Closed
Labels: Bug (An error, flaw, misbehavior or failure in the Monkey or Monkey Island.), Complexity: Medium, Exploit, Impact: Medium, Plugins
Description
Describe the bug
It seems that the WMI exploiter can sometimes hang, resulting in agents that remain running even though their mission is complete. The agent must be stopped by clicking the "Kill All Monkeys" button on the Infection Map.
To Reproduce
Steps to reproduce the behavior:
- Use the test-2 environment
- Use v2.2.1
- Import the attached monkey-config.txt (GitHub won't allow a .conf file to be uploaded). Config in the comment below
- Run the agent from the Island
- After all propagation is complete, you'll notice that agents on some machines, such as tunneling-9 and credentials-reuse-14, never shut down.
- Click the "Kill All Monkeys" button
- Once all agents are shut down, you can download the agent logs and inspect them
```
2023-07-27 16:18:39,282 [3548:ScanThread-15:DEBUG] ip_scanner._scan_addresses.84: ips_to_scan queue is empty, scanning thread 139737029375744 exiting
2023-07-27 16:18:39,632 [3718:ExploiterThread-03:DEBUG] smb_remote_access_client._query_shares.134: Skipping share 'IPC$' on victim 10.2.2.14 because the share path is invalid
2023-07-27 16:18:39,632 [3718:ExploiterThread-03:DEBUG] smb_remote_access_client.copy_file.110: Clean destination: temp\monkey64-qvc9WE4F.exe
2023-07-27 16:18:40,019 [3548:ScanThread-04:INFO] tcp_scanner._check_tcp_ports.114: Discovered the following ports on 10.2.5.16: []
2023-07-27 16:18:40,021 [3548:ScanThread-04:DEBUG] pypubsub_agent_event_queue._publish_event.55: Publishing a TCPScanEvent event to all_events_topic
2023-07-27 16:18:40,021 [3548:ScanThread-04:DEBUG] agent_event_forwarder.send_event.46: Adding event of type TCPScanEvent to the queue to send to the Island
2023-07-27 16:18:40,021 [3548:ScanThread-04:DEBUG] pypubsub_agent_event_queue._publish_event.55: Publishing a TCPScanEvent event to TCPScanEvent-type
2023-07-27 16:18:40,022 [3548:ScanThread-04:DEBUG] ip_scanner._scan_addresses.84: ips_to_scan queue is empty, scanning thread 139737230735104 exiting
2023-07-27 16:18:40,023 [3548:PropagatorScanThread:INFO] propagator._scan_network.110: Finished network scan
2023-07-27 16:18:40,464 [3718:ExploiterThread-03:INFO] smb_remote_access_client._copy_file_to_share.150: Copied monkey agent to remote share 'ADMIN$' [C:\Windows] on victim 10.2.2.14
...
```

```
2023-07-27 16:18:40,789 [3548:PluginEventForwarder:DEBUG] pypubsub_agent_event_queue._publish_event.55: Publishing a PropagationEvent event to attack-t1569-tag
2023-07-27 16:18:40,858 [3548:ExploiterThread-01:DEBUG] exploiter._exploit_hosts_on_queue.104: Exiting exploiter thread -- Thread ID: 139737599817472 -- stop.is_set(): False -- network_scan_completed: True
2023-07-27 16:18:41,699 [3548:ExploiterThread-02:DEBUG] exploiter._exploit_hosts_on_queue.104: Exiting exploiter thread -- Thread ID: 139737583032064 -- stop.is_set(): False -- network_scan_completed: True
2023-07-27 16:18:41,905 [3548:ExploiterThread-04:DEBUG] exploiter._exploit_hosts_on_queue.104: Exiting exploiter thread -- Thread ID: 139737213949696 -- stop.is_set(): False -- network_scan_completed: True
2023-07-27 16:18:41,907 [3548:ExploiterThread-05:DEBUG] exploiter._exploit_hosts_on_queue.104: Exiting exploiter thread -- Thread ID: 139737197164288 -- stop.is_set(): False -- network_scan_completed: True
2023-07-27 16:18:41,912 [3548:ExploiterThread-06:DEBUG] exploiter._exploit_hosts_on_queue.104: Exiting exploiter thread -- Thread ID: 139737188771584 -- stop.is_set(): False -- network_scan_completed: True
2023-07-27 16:18:44,029 [3548:TCPConnectionHandler:DEBUG] tcp_connection_handler.run.43: New connection received from: ('10.2.1.10', 53734)
```

Full Log: 2023-07-27T16.18.22.620Z-tunneling-9.log
Notice that ExploiterThread-03 logs that a file was successfully copied, but no log messages from ExploiterThread-03 are received thereafter. In addition, every exploiter thread except 03 shuts down.
Tasks
- Fix it (0) @ilija-lazoroski
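A triage aid for agent logs like the one in this issue, added here as an example (it is not part of the original report or of the Infection Monkey code base): it reports exploiter threads that logged activity but never logged the "Exiting exploiter thread" line. The function name, the regex, and keying on thread name alone are assumptions of this example; the sample is four lines excerpted from the log quoted above.

```python
import re
from datetime import datetime

# Layout of the agent log lines quoted in this issue:
#   <timestamp> [<pid>:<thread>:<level>] <module.function.line>: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<pid>\d+):(?P<thread>[^:\]]+):(?P<level>[A-Z]+)\] "
    r"(?P<origin>\S+): (?P<msg>.*)$"
)
EXIT_MARKER = "Exiting exploiter thread"  # message text from the issue's log

# Four lines excerpted from the log quoted in this issue.
SAMPLE = r"""
2023-07-27 16:18:39,632 [3718:ExploiterThread-03:DEBUG] smb_remote_access_client.copy_file.110: Clean destination: temp\monkey64-qvc9WE4F.exe
2023-07-27 16:18:40,464 [3718:ExploiterThread-03:INFO] smb_remote_access_client._copy_file_to_share.150: Copied monkey agent to remote share 'ADMIN$' [C:\Windows] on victim 10.2.2.14
2023-07-27 16:18:40,858 [3548:ExploiterThread-01:DEBUG] exploiter._exploit_hosts_on_queue.104: Exiting exploiter thread -- Thread ID: 139737599817472 -- stop.is_set(): False -- network_scan_completed: True
2023-07-27 16:18:41,699 [3548:ExploiterThread-02:DEBUG] exploiter._exploit_hosts_on_queue.104: Exiting exploiter thread -- Thread ID: 139737583032064 -- stop.is_set(): False -- network_scan_completed: True
"""


def find_silent_exploiter_threads(log_text):
    """Return {thread: (last_timestamp, last_origin)} for every exploiter
    thread that logged something but never logged EXIT_MARKER.

    Assumption: a thread name identifies one exploiter thread per log file,
    so the pid field is parsed but not used as part of the key."""
    last_seen, exited = {}, set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m["thread"].startswith("ExploiterThread-"):
            continue  # blank line, ellipsis, or a non-exploiter thread
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        last_seen[m["thread"]] = (ts, m["origin"])  # later lines overwrite
        if EXIT_MARKER in m["msg"]:
            exited.add(m["thread"])
    return {t: v for t, v in last_seen.items() if t not in exited}


if __name__ == "__main__":
    for thread, (ts, origin) in find_silent_exploiter_threads(SAMPLE).items():
        print(f"{thread}: no exit line; last entry {ts} from {origin}")
```

The last origin reported for a silent thread is the call after which it stopped logging, which is where to start looking for the blocking operation.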