Add T1156 and T1504 attack techniques (shell startup file modifications) #687

shreyamalviya · 2020-06-13T14:49:37Z

Fixes #682 and fixes #686

T1156 and T1504 both aim at modifying shell startup files

~~TODO: Add technique for windows i.e. T1504 (modification of PowerShell profile)~~

ShayNehmad

Added a question in there. Also, what's the testing status? Have you tested this on Windows and Linux?

ShayNehmad · 2020-06-15T13:10:09Z

monkey/infection_monkey/utils/linux/shell_startup_files_modification.py

+BASH_STARTUP_FILES = ["~/.bashrc", "~/.profile", "~/.bash_profile"]
+
+
+def get_linux_commands_to_modify_shell_startup_files():
+    return [
+        'echo \"# Succesfully modified {0}\"',
+        '3<{0} 3<&- |',  # check for existence of file
+        'tee -a',  # append to file
+        '{0}',
+        '&&',
+        'sed -i \'$d\' {0}',  # remove last line of file
+    ],\
+    BASH_STARTUP_FILES


This will work in case the user is using bash, but what if the default shell is different (zsh etc.)

The command will work but we'll have to add the startup file names for the other shells to BASH_STARTUP_FILES, then

@ShayNehmad Any reason to actually support all the shells?
sh, bash, dash. Those are standard?

@acepace If it's not difficult (adding paths of zsh, fish, dash, sh... ksh and tcsh maybe) then yeah, but if it requires a lot of research and testing (and not only adding paths to the STARTUP_FILES const) then it's not worth it.
@shreyamalviya your call :)

@ShayNehmad @acepace it just requires adding the paths to the STARTUP_FILES constant but would it be a good idea to include other shells, given that the name of the technique is .bashrc and .bashprofile?

Maybe we could just exclude the info about the other shells from the ATT&CK report?

I like your last sentence.

shreyamalviya · 2020-06-15T13:33:31Z

Yep, tested on both!

monkey/infection_monkey/post_breach/actions/modify_shell_startup_files.py

monkey/infection_monkey/utils/linux/shell_startup_files_modification.py

monkey/infection_monkey/utils/shell_startup_files_modification.py

monkey/infection_monkey/utils/windows/shell_startup_files_modification.py

VakarisZ

Good job! But design can still be improved by splitting classes and methods into different level's of abstraction:
ModifyShellStartupFiles should get a list of ModifyShellStartupFile PBA objects and run it. No more.
ShellStartupPBAgenerator should create a list of ModifyShellStartupFile PBA objects. No more.
ModifyShellStartupFile PBA object should run a corresponding command, based on os. If windows command is empty and it's running on windows, it should do nothing.

acepace · 2020-06-17T08:46:32Z

...infection_monkey/post_breach/shell_startup_files/windows/shell_startup_files_modification.py

+SHELL_STARTUP_FILE = '$Profile'
+
+
+def get_windows_commands_to_modify_shell_startup_files():


Why are we doing this through powershell commands rather than opening the file in python?

I guess this was taken from atomic red team, where scripts are in powershell

Should I change it to open it in python itself?

monkey/monkey_island/cc/services/attack/technique_reports/T1156.py

acepace · 2020-06-17T08:47:53Z

It's not clear to me where is the part where we're touching all users startup files rather than current user.
By doing this only for the current user, which may be root or a service user, we're unlikely to make a large impact.

codecov · 2020-06-23T08:05:50Z

Codecov Report

Merging #687 into develop will increase coverage by 0.00%.
The diff coverage is n/a.

@@           Coverage Diff            @@
##           develop     #687   +/-   ##
========================================
  Coverage    58.05%   58.06%           
========================================
  Files          138      139    +1     
  Lines         4482     4483    +1     
========================================
+ Hits          2602     2603    +1     
  Misses        1880     1880

Impacted Files	Coverage Δ
monkey/monkey_island/cc/services/config_schema.py	`100.00% <ø> (ø)`
monkey/__init__.py	`100.00% <0.00%> (ø)`

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0ec5259...53e6f89. Read the comment docs.

ShayNehmad

Let's merge :) I'm OK with powershell commands instead of Python

Add to `attack_schema.py`, `attack_report.py` Add report `T1504.js`

Shows it twice in ATT&CK matrix in the configuration, but shows it only once in the ATT&CK matrix in the report section.

TODO: ATT&CK report stuff (mongo search + show only bash file modification info) TODO: Windows

(For linux, shows only bash startup files in ATT&CK report)

(Accidentally force-pushed over the previous commit changing this)

shreyamalviya force-pushed the T1156 branch from 1b7a5d8 to 4df7a9d Compare June 15, 2020 12:22

shreyamalviya marked this pull request as ready for review June 15, 2020 13:06

ShayNehmad suggested changes Jun 15, 2020

View reviewed changes