From 76bbe62c3bee615e577a0d57ad13dd0677d4c234 Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski <ilija.la@live.com>
Date: Mon, 15 Aug 2022 17:58:05 +0200
Subject: [PATCH] Agent: Modify Zerologon to publish CredentialsStolenEvent

---
 monkey/infection_monkey/exploit/zerologon.py | 28 ++++++++++++++------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/monkey/infection_monkey/exploit/zerologon.py b/monkey/infection_monkey/exploit/zerologon.py
index 276b0c529..36686a728 100644
--- a/monkey/infection_monkey/exploit/zerologon.py
+++ b/monkey/infection_monkey/exploit/zerologon.py
@@ -9,7 +9,8 @@ import os
 import re
 import tempfile
 from binascii import unhexlify
-from typing import Dict, List, Optional, Tuple
+from time import time
+from typing import Dict, List, Optional, Sequence, Tuple
 
 import impacket
 from impacket.dcerpc.v5 import epm, nrpc, rpcrt, transport
@@ -17,6 +18,8 @@ from impacket.dcerpc.v5.dtypes import NULL
 
 from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
 from common.credentials import Credentials, LMHash, NTHash, Username
+from common.events import CredentialsStolenEvent
+from infection_monkey.config import IGUID
 from infection_monkey.exploit.HostExploiter import HostExploiter
 from infection_monkey.exploit.tools.wmi_tools import WmiTools
 from infection_monkey.exploit.zerologon_utils.dump_secrets import DumpSecrets
@@ -284,14 +287,23 @@ class ZerologonExploiter(HostExploiter):
     def send_extracted_creds_as_credential_telemetry(
         self, user: str, lmhash: str, nthash: str
     ) -> None:
-        self.telemetry_messenger.send_telemetry(
-            CredentialsTelem(
-                [
-                    Credentials(Username(user), LMHash(lmhash)),
-                    Credentials(Username(user), NTHash(nthash)),
-                ]
-            )
+        extracted_credentials = [
+            Credentials(Username(user), LMHash(lmhash)),
+            Credentials(Username(user), NTHash(nthash)),
+        ]
+
+        self.telemetry_messenger.send_telemetry(CredentialsTelem(extracted_credentials))
+        self._publish_credentials_stolen_event(extracted_credentials)
+
+    def _publish_credentials_stolen_event(self, extracted_credentials: Sequence[Credentials]):
+        credentials_stolen_event = CredentialsStolenEvent(
+            source=IGUID,
+            target=None,
+            timestamp=time(),
+            tags=({"ZerologonCredentialsStolen"}),
+            stolen_credentials=extracted_credentials,
         )
+        self.event_queue.publish(credentials_stolen_event)
 
     def get_original_pwd_nthash(self, username: str, user_pwd_hashes: List[str]) -> str:
         if not self.save_HKLM_keys_locally(username, user_pwd_hashes):
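Review bot: The new `_publish_credentials_stolen_event` has no return annotation or docstring, while its sibling `send_extracted_creds_as_credential_telemetry` in the same hunk is annotated `-> None`; make the signature `def _publish_credentials_stolen_event(self, extracted_credentials: Sequence[Credentials]) -> None:` and add a one-line docstring saying it wraps the extracted credentials in a CredentialsStolenEvent stamped with the agent's IGUID and the current time and publishes it on the event queue. The parentheses in `tags=({"ZerologonCredentialsStolen"})` are redundant around a set literal; `tags={"ZerologonCredentialsStolen"},` reads cleaner. `target=None` is passed even though the exploiter is operating against a specific host; if the event's target is meant to identify where the credentials were taken from, the exploiter's host (which the hunk does not show) is probably the intended value, so that should be confirmed against the event's definition. The hunk does not show where `self.event_queue` is set on the exploiter, so it is assumed to exist on the HostExploiter base. The enclosing class continues outside the hunk.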