECHNIQUE_TAG = "attack-t1105"
+T1110_ATTACK_TECHNIQUE_TAG = "attack-t1110"
+T1222_ATTACK_TECHNIQUE_TAG = "attack-t1222"
+T1021_ATTACK_TECHNIQUE_TAG = "attack-t1021"
 class SSHExploiter(HostExploiter):
@@ -86,12 +91,28 @@ class SSHExploiter(HostExploiter):
 )
 self.add_vuln_port(port)
 self.exploit_result.exploitation_success = True
+ self._publish_exploitation_event(
+ target=self.host.ip_addr,
+ exploitation_success=True,
+ tags=(
+ SSH_EXPLOITER_TAG,
+ T1110_ATTACK_TECHNIQUE_TAG,
+ T1021_ATTACK_TECHNIQUE_TAG,
+ ),
+ )
 self.report_login_attempt(True, user, ssh_key=ssh_string)
 return ssh
 except paramiko.AuthenticationException as err:
 ssh.close()
- logger.info(
- f"Failed logging into victim {self.host} with {ssh_string} private key: {err}",
+ error_message = (
+ f"Failed logging into victim {self.host} with {ssh_string} private key: {err}"
+ )
+ logger.info(error_message)
+ self._publish_exploitation_event(
+ target=self.host.ip_addr,
+ exploitation_success=False,
+ error_message=error_message,
+ tags=(SSH_EXPLOITER_TAG,),
 )
 self.report_login_attempt(False, user, ssh_key=ssh_string)
 continue
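Review bot: T1105_ATTACK_TECHNIQUE_TAG and T1222_ATTACK_TECHNIQUE_TAG are already referenced by the old side of this file (the `tags=frozenset((T1105_ATTACK_TECHNIQUE_TAG,))` lines further down), so both names were in scope before the five module-level assignments in the first hunk; if they came from an import, the new definitions shadow it and the tag strings can silently drift from the shared values. Prefer importing all five from wherever the existing two came from, or at least drop the two redefinitions and keep only `SSH_EXPLOITER_TAG`, `T1110_ATTACK_TECHNIQUE_TAG` and `T1021_ATTACK_TECHNIQUE_TAG` here. The file's import block is outside this hunk, so this is inferred from the references rather than seen.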
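Review bot: The failed-login event added in the `except paramiko.AuthenticationException` branch carries only `SSH_EXPLOITER_TAG`, while the success event a few lines above is tagged with T1110 and T1021; a rejected credential is still a brute-force attempt, so tagging only successes under-reports T1110 activity in the island's ATT&CK view. Consider `tags=(SSH_EXPLOITER_TAG, T1110_ATTACK_TECHNIQUE_TAG)` on the failure event here and on the matching one in the password-login hunk (`@@ -131,15 +152,26 @@`). Separately, `error_message` embeds `{ssh_string}` and now travels inside the published event rather than only the local log; if `ssh_string` is anything more than a key identifier, confirm that value is acceptable to send off the agent. The enclosing method starts outside this hunk.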
@@ -131,15 +152,26 @@ class SSHExploiter(HostExploiter):
 logger.debug("Successfully logged in %r using SSH. User: %s", self.host, user)
 self.add_vuln_port(port)
 self.exploit_result.exploitation_success = True
+ self._publish_exploitation_event(
+ target=self.host.ip_addr,
+ exploitation_success=True,
+ tags=(
+ SSH_EXPLOITER_TAG,
+ T1110_ATTACK_TECHNIQUE_TAG,
+ T1021_ATTACK_TECHNIQUE_TAG,
+ ),
+ )
 self.report_login_attempt(True, user, current_password)
 return ssh
 except paramiko.AuthenticationException as err:
- logger.debug(
- "Failed logging into victim %r with user" " %s: (%s)",
- self.host,
- user,
- err,
+ error_message = f"Failed logging into victim {self.host} with user: {user}: {err}"
+ logger.debug(error_message)
+ self._publish_exploitation_event(
+ target=self.host.ip_addr,
+ exploitation_success=False,
+ error_message=error_message,
+ tags=(SSH_EXPLOITER_TAG,),
 )
 self.report_login_attempt(False, user, current_password)
 ssh.close()
@@ -159,7 +191,12 @@ class SSHExploiter(HostExploiter):
 is_open, _ = check_tcp_port(self.host.ip_addr, port)
 if not is_open:
 self.exploit_result.error_message = f"SSH port is closed on {self.host}, skipping"
-
+ self._publish_exploitation_event(
+ target=self.host.ip_addr,
+ exploitation_success=False,
+ error_message=self.exploit_result.error_message,
+ tags=(SSH_EXPLOITER_TAG,),
+ )
 logger.info(self.exploit_result.error_message)
 return self.exploit_result
@@ -188,23 +225,12 @@ class SSHExploiter(HostExploiter):
 self.exploit_result.error_message = f"SSH Skipping unknown os: {uname_os}"
 if not uname_os:
- self._publish_propagation_event(
- target=self.host.ip_addr,
- propagation_success=False,
- error_message=self.exploit_result.error_message,
- )
-
 logger.error(self.exploit_result.error_message)
 return self.exploit_result
 except Exception as exc:
 self.exploit_result.error_message = (
 f"Error running uname os command on victim {self.host}: ({exc})"
 )
- self._publish_propagation_event(
- target=self.host.ip_addr,
- propagation_success=False,
- error_message=self.exploit_result.error_message,
- )
 logger.error(self.exploit_result.error_message)
 return self.exploit_result
@@ -222,6 +248,7 @@ class SSHExploiter(HostExploiter):
 target=self.host.ip_addr,
 propagation_success=False,
 error_message=self.exploit_result.error_message,
+ tags=(SSH_EXPLOITER_TAG,),
 )
 logger.error(self.exploit_result.error_message)
@@ -265,7 +292,7 @@ class SSHExploiter(HostExploiter):
 target=self.host.ip_addr,
 propagation_success=False,
 error_message=self.exploit_result.error_message,
- tags=frozenset((T1105_ATTACK_TECHNIQUE_TAG,)),
+ tags=(SSH_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG, T1222_ATTACK_TECHNIQUE_TAG),
 )
 return self.exploit_result
@@ -287,7 +314,7 @@ class SSHExploiter(HostExploiter):
 self._publish_propagation_event(
 target=self.host.ip_addr,
 propagation_success=True,
- tags=frozenset((T1105_ATTACK_TECHNIQUE_TAG,)),
+ tags=(SSH_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG, T1222_ATTACK_TECHNIQUE_TAG),
 )
 ssh.close()
@@ -303,7 +330,7 @@ class SSHExploiter(HostExploiter):
 target=self.host.ip_addr,
 propagation_success=False,
 error_message=self.exploit_result.error_message,
- tags=frozenset((T1105_ATTACK_TECHNIQUE_TAG,)),
+ tags=(SSH_EXPLOITER_TAG, T1105_ATTACK_TECHNIQUE_TAG, T1222_ATTACK_TECHNIQUE_TAG),
 )
 logger.error(self.exploit_result.error_message)
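Review bot: After the `@@ -188,23 +225,12 @@` hunk the `if not uname_os` and `except Exception` branches only log and return, so a failure that happens after a successful login no longer produces any event, whereas the closed-port path in `@@ -159,7 +191,12 @@` now does; the island loses visibility of exactly the failures that occur on an authenticated session. If the removal is deliberate because no transfer has been attempted yet, a short comment such as `# No event here: OS detection failed before any propagation step ran` would stop the next reader from re-adding one; otherwise keep a propagation failure event with `tags=(SSH_EXPLOITER_TAG,)` in both branches. The enclosing try/except starts before this hunk, so the surrounding control flow is inferred.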
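Review bot: The three propagation events at `@@ -265,7 +292,7 @@`, `@@ -287,7 +314,7 @@` and `@@ -303,7 +330,7 @@` now all carry both `T1105_ATTACK_TECHNIQUE_TAG` and `T1222_ATTACK_TECHNIQUE_TAG` regardless of which step they report, so a failure event can be tagged with a technique that was never attempted and a reader can no longer separate transfer failures from permission-change failures by tag. If these hunks sit in the transfer and chmod steps, as the old single-tag values suggest, tag each event with the technique its step actually performs rather than the union. The switch from `frozenset((...))` to a plain tuple also assumes `_publish_propagation_event` normalises its `tags` argument; that helper is outside this diff, so the accepted type is worth confirming. The enclosing method body is outside these hunks.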
@@ -320,9 +347,3 @@ class SSHExploiter(HostExploiter):
 self.host,
 )
 )
-
- self._publish_propagation_event(
- target=self.host.ip_addr,
- propagation_success=False,
- tags=frozenset((T1222_ATTACK_TECHNIQUE_TAG,)),
- )