Merge pull request #1824 from guardicore/1604-itelemetrymessenger-in-pbas

Telemetry messenger in PBAs
This commit is contained in:
Mike Salvatore 2022-03-29 11:31:42 -04:00 committed by GitHub
commit cf211bc46f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 118 additions and 53 deletions

View File

@ -248,26 +248,56 @@ class InfectionMonkey:
) )
puppet.load_plugin( puppet.load_plugin(
"CommunicateAsBackdoorUser", CommunicateAsBackdoorUser, PluginType.POST_BREACH_ACTION "CommunicateAsBackdoorUser",
CommunicateAsBackdoorUser(self.telemetry_messenger),
PluginType.POST_BREACH_ACTION,
) )
puppet.load_plugin( puppet.load_plugin(
"ModifyShellStartupFiles", ModifyShellStartupFiles, PluginType.POST_BREACH_ACTION "ModifyShellStartupFiles",
) ModifyShellStartupFiles(self.telemetry_messenger),
puppet.load_plugin("HiddenFiles", HiddenFiles, PluginType.POST_BREACH_ACTION) PluginType.POST_BREACH_ACTION,
puppet.load_plugin("TrapCommand", CommunicateAsBackdoorUser, PluginType.POST_BREACH_ACTION)
puppet.load_plugin("ChangeSetuidSetgid", ChangeSetuidSetgid, PluginType.POST_BREACH_ACTION)
puppet.load_plugin("ScheduleJobs", ScheduleJobs, PluginType.POST_BREACH_ACTION)
puppet.load_plugin("Timestomping", Timestomping, PluginType.POST_BREACH_ACTION)
puppet.load_plugin("AccountDiscovery", AccountDiscovery, PluginType.POST_BREACH_ACTION)
puppet.load_plugin(
"ProcessListCollection", ProcessListCollection, PluginType.POST_BREACH_ACTION
)
puppet.load_plugin("TrapCommand", TrapCommand, PluginType.POST_BREACH_ACTION)
puppet.load_plugin(
"SignedScriptProxyExecution", SignedScriptProxyExecution, PluginType.POST_BREACH_ACTION
) )
puppet.load_plugin( puppet.load_plugin(
"ClearCommandHistory", ClearCommandHistory, PluginType.POST_BREACH_ACTION "HiddenFiles", HiddenFiles(self.telemetry_messenger), PluginType.POST_BREACH_ACTION
)
puppet.load_plugin(
"TrapCommand",
CommunicateAsBackdoorUser(self.telemetry_messenger),
PluginType.POST_BREACH_ACTION,
)
puppet.load_plugin(
"ChangeSetuidSetgid",
ChangeSetuidSetgid(self.telemetry_messenger),
PluginType.POST_BREACH_ACTION,
)
puppet.load_plugin(
"ScheduleJobs", ScheduleJobs(self.telemetry_messenger), PluginType.POST_BREACH_ACTION
)
puppet.load_plugin(
"Timestomping", Timestomping(self.telemetry_messenger), PluginType.POST_BREACH_ACTION
)
puppet.load_plugin(
"AccountDiscovery",
AccountDiscovery(self.telemetry_messenger),
PluginType.POST_BREACH_ACTION,
)
puppet.load_plugin(
"ProcessListCollection",
ProcessListCollection(self.telemetry_messenger),
PluginType.POST_BREACH_ACTION,
)
puppet.load_plugin(
"TrapCommand", TrapCommand(self.telemetry_messenger), PluginType.POST_BREACH_ACTION
)
puppet.load_plugin(
"SignedScriptProxyExecution",
SignedScriptProxyExecution(self.telemetry_messenger),
PluginType.POST_BREACH_ACTION,
)
puppet.load_plugin(
"ClearCommandHistory",
ClearCommandHistory(self.telemetry_messenger),
PluginType.POST_BREACH_ACTION,
) )
puppet.load_plugin("ransomware", RansomwarePayload(), PluginType.PAYLOAD) puppet.load_plugin("ransomware", RansomwarePayload(), PluginType.PAYLOAD)

