Fix fake user addition to the config because of Mimikatz#1902
Conversation
before adding to the config since we don't want to add users created by the Monkey
…g because of Mimikatz
Codecov Report
@@ Coverage Diff @@
## develop #1902 +/- ##
========================================
Coverage 54.93% 54.94%
========================================
Files 446 447 +1
Lines 12624 12626 +2
========================================
+ Hits 6935 6937 +2
Misses 5689 5689
Continue to review full report at Codecov.
|
| @@ -0,0 +1 @@ | |||
| USERNAME_PREFIX = "somenewuser" | |||
There was a problem hiding this comment.
I don't think it's worth creating a new file just for this. I suppose mimikatz credential collector should just import from PBA, since that's the source of users we don't want to add.
There was a problem hiding this comment.
Don't couple the mimikatz collector to the PBAs!
|
|
||
| # Mimikatz picks up users created by the Monkey even if they're successfully deleted | ||
| # since it picks up creds from the registry. The newly created users are not removed | ||
| # from the registry until a reboot of the system, hence this check. |
There was a problem hiding this comment.
Have you checked? We need to make sure these users aren't left there forever
mssalvatore
left a comment
There was a problem hiding this comment.
I'm concerned about the coupling this introduces between the PBAs and CredentialsCollectors. We may not be able to properly solve this issue without some more infrastructure in place. Ideally, both the PBA and the MimikatzCollector would be configurable so that the user can configure which users MimikatzCollector ignores.
At this time, I don't know that this issue is a significant enough nuisance to warrant coupling the PBAs and the CredentialsCollectors.
This const is used by PBA and mimikatz collectors as describes the username prefix for users created by IM
What does this PR do?
Fixes #1860
PR Checklist
Was the documentation framework updated to reflect the changes?Have you checked that you haven't introduced any duplicate code?Testing Checklist
Added relevant unit tests?If applicable, add screenshots or log transcripts of the feature working