
@shreyamalviya
Created August 28, 2020 06:35
Infection Monkey, Google Summer of Code 2020

Organization: The Honeynet Project
Project site: Infection Monkey

What is Infection Monkey?

Infection Monkey is an open-source security tool for testing a data center’s resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self-propagate across on-premises/cloud-based data centers and finds their weaknesses, whose results it then reports to a centralized Monkey Island Command and Control server.

In simpler words, Infection Monkey allows you to simulate breach and attack scenarios in your environment to help you assess the damage that you may endure in a real attack and verify that your security solutions work as expected.

What I Did

The initial aim of the project was to implement 11 new MITRE ATT&CK techniques in the Monkey to improve its detection capabilities, but over the span of three months, I ended up working on many other things in addition to this. :D

Below is a summary of my contributions to Infection Monkey along with the links to the corresponding pull requests.

New MITRE ATT&CK Techniques

I enhanced the detection capabilities of the Monkey by improving the MITRE ATT&CK coverage. This includes the addition of several new post-breach actions, which are mapped to the MITRE ATT&CK knowledge base in Monkey.

I added twelve new techniques:

  • T1136 — "Create Account" attack technique (#582)
  • T1158 — "Hidden Files and Directories" attack technique (#674)
  • T1156 — ".bash_profile and .bashrc" attack technique (#687)
  • T1504 — "PowerShell Profile" attack technique (#687)
  • T1168 — "Local Job Scheduling" attack technique (#694)
  • T1053 — "Scheduled Task" attack technique (#694)
  • T1154 — "Trap" attack technique (#698)
  • T1166 — "setuid and setgid" attack technique (#713)
  • T1216 — "Signed Script Proxy Execution" attack technique (#776)
  • T1087 — "Account Discovery" attack technique (#793)
  • T1099 — "Timestomping" attack technique (#796)
  • T1146 — "Clear Command History" attack technique (#799)
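To make the "post-breach action mapped to ATT&CK technique" idea concrete, here is a small added example in the spirit of the report (it is not Infection Monkey's own code, and the class and function names are hypothetical). Each action records the technique IDs it exercises, runs in a throwaway temporary directory so nothing on the host is touched, and the results are rolled up into a per-technique USED/FAILED matrix of the kind the ATT&CK report displays. Two of the techniques listed above are simulated: T1158 (a dot-prefixed hidden file) and T1099 (rewriting a file's timestamps with `os.utime`).

```python
"""Hypothetical post-breach action (PBA) harness mapped to MITRE ATT&CK IDs.
Added example for illustration; not Infection Monkey's own implementation."""
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class PBAResult:
    name: str
    techniques: List[str]
    success: bool
    detail: str


@dataclass
class PostBreachAction:
    name: str
    techniques: List[str]       # ATT&CK technique IDs this action exercises
    run: Callable[[str], str]   # takes a working directory, returns a detail string


def hidden_file_action(workdir: str) -> str:
    # T1158: on Unix a dot-prefixed file is omitted from a plain `ls`.
    path = os.path.join(workdir, ".monkey-hidden")
    with open(path, "w") as fh:
        fh.write("hidden\n")
    if not os.path.basename(path).startswith("."):
        raise RuntimeError("file is not hidden")
    return path


def timestomp_action(workdir: str) -> str:
    # T1099: rewrite atime/mtime to a fixed date in the past (2000-01-01, local time).
    path = os.path.join(workdir, "stomped.txt")
    with open(path, "w") as fh:
        fh.write("timestomp target\n")
    past = time.mktime((2000, 1, 1, 0, 0, 0, 0, 0, -1))
    os.utime(path, (past, past))
    # Verify the change; some filesystems only keep whole-second resolution.
    if abs(os.stat(path).st_mtime - past) > 1:
        raise RuntimeError("mtime not changed")
    return path


def run_pbas(actions: List[PostBreachAction], workdir: str) -> List[PBAResult]:
    """Run every action, capturing failure instead of aborting the whole phase."""
    results = []
    for action in actions:
        try:
            detail = action.run(workdir)
            results.append(PBAResult(action.name, action.techniques, True, detail))
        except Exception as exc:  # a failing PBA must not stop the others
            results.append(PBAResult(action.name, action.techniques, False, str(exc)))
    return results


def attack_report(results: List[PBAResult]) -> Dict[str, str]:
    """Map each technique ID to USED or FAILED, like an ATT&CK coverage matrix.
    A technique counts as USED if any action exercising it succeeded."""
    report: Dict[str, str] = {}
    for r in results:
        for tid in r.techniques:
            if report.get(tid) != "USED":
                report[tid] = "USED" if r.success else "FAILED"
    return report


ACTIONS = [
    PostBreachAction("Hidden file", ["T1158"], hidden_file_action),
    PostBreachAction("Timestomping", ["T1099"], timestomp_action),
]


def simulate() -> Dict[str, str]:
    # Everything happens inside a temp dir that is deleted on exit.
    with tempfile.TemporaryDirectory() as workdir:
        return attack_report(run_pbas(ACTIONS, workdir))


if __name__ == "__main__":
    print(simulate())
```

The point of the `run_pbas` wrapper is the same one several of the bug fixes below address: a single action that is unsupported on the current OS (for example setuid/setgid on Windows) should report FAILED for its techniques rather than crash the post-breach phase for every other action.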

Improved Reporting

The Monkey provides the user with a detailed visualisation of the utilized actions/techniques and their recommended mitigations in the ATT&CK report on the Monkey Island. The ATT&CK report's messages are also more explanatory now, so the report can help one understand behaviour such as why an attacker would scan a network but leave out part of it.

  • ATT&CK report modifications (#717)

General Improvements

In addition, I worked on other general improvements to the tool, such as boosting the Monkey's performance by running post-breach actions in parallel with network scanning and reducing MongoDB queries, fixing several bugs, and making further feature improvements.

  • Performance improvements

    • Run post-breach phase in a separate thread (#758)
    • Telemetry modifications for "modify shell startup files" PBA (#731)
  • Bug fixes

    • Fix rendering bug in security report generation due to PBA section (#762)
    • Link ATT&CK techniques of the same PBA in the config (#761)
    • Windows' "modify shell startup files" PBA fix (#757)
    • Preserves ATT&CK config order on clicking 'Reset to defaults' (#753)
    • Make setuid/setgid and trap PBAs not crash on windows (#732)
    • Remove None values from the list of networks to scan (#550)
  • Miscellaneous (feature improvements, documentation updates, refactoring)

    • Update MITRE images in documentation (#783)
    • ATT&CK report message modifications (#717)
    • Use mongo search for T1136's report data (#693)
    • Autoscroll to the last line in the telemetry console (#565)

New Exploit

As my last task for GSoC, I have started working on adding CVE-2020-1938 (Ghostcat) as an exploit. This exploit, although mainly a file inclusion vulnerability, may also allow RCE (remote code execution) in some cases. This is definitely a huge upgrade in difficulty for me, but that's what makes it all the more exciting! ;)

Final Notes

Since my very first interaction, the development team of Infection Monkey has been SUPER encouraging! The last few months have been an amazing experience for me, and I am extremely appreciative of all that I have learnt.

The whole experience has tremendously helped me grow as a developer in its entirety, and I can say with confidence that this has definitely been the most fruitful summer of my life!

For a more detailed version of my work as part of GSoC, check out my blog post on The Honeynet Project's website.

And oh! Don't forget to check out the release notes for the latest version of Infection Monkey (containing many of the above additions) right here!!! :)
