Closed
Labels
Bug: An error, flaw, misbehavior or failure in the Monkey or Monkey Island.
Description
Describe the bug
A file named T1216_random_executable.exe appears in the directory where the agent is run, even though no post-breach actions were configured:
2022-04-06 09:08:57,227 [5212:CredentialCollectorThread:DEBUG] plugin_registry.get_plugin.39: Plugin 'SSHCollector' found
2022-04-06 09:08:57,228 [5212:PBAThread:DEBUG] automated_master._run_plugins.224: Found 0 post-breach action(s) to run
2022-04-06 09:08:57,229 [5212:CredentialCollectorThread:INFO] ssh_credential_collector.collect_credentials.21: Started scanning for SSH credentials
2022-04-06 09:08:57,229 [5212:PBAThread:INFO] automated_master._run_plugins.231: Finished running post-breach actions
2022-04-06 09:08:57,230 [5212:CredentialCollectorThread:DEBUG] ssh_handler.get_ssh_info.21: Skipping SSH credentials collection because the operating system is not Linux
This file might be included in the binary by PyInstaller and then unpacked during execution?
To Reproduce
Steps to reproduce the behavior:
- Enable the signed script proxy execution PBA
- Run the agent manually, via the command line (I did "monkey-windows-64.exe m0nk3y -s localhost:5000")
- See the executable
Machine version (please complete the following information):
- OS: Windows
Tasks
- Fix it (0d) - @mssalvatore