From ac11d159feb75bc7e2ed9bf9ec3e6c3ab2e00e79 Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Thu, 6 Oct 2022 16:03:15 +0200
Subject: [PATCH] Agent: Revise Powershell publishing of events

---
 monkey/infection_monkey/exploit/powershell.py | 37 +++++++++++--------
 1 file changed, 22 insertions(+), 15 deletions(-)

diff --git a/monkey/infection_monkey/exploit/powershell.py b/monkey/infection_monkey/exploit/powershell.py
index a4b2a66a8..ff1e6d785 100644
--- a/monkey/infection_monkey/exploit/powershell.py
+++ b/monkey/infection_monkey/exploit/powershell.py
@@ -1,5 +1,6 @@
 import logging
 from pathlib import Path, PurePath
+from time import time
 from typing import List, Optional

 from common import OperatingSystem
@@ -27,12 +28,6 @@ from infection_monkey.utils.threading import interruptible_iter
 logger = logging.getLogger(__name__)

 POWERSHELL_EXPLOITER_TAG = "powershell-exploiter"
-EXPLOITER_TAGS = (POWERSHELL_EXPLOITER_TAG, T1059_ATTACK_TECHNIQUE_TAG, T1110_ATTACK_TECHNIQUE_TAG)
-PROPAGATION_TAGS = (
- POWERSHELL_EXPLOITER_TAG,
- T1059_ATTACK_TECHNIQUE_TAG,
- T1105_ATTACK_TECHNIQUE_TAG,
-)


 class RemoteAgentCopyError(Exception):
@@ -46,6 +41,17 @@ class RemoteAgentExecutionError(Exception):
 class PowerShellExploiter(HostExploiter):
 _EXPLOITED_SERVICE = "PowerShell Remoting (WinRM)"

+ _EXPLOITER_TAGS = (
+ POWERSHELL_EXPLOITER_TAG,
+ T1059_ATTACK_TECHNIQUE_TAG,
+ T1110_ATTACK_TECHNIQUE_TAG,
+ )
+ _PROPAGATION_TAGS = (
+ POWERSHELL_EXPLOITER_TAG,
+ T1059_ATTACK_TECHNIQUE_TAG,
+ T1105_ATTACK_TECHNIQUE_TAG,
+ )

 def __init__(self):
 super().__init__()
 self._client = None
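Review bot: The new `_EXPLOITER_TAGS` and `_PROPAGATION_TAGS` class attributes in the `PowerShellExploiter` hunk carry no comment saying who reads them; nothing in this patch references them after the move from module level, so they appear to be consumed by `HostExploiter` when `_publish_exploitation_event` / `_publish_propagation_event` build the event (that base class is not in the patch). A reader of this file cannot tell the attribute names are part of a base-class contract rather than leftover constants. I would add above `_EXPLOITER_TAGS`: `# Read by HostExploiter when publishing exploitation/propagation events; the attribute names are part of that contract — confirm against the base class`. Since the two tuples differ only in their last element, a one-line comment on each (T1110 for the credential brute-force step, T1105 for copying the agent over) would also make the split obvious.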
@@ -80,16 +86,19 @@ class PowerShellExploiter(HostExploiter):
 )
 return self.exploit_result

+ timestamp = time()
 try:
 self._execute_monkey_agent_on_victim()
- except Exception as ex:
- self._publish_propagation_event(self.host.ip_addr, False, PROPAGATION_TAGS, str(ex))
- logger.error(f"Failed to propagate to the remote host: {ex}")
- self.exploit_result.error_message = str(ex)
+ except Exception as err:
+ self.exploit_result.error_message = f"Failed to propagate to the remote host: {err}"
+ self._publish_propagation_event(
+ time=timestamp, success=False, error_message=self.exploit_result.error_message
+ )
+ logger.error(self.exploit_result.error_message)
 return self.exploit_result

 self.exploit_result.propagation_success = True
- self._publish_propagation_event(self.host.ip_addr, True, PROPAGATION_TAGS)
+ self._publish_propagation_event(timestamp, True)
 return self.exploit_result
@@ -116,7 +125,7 @@ class PowerShellExploiter(HostExploiter):
 f"{creds.username}, Secret Type: {creds.secret_type.name}"
 )

- self._publish_exploitation_event(self.host.ip_addr, True, EXPLOITER_TAGS)
+ self._publish_exploitation_event(success=True)
 self.exploit_result.exploitation_success = True
 self._report_login_attempt(True, creds)
@@ -127,9 +136,7 @@ class PowerShellExploiter(HostExploiter):
 f"{creds.username}, SecretType: {creds.secret_type.name} -- Error: {ex}"
 )
 logger.debug(error_message)
- self._publish_exploitation_event(
- self.host.ip_addr, False, EXPLOITER_TAGS, error_message
- )
+ self._publish_exploitation_event(success=False, error_message=error_message)
 self._report_login_attempt(False, creds)

 return None
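Review bot: The success-path call `self._publish_propagation_event(timestamp, True)` passes its arguments positionally while the failure path a few lines above passes them by keyword (`time=timestamp, success=False, ...`); the two calls should use the same form, and the keyword form is the safer one because a later change to the base-class parameter order cannot silently swap the time and the flag: `self._publish_propagation_event(time=timestamp, success=True)`. `timestamp` is taken before `_execute_monkey_agent_on_victim()` runs, so the published event is stamped with the start of the attempt rather than its completion; a short comment on the `timestamp = time()` line, `# event time is the start of the propagation attempt, not its completion`, would keep the next reader from "fixing" it. The enclosing method begins before this hunk.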
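Review bot: The exploitation events in the `@@ -116` hunk and the `@@ -127` hunk (`self._publish_exploitation_event(success=True)` and `self._publish_exploitation_event(success=False, error_message=error_message)`) pass no `time`, unlike the propagation path earlier in the patch, which captures `time()` before the attempt and forwards it on both outcomes. If the base method defaults the timestamp to the moment of publishing (its signature is not in the patch), the exploitation event is stamped after the login attempt has already completed, and the two event kinds end up timestamped on different conventions. I would capture `timestamp = time()` before the login attempt and pass `time=timestamp` in both calls, matching the propagation path. The enclosing method begins outside these hunks.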