Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Timestomping PBA fails on Windows #1405

Closed
3 tasks
ilija-lazoroski opened this issue Aug 9, 2021 · 1 comment · Fixed by #1424
Closed
3 tasks

Timestomping PBA fails on Windows #1405

ilija-lazoroski opened this issue Aug 9, 2021 · 1 comment · Fixed by #1424
Labels
Bug An error, flaw, misbehavior or failure in the Monkey or Monkey Island. Complexity: Low Impact: High sp/3

Comments

@ilija-lazoroski
Copy link
Contributor

ilija-lazoroski commented Aug 9, 2021
edited by mssalvatore
Loading

Describe the bug

Timestomping post breach action fail on Windows machine (victim). Running the timestomping.ps1 script passes when run from source. It was tried both with 1.10.0 and 1.11.0 agent binaries.

Issue #1419 has the same root cause as this issue.

To Reproduce

Steps to reproduce the behavior:

  1. Run Monkey Island
  2. Configure to run just Timestomping PBA
  3. Check Security report for PBA explanation

Expected behavior

Timestomping should execute timestomping.ps1 script which create temp file and changes the time of the file.

Screenshots

image

Machine version (please complete the following information):

  • OS: Windows (victim)

Tasks

  • Add the powershell scripts to the list of binaries in the spec file and test. (0.25d) @mssalvatore
    • monkey/infection_monkey/post_breach/shell_startup_files/windows/modify_powershell_startup_file.ps1
    • monkey/infection_monkey/post_breach/timestomping/windows/timestomping.ps1
@ilija-lazoroski ilija-lazoroski added Bug An error, flaw, misbehavior or failure in the Monkey or Monkey Island. Impact: High Complexity: Medium labels Aug 9, 2021
@mssalvatore mssalvatore mentioned this issue Aug 18, 2021
Closed
@mssalvatore
Copy link
Collaborator

mssalvatore commented Aug 18, 2021
edited
Loading

Root cause

This is very likely caused by the requisite script being left out of the agent binary. The script probably needs to be added to:

monkey/monkey/infection_monkey/monkey.spec

Line 21 in dd390ff

datas=[("../common/BUILD", "/common")],

mssalvatore added a commit that referenced this issue Aug 23, 2021
@mssalvatore
Agent: Add pyinstaller hook for post_breach package
71c33c2 
Fixes #1405
Fixes #1419
mssalvatore added a commit that referenced this issue Aug 23, 2021
@mssalvatore
Update changelog with fixes for #1405 and #1419
342b568
@mssalvatore mssalvatore mentioned this issue Aug 23, 2021
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug An error, flaw, misbehavior or failure in the Monkey or Monkey Island. Complexity: Low Impact: High sp/3
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Post breach pyinstaller hook guardicore/monkey
2 participants
@ilija-lazoroski @mssalvatore