Infection Monkey - An open-source adversary emulation platform
This release is focused on adding high-value features to Infection Monkey.
Infection Monkey can now use RDP to propagate itself to Windows targets. According to The DFIR Report's 2022 Year in Review, 41.2% of lateral movement occurs via RDP. Infection Monkey users can now simulate this behavior in their environments and ensure they are prepared to detect and handle it.
A new cryptojacker payload has been added that performs cryptographic functions with the goal of consuming a configurable amount of CPU. It can also consume a configurable quantity of RAM, as well as simulate some bitcoin mining traffic.
Credentials can be stolen from Chrome-based browsers and used for lateral movement. On Windows hosts, credentials can be stolen from Chrome and Edge. On Linux hosts, credentials can be stolen from Chrome and Chromium.
Infection Monkey provides capabilities for exploitation/propagation, credentials stealing, and payloads via plugins. These plugins are now installable from a remote repository. This results in some highly impactful advantages for users.
- `PUT /api/install-agent-plugin`. #3417
- `GET /api/agent-plugins/installed/manifests`. #3424
- `GET /api/agent-plugins/available/index`. #3420
- `POST /api/uninstall-agent-plugin`. #3422

Welcome and thanks to our new contributors: @Akhil-Sharma30 @Mishrasubha
In Infection Monkey v2.2.0, a long-standing objective has been achieved: Windows users can now install the Infection Monkey Island without encountering warnings or errors from their antivirus solutions*. Additionally, the Infection Monkey Agents may also go undetected in some circumstances. Since Infection Monkey Agents behave similarly to malware, it is expected that host-based antivirus or EDR solutions may be triggered by certain behaviors.
Polymorphic and metamorphic malware modify each copy of themselves in order to evade signature-based detection mechanisms. This results in each copy of the malware having a unique hash. A new feature has been added that, if enabled, allows Infection Monkey Agents to emulate this property by including unique data within each copy of the Agent binary.
A common way of detecting and identifying an executable as malware is to write a detection rule (such as for a tool like YARA) that checks for the existence of strings or unique byte sequences within a file. The newly-added Malware Masquerade feature allows users to specify strings (characters) or arbitrary data (bytes) that will be injected into the Agent binaries. This allows Infection Monkey Agents to masquerade as specific types of malware. This is particularly useful for anyone who writes their own detection rules and needs a way to test them, or anyone looking to improve the fidelity of malware simulations.
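As an added illustration (not code from the Infection Monkey project), the script below shows how a defender would check a string-based YARA-style rule against a masqueraded copy: it parses a constructed rule's text and hex strings, appends masque data and per-copy unique bytes to a stand-in binary (appending is an assumption; the placement the real feature uses is not described above), and confirms that the rule fires only when every injected pattern is present while two uniquely seeded copies hash differently.

```python
import hashlib
import re

# Minimal YARA-style rule, constructed for this example. Only quoted text strings,
# hex strings without wildcards, and an "all of them"/"any of them" condition are parsed.
RULE = r'''
rule Constructed_Family {
    strings:
        $s1 = "EvilCorp Loader v3"
        $h1 = { DE AD BE EF CA FE BA BE }
    condition:
        all of them
}
'''

# Constructed stand-in for an Agent binary (the real Agent is a large ELF/PE file).
BASE_BINARY = b"\x7fELF" + b"\x00" * 12 + b"agent-code-placeholder" + b"\xff" * 12

TEXT_RE = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
HEX_RE = re.compile(r"\$(\w+)\s*=\s*\{([0-9A-Fa-f\s]+)\}")
COND_RE = re.compile(r"condition:\s*(all|any) of them")


def parse_rule(rule: str) -> tuple[dict[str, bytes], str]:
    """Extract the rule's string patterns and its quantifier ('all' or 'any')."""
    patterns = {name: text.encode("latin-1") for name, text in TEXT_RE.findall(rule)}
    patterns.update({name: bytes.fromhex(re.sub(r"\s", "", hexs)) for name, hexs in HEX_RE.findall(rule)})
    cond = COND_RE.search(rule)
    if not cond:
        raise ValueError("unsupported condition; only 'all of them' / 'any of them' handled")
    return patterns, cond.group(1)


def rule_matches(rule: str, data: bytes) -> bool:
    """Evaluate the rule the way a string-only YARA scan would: plain substring hits."""
    patterns, quantifier = parse_rule(rule)
    hits = [pattern in data for pattern in patterns.values()]
    return all(hits) if quantifier == "all" else any(hits)


def masquerade(binary: bytes, strings: list[str], raw: bytes, unique: bytes = b"") -> bytes:
    """Return a copy of `binary` carrying masque strings, raw masque bytes and
    per-copy unique data. Appending them as a trailing blob is an assumption made
    for this example; the detection check above does not depend on placement."""
    return binary + b"".join(s.encode() + b"\x00" for s in strings) + raw + unique


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
```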
Credentials collectors can now be written as plugins** loaded by Infection Monkey at runtime. This flexibility will allow for the development and delivery of more credentials collection/theft techniques in the near future. Furthermore, enhancements to the SSH credentials collector make it more adept at collecting SSH keys to be used for propagation.
Several bugs have been fixed, including a critical issue that caused agents spawned by the SMB exploiter to crash.
\* Infection Monkey has been tested with various common antivirus/EDR solutions. While some solutions may still raise errors, our testing has not identified any specific issues.

\*\* Please note that plugin interfaces are still considered experimental. They will be documented and made available to users in a future release.
- `PortScanData.open` property. #3238
- `{GET,PUT} /api/agent-binaries/<string:os>/masque`. #3249
- `AgentRegistrationData`. #3244
- `EmailAddress` identity type. #3270

Infection Monkey version 2.1.0 introduces security, user experience, and tech stack enhancements.
- `sudo docker pull infectionmonkey/monkey-island:latest`.
- `GET /api/agent-otp`. #3076
- `POST /api/agent-otp-login` endpoint. #3076
- `POST /api/refresh-authentication-token` endpoint that allows refreshing of the access token. #3181
- `SystemSingleton` component, which could allow local users to execute a DoS attack against agents. #2817
- `flask-security-too`. #2049, #2157, #3078, #3138

Infection Monkey began as a means of vulnerability assessment, producing recommendations for improving network security.
The new mission focuses on adversary emulation. Organizations employ many measures to maintain network security. The only way for them to know whether or not these measures are working, and their networks are safe, is by testing. The basic assumption should be: if it's not tested, it's broken.
Infection Monkey is malware you can control, designed to be safe for production environments. It provides safe testing by emulating adversaries' attacks to ensure that the security measures employed by the organization are not broken and, indeed, provide the necessary level of security.
In summary, v2.0.0 of Infection Monkey constitutes a shift in focus from vulnerability scanning and breach & attack simulation to adversary emulation.
Infection Monkey is now faster and more reliable than ever before, as over 75 bugs were resolved. Notably, a longstanding issue that prevented Infection Monkey from stopping on command has been resolved. Thus, you can now ensure your network's safety with greater confidence, speed, and control.
Six minor security weaknesses have been resolved as part of an effort to harden and secure Infection Monkey itself. Among these, we have upgraded some dependencies to newer, more secure versions.
We reduced feature bloating by removing outdated exploitation techniques, as well as some reporting and scanning features that do not support our new mission. The existing features are now more robust and intuitive, ensuring better testing and faster results.
We have redesigned the API to prepare to shift from private API to public API. Documentation will follow in the near future.
- `credentials.json` file for storing Monkey Island user login information. #1206
- `GET /api/propagation-credentials/<string:guid>` endpoint for agents to retrieve updated credentials from the Island. #1538
- `GET /api/island/ip-addresses` endpoint to get IP addresses of the Island server network interfaces. #1996
- `POST /api/reset-agent-configuration` endpoint. #2036
- `POST /api/clear-simulation-data` endpoint. #2036
- `GET /api/registration-status` endpoint. #2149
- `/api/island/version`. #2109
- `{GET,POST} /api/agents` endpoint. #2362
- `GET /api/agent-signals` endpoint. #2261
- `GET /api/agent-logs/<uuid:agent_id>` endpoint. #2274
- `GET /api/machines` endpoint. #2362
- `{GET,POST} /api/agent-events` endpoints. #2405
- `GET /api/nodes` endpoint. #2155, #2300, #2334
- `GET /api/agent-plugins/<string:os>/<string:type>/<string:name>` endpoint. #2578, #2811
- `GET /api/agent-configuration-schema` endpoint. #2710
- `GET /api/agent-plugins/<string:type>/<string:name>/manifest` endpoint. #2786
- `GET /api/agent-binaries/<string:os>` endpoint. #1675, #1978
- `server_config.json` files to be simpler. #1576
- `GET /api/monkey/download` to `GET /api/agent-binaries/<string:os>`. #1675, #1978
- `infection-monkey-agent-<TIMESTAMP>-<RANDOM_STRING>.log`. #1761
- `/api/island-mode` to accept and return new "unset" mode. #2036
- `/api/version-update` to `/api/island/version`. #2109
- `/api/island-mode` to `/api/island/mode`. #2106
- `/api/log/island/download` endpoint to `/api/island/log`. #2107
- `/api/auth` endpoint to `/api/authenticate`. #2105
- `/api/registration` endpoint to `/api/register`. #2105
- `-s/--server` to `-s/--servers`. #2216
- `-s/--servers` accepts a comma-separated list of servers. #2216
- `/api/monkey-control/stop-all-agents` to `POST /api/agent-signals/terminate-all-agents`. #2261
- `GET /api/monkey/<string:guid>` endpoint. #1538
- `GET /api/monkey_control/check_remote_port/<string:port>` endpoint. #1635
- `/api/test/clear_caches` endpoint. #1888, #2092
- `/api/monkey_control` endpoints. #1888, #2261
- `/api/client-monkey` endpoint. #1889
- `--config` argument. #906
- `/api/configuration/import` endpoint. #2002
- `/api/configuration/export` endpoint. #2002
- `/api/island-configuration` endpoint. #2003
- `-t/--tunnel` from agent command line arguments. #2216
- `/api/monkey-control/needs-to-stop`. #2261
- `GET /api/test/monkey` endpoint. #2269
- `GET /api/test/log` endpoint. #2269
- `GET /api/netmap` endpoints. #2334, #2453
- `GET /api/zero-trust/finding-event/<string:finding_id>` endpoint. #2441
- `GET /api/report/zero-trust/<string:report_data>` endpoint. #2441
- `/api/pba` endpoints. #2442
- `GET /api/telemetry-feed` endpoint. #2502
- `{GET,POST} /api/log` endpoint. #2485
- `GET /api/local-monkey` endpoint. #2506
- `/api/telemetry` endpoint. #2503
- `/api/agent` endpoint. #2542
- `/api/exploitations/manual` endpoint. #2509
- `/api/island/ip-addresses` endpoint. #2565
- `/tmp`. #1782
- `/api/telemetry` endpoint allowed arbitrary queries to be submitted, which could result in JavaScript execution. #2503

Filename | Type | Version | SHA256 Hash |
---|---|---|---|
InfectionMonkey-v2.0.0.AppImage | Island | 2.0.0 | b40ffde3e55f2b2198e8f26c44a1beb33a84a0979764a47ffb5ce26f07f4fa8e |
InfectionMonkey-docker-v2.0.0.tgz | Island | 2.0.0 | fa75631d6fa6d6d5086d936077e8005b8b7f59626c78ca561de80470ce5d42f0 |
InfectionMonkey-v2.0.0.exe | Island | 2.0.0 | bbe670cec5c16fbfbec63719594830a52f9495899f96a06fd5c587c6390c3269 |
monkey-linux-64 | Agent | 2.0.0 | 07c8ed75f1a83ace2d018f4645b7a147c31075f41963a1d801e4e5133014189a |
monkey-windows-64 | Agent | 2.0.0 | 7d848e1cc4855b8476b27e81dfb01b4e38a2d0a421f80507b08a99ab7c71e4ea |
This release adds a new exploiter to the Infection Monkey, which exploits the Log4Shell vulnerability (CVE-2021-44228). To start downloading it while you read the release notes, go to the Infection Monkey website.
Filename | Type | Version | SHA256 Hash |
---|---|---|---|
InfectionMonkey-v1.13.0.AppImage | Island | 1.13.0 | cded4e8394a4d2a809ba9b74b924aea590317515b9b032ba8005a93dfce1c861 |
monkey-linux-32 | agent | 1.13.0 | 24c5779825f26c76a8910794836647096f4bb4b47cfd6ad213cc48116d140fab |
monkey-linux-64 | agent | 1.13.0 | f21e709cb7ba8daf90b908af5fe485ba43866c325d3c7ce1eb07e8a2323e07c1 |
monkey-windows-32 | agent | 1.13.0 | 7497907e3cf4ffeb121a7795bfa16709800e6e0f99770f64af7fff684ecba6d6 |
monkey-windows-64 | agent | 1.13.0 | 3edd20de2247047c8a822c84145981936ce2fd0bdf843eb5ca777ca4d2478b35 |
sc_monkey_runner32.so | sambacry | | 68fd441c92f9d2c3201f7072eafbe9a4c56339139395daeba959836bd3f8b212 |
sc_monkey_runner64.so | sambacry | | 94e1d1ac64bfc4a63f590f8add21c10f26b2b0ffb6b69518ed2c53909c8faf18 |
This release enhances Infection Monkey's ransomware simulation capability by adding the ability to propagate via PowerShell remoting. It also provides numerous bug fixes, as well as UX and security improvements. To start downloading it while you read the release notes, go to the Infection Monkey website.
- ".bash_profile and .bashrc" was not attempted when it actually was attempted but failed. #1511

Welcome and thanks to our new contributors: @TRGamer-tech
Filename | Type | Version | SHA256 Hash |
---|---|---|---|
InfectionMonkey-v1.12.0.AppImage | island | 1.12.0 | 1325f2aa1d0c27aec2e2f9864ed53c53c524bd208313f87ea6606f59c90ff310 |
monkey-linux-32 | agent | 1.12.0 | d941943046db48cf0eb7f11e144a79749848ae6b50014833c5390936e829f6c3 |
monkey-linux-64 | agent | 1.12.0 | 1ad52eabd704a9b0fbf642fa552629f30d3c5c27e431a687bd4cba4e0104d3f7 |
monkey-windows-32 | agent | 1.12.0 | 3c10f610f47c4fd227cf85f6bf800d66ed31fe37dc2e2ed408860483685ba504 |
monkey-windows-64 | agent | 1.12.0 | 02e5e051a96e2ca61ae8e661b3a5828ee53a0fc00aca6502d5c73a46754f0d07 |
sc_monkey_runner32.so | sambacry | | 68fd441c92f9d2c3201f7072eafbe9a4c56339139395daeba959836bd3f8b212 |
sc_monkey_runner64.so | sambacry | | 94e1d1ac64bfc4a63f590f8add21c10f26b2b0ffb6b69518ed2c53909c8faf18 |
This release introduces Infection Monkey's ransomware simulation capability. It also adds a number of security enhancements and configuration options. To start downloading it while you read the release notes, go to the Infection Monkey website.
- `log_level` option to server config. #1151
- `mongo_key.bin` file location at runtime. #994
- `tests/` directory to improve pytest collection time. #1102
- `--run-performance-tests` flag is specified.
- `server_config.json` into a separate section named "environment". #1161

Welcome and thanks to our new contributors: @ilija-lazoroski @kur1mi @Vertrauensstellung
Filename | Type | Version | SHA256 Hash |
---|---|---|---|
Infection_Monkey-1.11.0-x86_64.AppImage | island | 1.11.0 | 6312b6bff18c11c7db694f42cf5a41e894786c39e3e093b6b15abcbff80337f2 |
monkey-linux-32 | agent | 1.11.0 | b0615fc0369bf6f0900e89acbc300cfe63bc754e4e3d50c2cba2dbdb2de8e511 |
monkey-linux-64 | agent | 1.11.0 | fb4c979ce6c29bb458be50a44cc6839650826b831da849da69a05dfefdc66462 |
monkey-windows-32 | agent | 1.11.0 | e006b26663f59b92bad8d49b034cd8101dd481f881e3c4839a9c1e64fd99e849 |
monkey-windows-64 | agent | 1.11.0 | 12c55377381a8fc7d8ff731db52302ef2f8bb894d8712769e5a91a140ba22b0a |
sc_monkey_runner32.so | sambacry | | 68fd441c92f9d2c3201f7072eafbe9a4c56339139395daeba959836bd3f8b212 |
sc_monkey_runner64.so | sambacry | | 94e1d1ac64bfc4a63f590f8add21c10f26b2b0ffb6b69518ed2c53909c8faf18 |
tracerouter32 | traceroute | | c15a8a7612af31ff973d424c6473eb34e2ca66dddc6aef3067a1e9927e368f23 |
traceroute64 | sambacry | | 64d5c9c9b7c0aaf6447bd6fd439b87052fe72bba769c4de454bc1f817cffcad4 |
This release introduces exciting new features, performance improvements, and lots of bug fixes. To start downloading it while you read the release notes, go to the Infection Monkey website.
Infection Monkey can now exploit two new remote code execution vulnerabilities:
Scout Suite is an open-source cloud security-auditing tool. It queries the cloud API to gather configuration data. Based on the configuration data gathered, ScoutSuite shows security issues and risks present in your cloud infrastructure. Infection Monkey will run a ScoutSuite scan against your AWS environment and categorize any alerts according to the Zero Trust framework. #519
We're continuing to improve our MITRE ATT&CK capabilities. We've added four new ATT&CK techniques to Infection Monkey, for a total of 36!
We've updated our documentation for readability and consistency, as well as added swimm tutorials for developers.
- `local_run` endpoint #981

Welcome and thanks to our new contributors:
Filename | Type | Version | SHA256 Hash |
---|---|---|---|
monkey-linux-32 | agent | 1.10.0 | a6de7d571051292b9db966afe025413dc20b214c4aab53e48d90d8e04264f4f5 |
monkey-linux-64 | agent | 1.10.0 | 932f703510b6484c3824fc797f90f99722e38a7f8956cf6fa58fdecb3790ab93 |
monkey-windows-32 | agent | 1.10.0 | 8e891e90b11b97fbbef27f1408c1fcad486b19c612773f2d6a9edac5d4cdb47f |
monkey-windows-64 | agent | 1.10.0 | 3b499a4cf1a67a33a91c73b05884e4d6749e990e444fa1d2a3281af4db833fa1 |
sc_monkey_runner32.so | sambacry | | 68fd441c92f9d2c3201f7072eafbe9a4c56339139395daeba959836bd3f8b212 |
sc_monkey_runner64.so | sambacry | | 94e1d1ac64bfc4a63f590f8add21c10f26b2b0ffb6b69518ed2c53909c8faf18 |
tracerouter32 | traceroute | | c15a8a7612af31ff973d424c6473eb34e2ca66dddc6aef3067a1e9927e368f23 |
traceroute64 | sambacry | | 64d5c9c9b7c0aaf6447bd6fd439b87052fe72bba769c4de454bc1f817cffcad4 |
This is a BIG, exciting release, with a ton of new features and improvements. To start downloading it while you read the release notes, go to the Infection Monkey website.
We're continuing to improve our MITRE ATT&CK capabilities, with many new techniques added and a new report with more information.
We've added 8 new ATT&CK techniques to the Monkey, which brings our total coverage to 32!
- "setuid and setgid" attack technique (T1166) #702
- ".bash_profile and .bashrc" attack technique (T1156) #682

The new report added a new status to help you discern WHY a technique was or was not attempted, so you can optimise future Monkey executions. Here's how it looks:
In our effort to improve the user experience and make Monkey more accessible and usable, we've revamped our entire Configuration screen! Easily control the credentials used in simulations, the target list the Monkey will scan, and which exploits the Monkey will attempt to use.
Replaced the `mimikatz` DLL with `pypykatz` for better defence evasion (#471, #583)

Most AVs recognize and delete the Mimikatz DLL or even disrupt the entire Monkey installation process on Windows. We've replaced Mimikatz with pypykatz and, for now, it'll be much harder for endpoint protection software to stop the Monkey.
Due to the limited control and ease of use of the GitHub wiki, we've decided to move our documentation to a self-hosted solution based on Hugo.
The first time you launch Monkey Island (Infection Monkey CC server), you'll be prompted to create an account and secure your island. After your account is created, the server will only be accessible via the credentials you chose.
If you want the Island to be accessible without credentials, press "I want anyone to access the island". Please note that this option is insecure: you should only pick this for use in development environments.
Read related documentation here.
We have a new integration with snyk.io, a service which checks our dependencies for vulnerabilities! So we've locked all our dependencies (#627) and updated lots of them as well:
Everything that was fixed in 1.8.2 and:
Welcome and thanks to our new contributors:
Filename | Type | Version | Hash |
---|---|---|---|
monkey-linux-32 | agent | 1.9.0 | 4c24318026239530ed2437bfef1a01147bb1f3479696eb4eee6009326ce6b380 |
monkey-linux-64 | agent | 1.9.0 | aec6b14dc2bea694eb01b517cca70477deeb695f39d40b1d9e5ce02a8075c956 |
monkey-windows-32 | agent | 1.9.0 | 67f12171c3859a21fc8f54c5b2299790985453e9ac028bb80efc7328927be3d8 |
monkey-windows-64 | agent | 1.9.0 | 24622cb8dbabb0cf4b25ecd3c13800c72ec5b59b76895b737ece509640d4c068 |