WMI exploiter hangs #3543

@mssalvatore

Description

Describe the bug

It seems that the WMI exploiter can sometimes hang, resulting in agents that remain running even though their mission is complete. The agent must be stopped by clicking the "Kill All Monkeys" button on the Infection Map.

To Reproduce

Steps to reproduce the behavior:

  1. Use the test-2 environment
  2. Use v2.2.1
  3. Import the attached monkey-config.txt (GitHub won't allow a .conf file to be uploaded). Config in the comment below
  4. Run the agent from the Island
  5. After all propagation is complete, you'll notice that agents on some machines, such as tunneling-9 and credentials-reuse-14 never shut down.
  6. Click the "Kill All Monkeys" button
  7. Once all agents are shut down, you can download the agent logs and inspect them

2023-07-27 16:18:39,282 [3548:ScanThread-15:DEBUG] ip_scanner._scan_addresses.84: ips_to_scan queue is empty, scanning thread 139737029375744 exiting
2023-07-27 16:18:39,632 [3718:ExploiterThread-03:DEBUG] smb_remote_access_client._query_shares.134: Skipping share 'IPC$' on victim 10.2.2.14 because the share path is invalid
2023-07-27 16:18:39,632 [3718:ExploiterThread-03:DEBUG] smb_remote_access_client.copy_file.110: Clean destination: temp\monkey64-qvc9WE4F.exe
2023-07-27 16:18:40,019 [3548:ScanThread-04:INFO] tcp_scanner._check_tcp_ports.114: Discovered the following ports on 10.2.5.16: []
2023-07-27 16:18:40,021 [3548:ScanThread-04:DEBUG] pypubsub_agent_event_queue._publish_event.55: Publishing a TCPScanEvent event to all_events_topic
2023-07-27 16:18:40,021 [3548:ScanThread-04:DEBUG] agent_event_forwarder.send_event.46: Adding event of type TCPScanEvent to the queue to send to the Island
2023-07-27 16:18:40,021 [3548:ScanThread-04:DEBUG] pypubsub_agent_event_queue._publish_event.55: Publishing a TCPScanEvent event to TCPScanEvent-type
2023-07-27 16:18:40,022 [3548:ScanThread-04:DEBUG] ip_scanner._scan_addresses.84: ips_to_scan queue is empty, scanning thread 139737230735104 exiting
2023-07-27 16:18:40,023 [3548:PropagatorScanThread:INFO] propagator._scan_network.110: Finished network scan
2023-07-27 16:18:40,464 [3718:ExploiterThread-03:INFO] smb_remote_access_client._copy_file_to_share.150: Copied monkey agent to remote share 'ADMIN$' [C:\Windows] on victim 10.2.2.14
...
2023-07-27 16:18:40,789 [3548:PluginEventForwarder:DEBUG] pypubsub_agent_event_queue._publish_event.55: Publishing a PropagationEvent event to attack-t1569-tag
2023-07-27 16:18:40,858 [3548:ExploiterThread-01:DEBUG] exploiter._exploit_hosts_on_queue.104: Exiting exploiter thread -- Thread ID: 139737599817472 -- stop.is_set(): False -- network_scan_completed: True
2023-07-27 16:18:41,699 [3548:ExploiterThread-02:DEBUG] exploiter._exploit_hosts_on_queue.104: Exiting exploiter thread -- Thread ID: 139737583032064 -- stop.is_set(): False -- network_scan_completed: True
2023-07-27 16:18:41,905 [3548:ExploiterThread-04:DEBUG] exploiter._exploit_hosts_on_queue.104: Exiting exploiter thread -- Thread ID: 139737213949696 -- stop.is_set(): False -- network_scan_completed: True
2023-07-27 16:18:41,907 [3548:ExploiterThread-05:DEBUG] exploiter._exploit_hosts_on_queue.104: Exiting exploiter thread -- Thread ID: 139737197164288 -- stop.is_set(): False -- network_scan_completed: True
2023-07-27 16:18:41,912 [3548:ExploiterThread-06:DEBUG] exploiter._exploit_hosts_on_queue.104: Exiting exploiter thread -- Thread ID: 139737188771584 -- stop.is_set(): False -- network_scan_completed: True
2023-07-27 16:18:44,029 [3548:TCPConnectionHandler:DEBUG] tcp_connection_handler.run.43: New connection received from: ('10.2.1.10', 53734)

Full Log
2023-07-27T16.18.22.620Z-tunneling-9.log

Notice that ExploiterThread-03 logs that a file was successfully copied, but no log messages from ExploiterThread-03 are received thereafter. In addition, every exploiter thread except 03 shuts down.
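A small triage helper, added here as an example and not part of the Infection Monkey code base, that parses agent log lines in the format quoted above and reports exploiter threads which logged activity but never logged "Exiting exploiter thread", together with how long each was silent before the log ended. The sample lines are constructed from the excerpt above; the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample in the agent log format quoted in the issue (not the full log).
SAMPLE_LOG = """\
2023-07-27 16:18:39,632 [3718:ExploiterThread-03:DEBUG] smb_remote_access_client.copy_file.110: Clean destination: temp\\monkey64-qvc9WE4F.exe
2023-07-27 16:18:40,464 [3718:ExploiterThread-03:INFO] smb_remote_access_client._copy_file_to_share.150: Copied monkey agent to remote share 'ADMIN$' [C:\\Windows] on victim 10.2.2.14
2023-07-27 16:18:40,858 [3548:ExploiterThread-01:DEBUG] exploiter._exploit_hosts_on_queue.104: Exiting exploiter thread -- Thread ID: 139737599817472 -- stop.is_set(): False -- network_scan_completed: True
2023-07-27 16:18:41,699 [3548:ExploiterThread-02:DEBUG] exploiter._exploit_hosts_on_queue.104: Exiting exploiter thread -- Thread ID: 139737583032064 -- stop.is_set(): False -- network_scan_completed: True
2023-07-27 16:18:44,029 [3548:TCPConnectionHandler:DEBUG] tcp_connection_handler.run.43: New connection received from: ('10.2.1.10', 53734)
"""

# "<date> <time>,<ms> [<pid>:<thread>:<level>] <module.function.line>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<pid>\d+):(?P<thread>[^:\]]+):(?P<level>[A-Z]+)\] "
    r"(?P<src>\S+): (?P<msg>.*)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S,%f"  # %f accepts the 3-digit millisecond field


def parse_log(text):
    """Yield one dict per line that matches the agent log format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["when"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec


def find_stuck_exploiter_threads(text):
    """Return {thread: {"last_ts", "last_msg", "silent_for_s"}} for every
    ExploiterThread-* that logged something but never logged its exit line."""
    last_seen, exited, log_end = {}, set(), None
    for rec in parse_log(text):
        log_end = rec["when"]  # timestamp of the final parsed line
        thread = rec["thread"]
        if not thread.startswith("ExploiterThread-"):
            continue
        last_seen[thread] = rec
        if rec["msg"].startswith("Exiting exploiter thread"):
            exited.add(thread)
    return {
        t: {
            "last_ts": r["ts"],
            "last_msg": r["msg"],
            "silent_for_s": (log_end - r["when"]).total_seconds(),
        }
        for t, r in last_seen.items()
        if t not in exited
    }
```

Run against a full agent log, a thread whose last message is the SMB copy and whose silence spans the rest of the run is the one to inspect for the hang.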
