Add credentials collectors explanation pages #4240
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## develop #4240 +/- ##
========================================
Coverage 77.07% 77.07%
========================================
Files 442 442
Lines 14135 14135
Branches 18 18
========================================
Hits 10895 10895
Misses 3240 3240 ☔ View full report in Codecov by Sentry. |
shreyamalviya
force-pushed
the
4212-docs-credentials-collector-explanation
branch
from
185c1c9
to
9f82c72
Compare
shreyamalviya
force-pushed
the
4212-docs-credentials-collector-explanation
branch
from
3fb3f21
to
ef7c703
Compare
mssalvatore
force-pushed
the
4212-docs-credentials-collector-explanation
branch
from
ef7c703
to
e865dad
Compare
There was a problem hiding this comment.
This looks fantastic!
mssalvatore
force-pushed
the
4212-docs-credentials-collector-explanation
branch
from
2427a2c
to
13948cd
Compare
|
I expanded the explanation of Credentials Collectors:
I have two seemingly conflicting goals for this:
There may be a little bit too much detail about exploiters here, but I think it's important for users to understand how the stolen credentials are used. I think the solution would be to provide this information under Similarly, instead of explaining exploiters, I'd rather just use the term "Exploiter" and link to the relevant documentation, but the relevant documentation doesn't exist yet. I've also left a note in #4213. |
| When an Infection Monkey Agent is started, it begins the reconnaissance phase | ||
| of its attack. The first step in this phase is to use all enabled credentials | ||
| collectors to steal credentials. Any stolen credentials are then sent to the | ||
| Monkey Island, where they become immediately available for any Agent to use. | ||
|
|
||
| After the reconnaissance phase, the Agent will begin the propagation phase and | ||
| attempt to compromise other hosts on the network. Exploiters are Infection | ||
| Monkey plugins that attempt to spread copies of the Agent throughout the | ||
| network. Some exploiters can use the credentials stolen by credentials | ||
| collectors to gain access to other systems on the network. First, the exploiter | ||
| will query the Monkey Island to retrieve credentials that were configured by | ||
| the user and any credentials that were stolen by credentials collectors. Next, | ||
| the exploiters will use the stolen credentials to attempt to authenticate with | ||
| a target system. If authentication is successful, the exploiter will execute | ||
| the Agent on the target system, spreading the infection throughout the network. |
There was a problem hiding this comment.
I'm still unsure if we should go into this much detail. I suggest we have a separate page explaining the different phases of execution which we could link to wherever required (probably each plugin type's explanation?). This isn't something that's specific to credentials collectors so it doesn't feel right to me here.
There was a problem hiding this comment.
We'd like to put explanation on chapter pages. Reading large amounts of text that is center justified feels strange. This change does not modify the format of existing chapter pages. However, any <p> element after a <h2> element on a chapter page will now be formatted consistently with the rest of the documentation.
I wasn't able to find any links to information about "Windows Credential Manager" during a cursory web search. Maybe such a thing exists, but it's somewhat elusive. In addition, all of the descriptions (including our own) about Mimikatz describe it retrieving credentials "from memory." Therefore, this commit changes the description of the mimikatz collector to improve its accuracy.
mssalvatore
force-pushed
the
4212-docs-credentials-collector-explanation
branch
from
85099ce
to
bf74c8f
Compare
What does this PR do?
Fixes #4212
PR Checklist
Testing Checklist