View File

@ -3,11 +3,12 @@ from infection_monkey.post_breach.pba import PBA
from infection_monkey.post_breach.setuid_setgid.setuid_setgid import ( from infection_monkey.post_breach.setuid_setgid.setuid_setgid import (
get_commands_to_change_setuid_setgid, get_commands_to_change_setuid_setgid,
) )
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
class ChangeSetuidSetgid(PBA): class ChangeSetuidSetgid(PBA):
def __init__(self): def __init__(self, telemetry_messenger: ITelemetryMessenger):
linux_cmds = get_commands_to_change_setuid_setgid() linux_cmds = get_commands_to_change_setuid_setgid()
super(ChangeSetuidSetgid, self).__init__( super(ChangeSetuidSetgid, self).__init__(
POST_BREACH_SETUID_SETGID, linux_cmd=" ".join(linux_cmds) telemetry_messenger, POST_BREACH_SETUID_SETGID, linux_cmd=" ".join(linux_cmds)
) )

View File

@ -6,20 +6,21 @@ from infection_monkey.post_breach.clear_command_history.clear_command_history im
get_commands_to_clear_command_history, get_commands_to_clear_command_history,
) )
from infection_monkey.post_breach.pba import PBA from infection_monkey.post_breach.pba import PBA
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
class ClearCommandHistory(PBA): class ClearCommandHistory(PBA):
def __init__(self): def __init__(self, telemetry_messenger: ITelemetryMessenger):
super().__init__(name=POST_BREACH_CLEAR_CMD_HISTORY) super().__init__(telemetry_messenger, name=POST_BREACH_CLEAR_CMD_HISTORY)
def run(self): def run(self):
results = [pba.run() for pba in self.clear_command_history_PBA_list()] results = [pba.run() for pba in self.clear_command_history_pba_list()]
if results: if results:
# `self.command` is empty here # `self.command` is empty here
self.pba_data.append(PostBreachData(self.name, self.command, results)) self.pba_data.append(PostBreachData(self.name, self.command, results))
return self.pba_data return self.pba_data
def clear_command_history_PBA_list(self): def clear_command_history_pba_list(self):
return self.CommandHistoryPBAGenerator().get_clear_command_history_pbas() return self.CommandHistoryPBAGenerator().get_clear_command_history_pbas()
class CommandHistoryPBAGenerator: class CommandHistoryPBAGenerator:

View File

@ -5,6 +5,7 @@ import psutil
from common.common_consts.post_breach_consts import POST_BREACH_PROCESS_LIST_COLLECTION from common.common_consts.post_breach_consts import POST_BREACH_PROCESS_LIST_COLLECTION
from infection_monkey.i_puppet.i_puppet import PostBreachData from infection_monkey.i_puppet.i_puppet import PostBreachData
from infection_monkey.post_breach.pba import PBA from infection_monkey.post_breach.pba import PBA
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -17,8 +18,8 @@ except NameError:
class ProcessListCollection(PBA): class ProcessListCollection(PBA):
def __init__(self): def __init__(self, telemetry_messenger: ITelemetryMessenger):
super().__init__(POST_BREACH_PROCESS_LIST_COLLECTION) super().__init__(telemetry_messenger, POST_BREACH_PROCESS_LIST_COLLECTION)
def run(self): def run(self):
""" """

View File

@ -7,6 +7,7 @@ import subprocess
from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER from common.common_consts.post_breach_consts import POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
from infection_monkey.i_puppet.i_puppet import PostBreachData from infection_monkey.i_puppet.i_puppet import PostBreachData
from infection_monkey.post_breach.pba import PBA from infection_monkey.post_breach.pba import PBA
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
from infection_monkey.utils.auto_new_user_factory import create_auto_new_user from infection_monkey.utils.auto_new_user_factory import create_auto_new_user
from infection_monkey.utils.environment import is_windows_os from infection_monkey.utils.environment import is_windows_os
from infection_monkey.utils.new_user_error import NewUserError from infection_monkey.utils.new_user_error import NewUserError
@ -33,9 +34,9 @@ class CommunicateAsBackdoorUser(PBA):
are created. are created.
""" """
def __init__(self): def __init__(self, telemetry_messenger: ITelemetryMessenger):
super(CommunicateAsBackdoorUser, self).__init__( super(CommunicateAsBackdoorUser, self).__init__(
name=POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER telemetry_messenger, name=POST_BREACH_COMMUNICATE_AS_BACKDOOR_USER
) )
def run(self): def run(self):

