guardicore / monkey

Infection Monkey - An open-source adversary emulation platform
https://www.guardicore.com/infectionmonkey/
GNU General Public License v3.0

Windows agent is not deleted after completion #1763

Closed ilija-lazoroski closed 2 years ago

ilija-lazoroski commented 2 years ago

Describe the bug

When running the monkey agent on a Windows system, the agent is not deleted after the execution is finished. A possible cause is that we are using subprocess.Popen to launch a command that waits and then deletes the binary, but somewhere we exit the agent, which kills the Popen execution, and the agent is never deleted.

To Reproduce

Steps to reproduce the behavior:

  1. Run the Monkey Agent from executable
  2. Check if the executable is deleted

Expected behavior

The agent should be removed after execution.


mssalvatore commented 2 years ago

Using the `at` command or the `schtasks` command instead of the current implementation might resolve the issue and also be cleaner.

mssalvatore commented 2 years ago

[DeleteFileA](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-deletefilea) might be the best solution.

> The DeleteFile function marks a file for deletion on close. Therefore, the file deletion does not occur until the last handle to the file is closed. Subsequent calls to CreateFile to open the file fail with ERROR_ACCESS_DENIED.

mssalvatore commented 2 years ago

Using `start` may be another option. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/start
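The thread lists several ways a binary can arrange its own removal: a shell command that waits and then deletes it, `schtasks` or `at`, `DeleteFile`, and `start`. From the defender's side, those same idioms are what a process-creation log shows whenever an agent or tool cleans up after itself, so they are worth flagging. The Python below is an added example and is not part of the Infection Monkey code base: it parses constructed Sysmon-style process-creation lines in a simplified `key=value` form (an assumption made for this example, as are the sample lines and paths) and flags command lines that delete an executable, rating them higher when the delete is combined with a delay, a scheduled task or a detached `start`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events in a simplified key=value form modelled on the
# fields of a Windows process-creation event (Sysmon Event ID 1 style).
# These are made up for this example, not captured from any real host.
SAMPLE_EVENTS = [
    r'pid=4120 ppid=3988 image=C:\Windows\System32\cmd.exe '
    r'cmdline="cmd.exe /c ping -n 5 127.0.0.1 > nul & del /f /q C:\Users\Public\monkey.exe"',
    r'pid=5011 ppid=3988 image=C:\Windows\System32\schtasks.exe '
    r'cmdline="schtasks /create /tn cleanup /sc once /st 23:59 /tr \"cmd /c del C:\Users\Public\monkey.exe\""',
    r'pid=5222 ppid=3988 image=C:\Windows\System32\cmd.exe '
    r'cmdline="cmd.exe /c start /b cmd /c timeout /t 3 & del C:\Users\Public\monkey.exe"',
    r'pid=6001 ppid=1200 image=C:\Windows\System32\cmd.exe '
    r'cmdline="cmd.exe /c del C:\Users\bob\notes.txt"',
    r'pid=6100 ppid=1300 image=C:\Windows\System32\cmd.exe '
    r'cmdline="cmd.exe /c ping -n 2 127.0.0.1"',
]

# One key=value field; values are bare or double-quoted with \" escapes inside.
FIELD_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# A delete verb, optional switches, then a target ending in .exe (quoted or bare).
DELETE_EXE_RE = re.compile(
    r'\b(?:del|erase|rm|remove-item)\b(?:\s+/\w+)*\s+(?P<target>"[^"]*?\.exe"|\S*?\.exe)\b',
    re.I,
)
# Idioms used to wait before deleting, so that the parent process can exit first.
DELAY_RE = re.compile(
    r'\b(?:ping\s+-n\s+\d+|timeout\s+(?:/t\s+)?\d+|choice\s+/t\s+\d+|sleep\s+\d+)', re.I
)
# Deferring the delete to the task scheduler (schtasks /create or the legacy at command).
SCHEDULE_RE = re.compile(
    r'\b(?:schtasks(?:\.exe)?\s+/create|at(?:\.exe)?\s+\d{1,2}:\d{2})\b', re.I
)
# Detaching the deleting shell with start so it outlives the process that spawned it.
DETACH_RE = re.compile(r'\bstart(?:\s+/\w+)*\s+cmd\b', re.I)


@dataclass
class Finding:
    pid: int
    ppid: int
    target: str          # the executable the command line deletes
    indicators: List[str]

    @property
    def severity(self) -> str:
        # Deleting an executable on its own is only medium; pairing it with a
        # delay, a scheduled task or a detached shell is the self-cleanup shape.
        return "high" if len(self.indicators) >= 2 else "medium"


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict, unescaping \\" in quoted values."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted.replace('\\"', '"') if quoted is not None else bare
    return fields


def analyze(line: str) -> Optional[Finding]:
    """Return a Finding if the event's command line deletes an executable, else None."""
    ev = parse_event(line)
    cmdline = ev.get("cmdline", "")
    m = DELETE_EXE_RE.search(cmdline)
    if m is None:
        return None
    indicators = ["deletes-executable"]
    for name, rx in (("delayed", DELAY_RE), ("scheduled", SCHEDULE_RE), ("detached", DETACH_RE)):
        if rx.search(cmdline):
            indicators.append(name)
    return Finding(
        pid=int(ev["pid"]),
        ppid=int(ev["ppid"]),
        target=m.group("target").strip('"'),
        indicators=indicators,
    )


def scan(lines: List[str]) -> List[Finding]:
    """Run analyze() over a batch of event lines and keep only the hits."""
    return [f for f in (analyze(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} ppid={f.ppid} severity={f.severity} "
              f"target={f.target} indicators={','.join(f.indicators)}")
```

The three constructed hits share the same parent pid, which is the kind of pivot a responder would use next: once a process is seen deleting an executable through a delayed, scheduled or detached shell, the parent that spawned it is usually the binary being removed. Ordinary deletes of non-executable files and plain `ping` delays are ignored, which keeps the rule quiet on normal administrative use.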