No files associated with Phishing initiated shell #38

dvanbrug opened this issue Apr 27, 2024 · 1 comment
dvanbrug commented Apr 27, 2024

I have noticed that red shell sessions that are created as a result of phishing e-mails do not appear to have any files associated with them. This means they are undetectable by the Analyse action. Additionally, this means new red shells are not detectable by the Analyse action until they have run PrivilegeEscalate which then drops the associated file.

Here is how the session is set up as a result of phishing:

```python
# Phishing path: a red session is registered directly on the green host.
# No File or Process object is created, and pid stays None.
new_session = RedAbstractSession(
    ident=None,
    pid=None,
    hostname=green_hostname,
    username='user',
    agent=red_agent_src,
    parent=None,
    session_type='RedAbstractSession'
)
state.add_session(new_session)
session_info = {
    'hostid': green_hostname,
    'session_id': new_session.ident,
    'session_type': new_session.session_type,
    'agent': new_session.agent}
# Add the session details to the successful Observation object
obs.add_session_info(**session_info)
```

And here is how it is set up as a result of the ExploitAction:

```python
# ExploitAction path: a file is dropped on the target host, a process is
# started from it, and the new session is bound to that process's pid.
new_file = File(
    name=f'cmd.{extension}',
    path=path,
    user=target_host.get_user(vuln_proc.user),
    user_permissions=7,
    density=0.9,
    signed=False
)
target_host.files.append(new_file)
proc = Process(
    pid=target_host.create_pid(),
    process_name=new_file.name,
    parent_pid=1,
    path=new_file.path,
    username=vuln_proc.user,
)
proc.connections.append(target_connection)
target_host.processes.append(proc)
is_sandbox = bool(vuln_proc.decoy_type & DecoyType.SANDBOXING_EXPLOIT)
new_session = Session(
    ident=None,
    hostname=target_host.hostname,
    agent=self.agent,
    username=vuln_proc.user,
    session_type=session_type,
    parent=self.session,
    pid=proc.pid,
    is_escalate_sandbox=is_sandbox
)
state.add_session(new_session)
```

Is this the intended behavior? If so, it would be helpful to highlight this difference in the documentation, maybe under the Analyse action information?

I understand this likely won't be addressed until after the competition ends, but wanted to check for addressing afterwards.

Thank you!
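To make the detection gap described in this issue concrete, here is an added toy model (not code from the issue or from CybORG) of the two session-creation paths beside a simplified density-based Analyse check. The `File`, `Session` and `Host` stand-ins, the 0.9 density threshold and the hypothetical `privilege_escalate` helper are assumptions, not CybORG's API.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class File:          # minimal stand-in for CybORG's File (assumed shape)
    name: str
    density: float
    signed: bool

@dataclass
class Session:       # minimal stand-in for a red Session (assumed shape)
    ident: int
    pid: Optional[int]  # None for a phishing-created session

@dataclass
class Host:
    hostname: str
    files: List[File] = field(default_factory=list)
    pids: List[int] = field(default_factory=list)  # running process ids

def drop_shell_artifacts(host: Host) -> int:
    """What ExploitAction (and later PrivilegeEscalate) leaves behind:
    an unsigned high-density file plus a process running it; returns the pid."""
    host.files.append(File(name="cmd.sh", density=0.9, signed=False))
    pid = len(host.pids) + 2
    host.pids.append(pid)
    return pid

def exploit_session(host: Host, ident: int) -> Session:
    # Session created by ExploitAction is bound to the dropped process
    return Session(ident, pid=drop_shell_artifacts(host))

def phishing_session(host: Host, ident: int) -> Session:
    # Phishing path: session only, no file and no process on the host
    return Session(ident, pid=None)

def privilege_escalate(host: Host, session: Session) -> Session:
    # Hypothetical escalation step: drops a file, so the session gains a pid
    session.pid = drop_shell_artifacts(host)
    return session

def analyse(host: Host, threshold: float = 0.9) -> List[str]:
    # Simplified file-based check: unsigned files at or above the density threshold
    return [f.name for f in host.files if not f.signed and f.density >= threshold]

def invisible_to_analyse(host: Host, sessions: List[Session]) -> List[int]:
    # Sessions with no process on the host leave nothing for Analyse to flag
    return [s.ident for s in sessions if s.pid not in host.pids]
```

Running `exploit_session` and `phishing_session` against one host shows Analyse flagging only the exploit's file; the phishing session is reported as invisible until `privilege_escalate` drops an artifact for it.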

cage-challenge (Owner) commented

Hi @dvanbrug, that is indeed the intended behavior. This feature was included to make it more difficult for the Blue agent to effectively respond to a Red agent. I'll edit the documentation to better reflect these changes after the challenge concludes.
