Organization: The Honeynet Project
Project site: Infection Monkey
Infection Monkey is an open-source security tool for testing a data center's resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self-propagate across on-premises and cloud-based data centers, finds their weaknesses, and reports the results to a centralized command and control server, the Monkey Island.
In simpler words, Infection Monkey allows you to simulate breach and attack scenarios in your environment to help you assess the damage that you may endure in a real attack and verify that your security solutions work as expected.
The initial aim of the project was to implement 11 new MITRE ATT&CK techniques in the Monkey to improve its detection capabilities, but over the span of three months I ended up working on many other things in addition to this. :D
Below is a summary of my contributions to Infection Monkey along with the links to the corresponding pull requests.
I enhanced the detection capabilities of the Monkey by improving its MITRE ATT&CK coverage. This includes the addition of several new post-breach actions (PBAs), which are mapped to the MITRE ATT&CK knowledge base in the Monkey.
I added twelve new techniques (listed by the ATT&CK technique IDs current at the time; several of these have since been folded into sub-techniques in later ATT&CK versions):
- T1136 — "Create Account" attack technique (#582)
- T1158 — "Hidden Files and Directories" attack technique (#674)
- T1156 — ".bash_profile and .bashrc" attack technique (#687)
- T1504 — "PowerShell Profile" attack technique (#687)
- T1168 — "Local Job Scheduling" attack technique (#694)
- T1053 — "Scheduled Task" attack technique (#694)
- T1154 — "Trap" attack technique (#698)
- T1166 — "setuid and setgid" attack technique (#713)
- T1216 — "Signed Script Proxy Execution" technique (#776)
- T1087 — "Account Discovery" technique (#793)
- T1099 — "Timestomping" attack technique (#796)
- T1146 — "Clear Command History" attack technique (#799)
The Monkey provides the user with a detailed visualisation of the actions/techniques it used and their recommended mitigations in the ATT&CK report on the Monkey Island. This ATT&CK report is now also more explanatory: the enhanced reporting can help one better understand and answer questions such as why an attacker would scan a network but leave out some part of it.
- ATT&CK report modifications (#717)
In addition, I worked on other general improvements to the tool, such as boosting the Monkey's performance by making post-breach actions run in parallel with network scanning and reducing MongoDB queries, fixing several bugs, and making further feature improvements.
- Performance improvements
- Bug fixes:
  - Fix rendering bug in security report generation due to PBA section (#762)
  - Link ATT&CK techniques of the same PBA in the config (#761)
  - Windows' "modify shell startup files" PBA fix (#757)
  - Preserve ATT&CK config order on clicking 'Reset to defaults' (#753)
  - Make setuid/setgid and trap PBAs not crash on Windows (#732)
  - Remove None values from the list of networks to scan (#550)
- Miscellaneous (feature improvements, documentation updates, refactoring)
As my last task for GSoC, I have started working on adding CVE-2020-1938 (Ghostcat) as an exploit. The underlying vulnerability is mainly a file inclusion issue, but it may also allow RCE (remote code execution) in some cases. This is definitely a huge upgrade in difficulty for me, but that's what makes it all the more exciting! ;)
Since my very first interaction, the development team of Infection Monkey has been SUPER encouraging! The last few months have been an amazing experience for me, and I am extremely appreciative of all that I have learnt.
The whole experience has tremendously helped me grow as a developer in its entirety, and I can say with confidence that this has definitely been the most fruitful summer of my life!
For a more detailed version of my work as part of GSoC, check out my blog post on The Honeynet Project's website.
And oh! Don't forget to check out the release notes for the latest version of Infection Monkey (containing many of the above additions) right here!!! :)