View File

@ -3,11 +3,15 @@ from infection_monkey.post_breach.account_discovery.account_discovery import (
get_commands_to_discover_accounts, get_commands_to_discover_accounts,
) )
from infection_monkey.post_breach.pba import PBA from infection_monkey.post_breach.pba import PBA
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
class AccountDiscovery(PBA): class AccountDiscovery(PBA):
def __init__(self): def __init__(self, telemetry_messenger: ITelemetryMessenger):
linux_cmds, windows_cmds = get_commands_to_discover_accounts() linux_cmds, windows_cmds = get_commands_to_discover_accounts()
super().__init__( super().__init__(
POST_BREACH_ACCOUNT_DISCOVERY, linux_cmd=" ".join(linux_cmds), windows_cmd=windows_cmds telemetry_messenger,
POST_BREACH_ACCOUNT_DISCOVERY,
linux_cmd=" ".join(linux_cmds),
windows_cmd=windows_cmds,
) )

View File

@ -1,6 +1,7 @@
from common.common_consts.post_breach_consts import POST_BREACH_HIDDEN_FILES from common.common_consts.post_breach_consts import POST_BREACH_HIDDEN_FILES
from infection_monkey.i_puppet.i_puppet import PostBreachData from infection_monkey.i_puppet.i_puppet import PostBreachData
from infection_monkey.post_breach.pba import PBA from infection_monkey.post_breach.pba import PBA
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
from infection_monkey.utils.environment import is_windows_os from infection_monkey.utils.environment import is_windows_os
from infection_monkey.utils.hidden_files import ( from infection_monkey.utils.hidden_files import (
cleanup_hidden_files, cleanup_hidden_files,
@ -17,8 +18,8 @@ class HiddenFiles(PBA):
This PBA attempts to create hidden files and folders. This PBA attempts to create hidden files and folders.
""" """
def __init__(self): def __init__(self, telemetry_messenger: ITelemetryMessenger):
super(HiddenFiles, self).__init__(name=POST_BREACH_HIDDEN_FILES) super(HiddenFiles, self).__init__(telemetry_messenger, name=POST_BREACH_HIDDEN_FILES)
def run(self): def run(self):
# create hidden files and folders # create hidden files and folders

View File

@ -6,6 +6,7 @@ from infection_monkey.post_breach.pba import PBA
from infection_monkey.post_breach.shell_startup_files.shell_startup_files_modification import ( from infection_monkey.post_breach.shell_startup_files.shell_startup_files_modification import (
get_commands_to_modify_shell_startup_files, get_commands_to_modify_shell_startup_files,
) )
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
class ModifyShellStartupFiles(PBA): class ModifyShellStartupFiles(PBA):
@ -15,8 +16,8 @@ class ModifyShellStartupFiles(PBA):
and profile.ps1 in windows. and profile.ps1 in windows.
""" """
def __init__(self): def __init__(self, telemetry_messenger: ITelemetryMessenger):
super().__init__(name=POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION) super().__init__(telemetry_messenger, name=POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION)
def run(self): def run(self):
results = [pba.run() for pba in self.modify_shell_startup_PBA_list()] results = [pba.run() for pba in self.modify_shell_startup_PBA_list()]

