-
Notifications
You must be signed in to change notification settings - Fork 788
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add credentials collectors explanation pages #4240
Add credentials collectors explanation pages #4240
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## develop #4240 +/- ##
========================================
Coverage 77.07% 77.07%
========================================
Files 442 442
Lines 14135 14135
Branches 18 18
========================================
Hits 10895 10895
Misses 3240 3240 ☔ View full report in Codecov by Sentry. |
185c1c9
to
9f82c72
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think all of these pages need more information. What is mimikatz? Why would we steal credentials from chrome? How likely are those credentials to be useful in propagation? What's the risk if and SSH key is stolen?
3fb3f21
to
ef7c703
Compare
ef7c703
to
e865dad
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks fantastic!
2427a2c
to
13948cd
Compare
I expanded the explanation of Credentials Collectors: I have two seemingly conflicting goals for this:
There may be a little bit too much detail about exploiters here, but I think it's important for users to understand how the stolen credentials are used. I think the solution would be to provide this information under Similarly, instead of explaining exploiters, I'd rather just use the term "Exploiter" and link to the relevant documentation, but the relevant documentation doesn't exist yet. I've also left a note in #4213. |
When an Infection Monkey Agent is started, it begins the reconnaissance phase | ||
of its attack. The first step in this phase is to use all enabled credentials | ||
collectors to steal credentials. Any stolen credentials are then sent to the | ||
Monkey Island, where they become immediately available for any Agent to use. | ||
|
||
After the reconnaissance phase, the Agent will begin the propagation phase and | ||
attempt to compromise other hosts on the network. Exploiters are Infection | ||
Monkey plugins that attempt to spread copies of the Agent throughout the | ||
network. Some exploiters can use the credentials stolen by credentials | ||
collectors to gain access to other systems on the network. First, the exploiter | ||
will query the Monkey Island to retrieve credentials that were configured by | ||
the user and any credentials that were stolen by credentials collectors. Next, | ||
the exploiters will use the stolen credentials to attempt to authenticate with | ||
a target system. If authentication is successful, the exploiter will execute | ||
the Agent on the target system, spreading the infection throughout the network. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm still unsure if we should go into this much detail. I suggest we have a separate page explaining the different phases of execution which we could link to wherever required (probably each plugin type's explanation?). This isn't something that's specific to credentials collectors so it doesn't feel right to me here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'd like to put explanation on chapter pages. Reading large amounts of text that is center justified feels strange. This change does not modify the format of existing chapter pages. However, any <p> element after a <h2> element on a chapter page will now be formatted consistently with the rest of the documentation.
I wasn't able to find any links to information about "Windows Credential Manager" during a cursory web search. Maybe such a thing exists, but it's somewhat elusive. In addition, all of the descriptions (including our own) about Mimikatz describe it retrieving credentials "from memory." Therefore, this commit changes the description of the mimikatz collector to improve its accuracy.
85099ce
to
bf74c8f
Compare
What does this PR do?
Fixes #4212
PR Checklist
Testing Checklist