Add T1216 attack technique (signed script proxy execution) #776
Codecov Report
@@ Coverage Diff @@
## develop #776 +/- ##
===========================================
- Coverage 60.34% 60.33% -0.01%
===========================================
Files 161 162 +1
Lines 4902 4911 +9
===========================================
+ Hits 2958 2963 +5
- Misses 1944 1948 +4
Some changes post including: The "Random executable" is problematic for quite a few reasons:
- You need to make sure pyinstaller picks it up and dumps it where you're expecting
- 5.9MB file really makes the agent 38.5% bigger which is very bad for propagating. We should find a smaller executable, and possibly choose to download it from the Island when this technique is executed instead of packaging this with Monkey by default.
- I think this technique should be configured OFF by default. Now that the report clearly indicates why techniques weren't executed this is not as problematic as it used to be.
monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py (comment on an outdated revision; resolved)
global ORIGINAL_COMSPEC | ||
ORIGINAL_COMSPEC = subprocess.check_output('echo %COMSPEC%', shell=True).decode() # noqa: DUO116 | ||
return [ | ||
r'set comspec=infection_monkey\post_breach\signed_script_proxy\windows\random_executable.exe &&', |
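Review bot: `ORIGINAL_COMSPEC` is captured from `echo %COMSPEC%` through a shell, so the stored value carries the echo's trailing line terminator (`\r\n` on Windows); if it is later written back to restore `COMSPEC` it must be stripped first, or better, read `os.environ['COMSPEC']` directly and drop the `subprocess.check_output(..., shell=True)` call and the `global` altogether. The `set comspec=infection_monkey\post_breach\...` prefix on the last line also uses a path relative to the agent's current working directory rather than to the module; resolve it with `pathlib.Path(__file__).parent / 'random_executable.exe'`, or skip the `set ... &&` string entirely by passing the child an `env=` copy of the environment with `COMSPEC` overridden, which scopes the change to that one process and removes the need to restore anything.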
While this is Windows-only, I'd still prefer to use Pathlib to manipulate/create paths.
What's random_executable.exe? How do we compile it? Where's its source code?
It's just a program that outputs "Successfully executed an arbitrary program with the help of a pre-existing signed script on Windows."
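The snippet under review sets `comspec` through a `set ... &&` prefix and saves the old value via `echo %COMSPEC%`. The following is an added example (not Infection Monkey's code) of preparing the same T1216 COMSPEC swap in Python without a shell prefix or a global to restore: the executable is located relative to the module with pathlib, the override is confined to the child's environment, and the CRLF that an `echo`-based capture would leave behind is shown being stripped. Assumed and hypothetical: the bundled file name `random_executable.exe`, that the signed script is a Windows Script Host script launched via `cscript.exe`, and the sample byte string labelled as constructed.

```python
import os
import subprocess
import sys
from pathlib import Path
from typing import Dict, List, Mapping, Union

PathLike = Union[str, os.PathLike]

# Constructed sample of what `echo %COMSPEC%` returns through a shell on
# Windows: the value followed by echo's own CRLF line terminator.
SAMPLE_ECHO_OUTPUT = b"C:\\Windows\\system32\\cmd.exe\r\n"


def comspec_from_echo(raw: bytes) -> str:
    """Turn `echo %COMSPEC%` output into a value safe to put back into the
    environment. Without the rstrip, restoring the variable would leave a
    trailing CRLF in COMSPEC and later cmd launches would break."""
    return raw.decode(errors="replace").rstrip("\r\n")


def proxy_executable_path(module_file: PathLike,
                          exe_name: str = "random_executable.exe") -> Path:
    """Locate the bundled executable next to the calling module rather than
    via a path relative to the process's current working directory (which is
    wherever the agent happened to be started, not the package root).
    exe_name is an assumed file name, not one taken from the project."""
    return Path(module_file).resolve().parent / exe_name


def proxied_env(proxy_exe: PathLike, base_env: Mapping[str, str]) -> Dict[str, str]:
    """Copy of base_env with COMSPEC pointed at the proxy executable.

    Handing the copy to subprocess via env= scopes the override to that one
    child; the parent's COMSPEC never changes, so nothing has to be restored."""
    env = dict(base_env)
    env["COMSPEC"] = str(proxy_exe)
    return env


def script_host_command(signed_script: PathLike) -> List[str]:
    """Argument vector that launches the signed script with the Windows Script
    Host (assumption: a .vbs/.wsf script run by cscript.exe). An argv list
    needs neither shell=True nor a `set ... &&` prefix."""
    return ["cscript.exe", "//nologo", str(Path(signed_script))]


def run_signed_script_proxy(signed_script: PathLike,
                            module_file: PathLike) -> "subprocess.CompletedProcess":
    """Windows-only: run the signed script with COMSPEC overridden for that
    child alone and hand back its CompletedProcess. Raises elsewhere so the
    module stays importable on every platform."""
    if sys.platform != "win32":
        raise OSError("T1216 COMSPEC proxying is a Windows-only technique")
    return subprocess.run(
        script_host_command(signed_script),
        env=proxied_env(proxy_executable_path(module_file), os.environ),
        capture_output=True,
        text=True,
        check=False,
    )
```

`proxied_env` replaces the `global ORIGINAL_COMSPEC` plus restore pattern: because the override lives only in the child's environment block, a crash between "set" and "restore" cannot leave the agent process with a hijacked `COMSPEC`.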
Further comments on outdated revisions (all resolved):
- monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py
- monkey/monkey_island/cc/services/attack/technique_reports/T1216.py
- monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py
- monkey/infection_monkey/post_breach/actions/use_signed_scripts.py
- monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py
showPagination={false} | ||
defaultPageSize={this.props.data.info.length} | ||
/> : ''} | ||
<MitigationsComponent mitigations={this.props.data.mitigations}/> |
Off topic, but maybe we should only display mitigations if the technique was used?
Yeah that's how it is right now, but now that you mention it, maybe it's a good idea to show it even otherwise? It's informative.
Here's a suggestion. Have the mitigations component expandable. It should be open by default on used/attempted techniques and closed on the grey ones.
Branch updated: cc54877 to 163b816 (Compare), then 359772f to 028b7b7 (Compare). Commit message:
- smaller executable file; fetches it from the island when pba needs to run - technique configured off by default - other implementation changes
Very cool technique 🚀 The PR still needs a little more polishing :)
Fixes #703