View File

@ -4,6 +4,7 @@ from infection_monkey.post_breach.job_scheduling.job_scheduling import (
remove_scheduled_jobs, remove_scheduled_jobs,
) )
from infection_monkey.post_breach.pba import PBA from infection_monkey.post_breach.pba import PBA
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
class ScheduleJobs(PBA): class ScheduleJobs(PBA):
@ -11,10 +12,11 @@ class ScheduleJobs(PBA):
This PBA attempts to schedule jobs on the system. This PBA attempts to schedule jobs on the system.
""" """
def __init__(self): def __init__(self, telemetry_messenger: ITelemetryMessenger):
linux_cmds, windows_cmds = get_commands_to_schedule_jobs() linux_cmds, windows_cmds = get_commands_to_schedule_jobs()
super(ScheduleJobs, self).__init__( super(ScheduleJobs, self).__init__(
telemetry_messenger,
name=POST_BREACH_JOB_SCHEDULING, name=POST_BREACH_JOB_SCHEDULING,
linux_cmd=" ".join(linux_cmds), linux_cmd=" ".join(linux_cmds),
windows_cmd=windows_cmds, windows_cmd=windows_cmds,

View File

@ -1,9 +1,15 @@
from common.common_consts.post_breach_consts import POST_BREACH_TIMESTOMPING from common.common_consts.post_breach_consts import POST_BREACH_TIMESTOMPING
from infection_monkey.post_breach.pba import PBA from infection_monkey.post_breach.pba import PBA
from infection_monkey.post_breach.timestomping.timestomping import get_timestomping_commands from infection_monkey.post_breach.timestomping.timestomping import get_timestomping_commands
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
class Timestomping(PBA): class Timestomping(PBA):
def __init__(self): def __init__(self, telemetry_messenger: ITelemetryMessenger):
linux_cmds, windows_cmds = get_timestomping_commands() linux_cmds, windows_cmds = get_timestomping_commands()
super().__init__(POST_BREACH_TIMESTOMPING, linux_cmd=linux_cmds, windows_cmd=windows_cmds) super().__init__(
telemetry_messenger,
POST_BREACH_TIMESTOMPING,
linux_cmd=linux_cmds,
windows_cmd=windows_cmds,
)

View File

@ -7,15 +7,20 @@ from infection_monkey.post_breach.signed_script_proxy.signed_script_proxy import
cleanup_changes, cleanup_changes,
get_commands_to_proxy_execution_using_signed_script, get_commands_to_proxy_execution_using_signed_script,
) )
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
from infection_monkey.utils.environment import is_windows_os from infection_monkey.utils.environment import is_windows_os
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
class SignedScriptProxyExecution(PBA): class SignedScriptProxyExecution(PBA):
def __init__(self): def __init__(self, telemetry_messenger: ITelemetryMessenger):
windows_cmds = get_commands_to_proxy_execution_using_signed_script() windows_cmds = get_commands_to_proxy_execution_using_signed_script()
super().__init__(POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC, windows_cmd=" ".join(windows_cmds)) super().__init__(
telemetry_messenger,
POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC,
windows_cmd=" ".join(windows_cmds),
)
def run(self): def run(self):
original_comspec = "" original_comspec = ""

View File

@ -1,9 +1,12 @@
from common.common_consts.post_breach_consts import POST_BREACH_TRAP_COMMAND from common.common_consts.post_breach_consts import POST_BREACH_TRAP_COMMAND
from infection_monkey.post_breach.pba import PBA from infection_monkey.post_breach.pba import PBA
from infection_monkey.post_breach.trap_command.trap_command import get_trap_commands from infection_monkey.post_breach.trap_command.trap_command import get_trap_commands
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
class TrapCommand(PBA): class TrapCommand(PBA):
def __init__(self): def __init__(self, telemetry_messenger: ITelemetryMessenger):
linux_cmds = get_trap_commands() linux_cmds = get_trap_commands()
super(TrapCommand, self).__init__(POST_BREACH_TRAP_COMMAND, linux_cmd=" ".join(linux_cmds)) super(TrapCommand, self).__init__(
telemetry_messenger, POST_BREACH_TRAP_COMMAND, linux_cmd=" ".join(linux_cmds)
)

