guardicore / monkey

Infection Monkey - An open-source adversary emulation platform
https://www.guardicore.com/infectionmonkey/
GNU General Public License v3.0

Ransomware Simulation does not encrypt files #3933

Open Pr0xyBu6 opened 6 months ago

Pr0xyBu6 commented 6 months ago

I need to know why Infection Monkey does not encrypt files in the ransomware simulation, even though the configuration is fine and the exploiter runs without problems.

To Reproduce

I have an instance of Infection Monkey in version 2.3.0. I configured the plugin based on the technical requirements described in the documentation.

  1. Enable the payload.
  2. Enter the location of the folder to be encrypted: C:\Users Documents.
  3. Enable SMB Exploiter
  4. Register the valid credentials of the local user of the computer to be simulated.
  5. Execute from the island.

Attached is a log of the test.

Expected behavior

The report states that it managed to exploit the computer via SMB but was unable to encrypt the files, mainly office files.

Screenshots


Machine version (please complete the following information):

Syslog Agent

2023-12-07T03.57.35.840Z-wazuhserver.log

Syslog Island

Island_log.txt

shreyamalviya commented 6 months ago

Hi, it seems like while the machine was exploited, propagation was unsuccessful. This can be seen in the logs as well as in the Infection Map (there's no arrow going back to the Island machine from the exploited machine).

The file copy wasn't successful, i.e. an Agent binary was not copied to the machine because of an access denial (check lines 144 to 161 in your Agent logs). That's why the ransomware simulation didn't run.

VakarisZ commented 6 months ago

It seems like Usuario is not an admin user and the machine is not in a domain-joined network. There are a couple of possible fixes:

  1. Try to make Usuario an admin account
  2. Disable UAC (tutorial here: https://help.pdq.com/hc/en-us/articles/220533007)

More information on why this is happening: https://github.com/fortra/impacket/issues/664
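A read-only preflight check for the three conditions named in the comment above (local account not an administrator, host not domain-joined, UAC restricting remote use of local accounts), added here as an example and not part of the Infection Monkey project or this thread. It assumes the account under test is passed as `-UserName` (defaulting to `Usuario` from this issue) and reads the `LocalAccountTokenFilterPolicy` registry value, which the page does not name but is the Windows setting that decides whether a local administrator gets a full or a filtered token over the network; it reports status and changes nothing.

```powershell
# Added example, not Infection Monkey code. Run on the target Windows host
# before the simulation to explain an "access denied" during agent copy.
param([string]$UserName = "Usuario")   # assumption: account used by the SMB exploiter

$findings = @()

# 1. Membership in the local Administrators group (Name is reported as HOST\user)
$admins = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue
$isAdmin = $admins | Where-Object { $_.Name -like "*\$UserName" }
if (-not $isAdmin) {
    $findings += "'$UserName' is not a member of the local Administrators group"
}

# 2. Domain membership: workgroup hosts apply UAC remote restrictions to local accounts
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    $findings += "Host is not domain-joined (workgroup: $($cs.Workgroup))"
}

# 3. UAC policy values that govern remote logons with local accounts
$policyKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$policy = Get-ItemProperty -Path $policyKey
if ($policy.EnableLUA -eq 1) {
    $findings += "UAC is enabled (EnableLUA=1)"
}
if ($policy.LocalAccountTokenFilterPolicy -ne 1) {
    $findings += "LocalAccountTokenFilterPolicy is not 1: remote logons by local admins receive a filtered (non-admin) token"
}

# Report: an empty list means none of the conditions from the thread applies
if ($findings.Count -eq 0) { "No blocking condition found" } else { $findings }
```

Any line in the output corresponds to one of the reasons the agent binary could not be written over SMB; treat changes to UAC policy on a production host as a security decision rather than a test-setup step.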