View File

@ -8,6 +8,7 @@ from infection_monkey.control import ControlClient
from infection_monkey.network.tools import get_interface_to_target from infection_monkey.network.tools import get_interface_to_target
from infection_monkey.post_breach.pba import PBA from infection_monkey.post_breach.pba import PBA
from infection_monkey.telemetry.attack.t1105_telem import T1105Telem from infection_monkey.telemetry.attack.t1105_telem import T1105Telem
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
from infection_monkey.utils.environment import is_windows_os from infection_monkey.utils.environment import is_windows_os
from infection_monkey.utils.monkey_dir import get_monkey_dir_path from infection_monkey.utils.monkey_dir import get_monkey_dir_path
@ -23,8 +24,8 @@ class UsersPBA(PBA):
Defines user's configured post breach action. Defines user's configured post breach action.
""" """
def __init__(self): def __init__(self, telemetry_messenger: ITelemetryMessenger):
super(UsersPBA, self).__init__(POST_BREACH_FILE_EXECUTION) super(UsersPBA, self).__init__(telemetry_messenger, POST_BREACH_FILE_EXECUTION)
self.filename = "" self.filename = ""
if not is_windows_os(): if not is_windows_os():
@ -65,8 +66,7 @@ class UsersPBA(PBA):
return True return True
return False return False
@staticmethod def download_pba_file(self, dst_dir, filename):
def download_pba_file(dst_dir, filename):
""" """
Handles post breach action file download Handles post breach action file download
:param dst_dir: Destination directory :param dst_dir: Destination directory
@ -84,12 +84,14 @@ class UsersPBA(PBA):
if not status: if not status:
status = ScanStatus.USED status = ScanStatus.USED
T1105Telem( self._telemetry_messenger.send_telemetry(
status, T1105Telem(
WormConfiguration.current_server.split(":")[0], status,
get_interface_to_target(WormConfiguration.current_server.split(":")[0]), WormConfiguration.current_server.split(":")[0],
filename, get_interface_to_target(WormConfiguration.current_server.split(":")[0]),
).send() filename,
)
)
if status == ScanStatus.SCANNED: if status == ScanStatus.SCANNED:
return False return False

View File

@ -5,6 +5,7 @@ from typing import Iterable
from common.utils.attack_utils import ScanStatus from common.utils.attack_utils import ScanStatus
from infection_monkey.i_puppet.i_puppet import PostBreachData from infection_monkey.i_puppet.i_puppet import PostBreachData
from infection_monkey.telemetry.attack.t1064_telem import T1064Telem from infection_monkey.telemetry.attack.t1064_telem import T1064Telem
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
from infection_monkey.utils.environment import is_windows_os from infection_monkey.utils.environment import is_windows_os
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -16,7 +17,9 @@ class PBA:
machine. machine.
""" """
def __init__(self, name="unknown", linux_cmd="", windows_cmd=""): def __init__(
self, telemetry_messenger: ITelemetryMessenger, name="unknown", linux_cmd="", windows_cmd=""
):
""" """
:param name: Name of post breach action. :param name: Name of post breach action.
:param linux_cmd: Command that will be executed on breached machine :param linux_cmd: Command that will be executed on breached machine
@ -25,6 +28,7 @@ class PBA:
self.command = PBA.choose_command(linux_cmd, windows_cmd) self.command = PBA.choose_command(linux_cmd, windows_cmd)
self.name = name self.name = name
self.pba_data = [] self.pba_data = []
self.telemetry_messenger = telemetry_messenger
def run(self) -> Iterable[PostBreachData]: def run(self) -> Iterable[PostBreachData]:
""" """
@ -34,9 +38,12 @@ class PBA:
exec_funct = self._execute_default exec_funct = self._execute_default
result = exec_funct() result = exec_funct()
if self.scripts_were_used_successfully(result): if self.scripts_were_used_successfully(result):
T1064Telem( self.telemetry_messenger.send_telemetry(
ScanStatus.USED, f"Scripts were used to execute {self.name} post breach action." T1064Telem(
).send() ScanStatus.USED,
f"Scripts were used to execute {self.name} post breach action.",
)
)
self.pba_data.append(PostBreachData(self.name, self.command, result)) self.pba_data.append(PostBreachData(self.name, self.command, result))
return self.pba_data return self.pba_data
else: else: