p15693087
/
monkey
forked from p15670423/monkey
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity

Merge pull request #1074 from guardicore/release/1.10.0 

Release Infection Monkey v1.10.0
This commit is contained in:
Mike Salvatore 2021-04-06 07:00:02 -04:00 committed by GitHub
parent ab01917812 6c034f2662
commit 2d7919c60c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
667 changed files with 14546 additions and 6750 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
.github/ISSUE_TEMPLATE/spike.md vendored Normal file
View File

@ -0,0 +1,24 @@
---
name: "⌛Spike"
about: Create a spike to investigate a cool idea.
title: ''
labels: Spike
assignees: ''
---
# Spike
<!--
A spike is a small chunk of work with the objective of gathering information.
Fill in the details below to set the parameters and expectations for the spike.
-->
## Objective
_A description of this spike's objective._
## Scope
_Add an explanation of how this spike is bounded (e.g. time-boxed or a checklist of tasks or questions that must be answered)._
## Output
_Add a description or list of expected outputs that result from successful completion of this spike. Some examples of outputs are more GitHb issues (e.g. bugs), a trade study, or a report detailing what was learned during the spike._

18
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@ -1,15 +1,21 @@
# What is this?
# What does this PR do?
Fixes #`put issue number here`.
Add any further explanations here.
## Checklist
## PR Checklist
* [ ] Have you added an explanation of what your changes do and why you'd like to include them?
* [ ] Have you successfully tested your changes locally?
* [ ] Is the TravisCI build passing?
* [ ] Was the documentation framework updated to reflect the changes?
## Proof that it works
If applicable, add screenshots or log transcripts of the feature working
## Testing Checklist
* [ ] Added relevant unit tests?
* [ ] Have you successfully tested your changes locally? Elaborate:
> Tested by {Running the Monkey locally with relevant config/running Island/...}
* [ ] If applicable, add screenshots or log transcripts of the feature working
## Explain Changes
## Changes
Are the commit messages enough? If not, elaborate.

2
.gitignore vendored
View File

@ -91,7 +91,7 @@ profiler_logs/
# vim swap files
*.swp
# Server config might contain credentials. Don't commit by default.
# Server config might contain credentials
/monkey/monkey_island/cc/server_config.json
# Virtualenv

3
.gitmodules vendored
View File

@ -1,7 +1,6 @@
[submodule "monkey/monkey_island/cc/services/attack/attack_data"]
path = monkey/monkey_island/cc/services/attack/attack_data
url = https://github.com/guardicore/cti
[submodule "docs/themes/learn"]
path = docs/themes/learn
url = https://github.com/ShayNehmad/hugo-theme-learn.git
url = https://github.com/guardicode/hugo-theme-learn.git

92
.swm/AzD8XysWg1BBXCjCDkfq.swm Normal file
View File

@ -0,0 +1,92 @@
{
"id": "AzD8XysWg1BBXCjCDkfq",
"name": "Add a new configuration setting to the Agent ⚙",
"dod": "Make the max victim number that Monkey will find before stopping configurable by the user instead of constant.",
"description": "# Make something configurable\n\nIn this unit, you will learn how to add a configuration option to Monkey and how to use it in the Monkey Agent code. \n\n![computer fire](https://media.giphy.com/media/7J4P7cUur2DlErijp3/giphy.gif \"computer fire\")\n\n## Why is this important?\n\nEnabling users to configure the Monkey's behaviour gives them a lot more freedom in how they want to use the Monkey and enables more use cases.\n\n## What is \"Max victims to find\"?\n\nThe Monkey has a function which finds \"victim\" machines on the network for the Monkey to try and exploit. It's called `get_victim_machines`. This function accepts an argument which limits how many machines the Monkey should find.\n\nWe want to make that value editable by the user instead of constant in the code.\n\n## Manual testing\n\n1. After you've performed the required changes, reload the Server and check your value exists in the Internal tab of the config (see image).\n\n![](https://i.imgur.com/e0XAxuV.png)\n\n2. Set the new value to 1, and run Monkey locally (from source). See that the Monkey only scans one machine.",
"summary": "* When changing config schema by adding or deleting keys, you need to update the Blackbox Test configurations as well [here](https://github.com/guardicore/monkey/tree/develop/envs/monkey_zoo/blackbox/island_configs).",
"hunksOrder": [
"monkey/infection_monkey/config.py_0",
"monkey/infection_monkey/monkey.py_0",
"monkey/monkey_island/cc/services/config_schema/internal.py_0"
],
"tests": [],
"hints": [
"Look for `victims_max_exploit` - it's rather similar."
],
"play_mode": "all",
"swimmPatch": {
"monkey/infection_monkey/config.py": {
"diffType": "MODIFIED",
"fileDiffHeader": "diff --git a/monkey/infection_monkey/config.py b/monkey/infection_monkey/config.py\nindex 1fbcb876..67ed19de 100644\n--- a/monkey/infection_monkey/config.py\n+++ b/monkey/infection_monkey/config.py",
"hunks": [
{
"swimmHunkMetadata": {
"hunkComments": []
},
"hunkDiffLines": [
"@@ -131,8 +131,6 @@",
" exploiter_classes = []\r",
" system_info_collector_classes = []\r",
" \r",
"- # how many victims to look for in a single scan iteration\r",
"- victims_max_find = 100\r",
" \r",
" # how many victims to exploit before stopping\r",
" victims_max_exploit = 100\r"
]
}
]
},
"monkey/infection_monkey/monkey.py": {
"diffType": "MODIFIED",
"fileDiffHeader": "diff --git a/monkey/infection_monkey/monkey.py b/monkey/infection_monkey/monkey.py\nindex 444bde45..ff23f671 100644\n--- a/monkey/infection_monkey/monkey.py\n+++ b/monkey/infection_monkey/monkey.py",
"hunks": [
{
"swimmHunkMetadata": {
"hunkComments": []
},
"hunkDiffLines": [
"@@ -159,8 +159,6 @@",
" if not self._keep_running or not WormConfiguration.alive:\r",
" break\r",
" \r",
"- machines = self._network.get_victim_machines(max_find=WormConfiguration.victims_max_find,\r",
"- stop_callback=ControlClient.check_for_stop)\r",
" is_empty = True\r",
" for machine in machines:\r",
" if ControlClient.check_for_stop():\r"
]
}
]
},
"monkey/monkey_island/cc/services/config_schema/internal.py": {
"diffType": "MODIFIED",
"fileDiffHeader": "diff --git a/monkey/monkey_island/cc/services/config_schema/internal.py b/monkey/monkey_island/cc/services/config_schema/internal.py\nindex bdbae246..d6042d35 100644\n--- a/monkey/monkey_island/cc/services/config_schema/internal.py\n+++ b/monkey/monkey_island/cc/services/config_schema/internal.py",
"hunks": [
{
"swimmHunkMetadata": {
"hunkComments": []
},
"hunkDiffLines": [
"@@ -40,12 +40,6 @@",
" \"title\": \"Monkey\",\r",
" \"type\": \"object\",\r",
" \"properties\": {\r",
"- \"victims_max_find\": {\r",
"- \"title\": \"Max victims to find\",\r",
"- \"type\": \"integer\",\r",
"- \"default\": 100,\r",
"- \"description\": \"Determines the maximum number of machines the monkey is allowed to scan\"\r",
"- },\r",
" \"victims_max_exploit\": {\r",
" \"title\": \"Max victims to exploit\",\r",
" \"type\": \"integer\",\r"
]
}
]
}
},
"app_version": "0.3.5-1",
"file_version": "1.0.4",
"last_commit_sha_for_swimm_patch": "17ee823b086f0b027612e2d1864930d2c5593c3e"
}

54
.swm/JFXftJml8DpmuCPBA9rL.swm Normal file
View File

@ -0,0 +1,54 @@
{
"id": "JFXftJml8DpmuCPBA9rL",
"name": "Add details about your new PBA",
"dod": "You should add your new PBA's details to the configuration.",
"description": "In order to make sure that the new `ScheduleJobs` PBA is shown in the configuration on the Monkey Island, you need to add its details to the configuration file(s). <br><br>\n\nSince this particular PBA is related to the MITRE techniques [T1168](https://attack.mitre.org/techniques/T1168) and [T1053](https://attack.mitre.org/techniques/T1053), make sure to link the PBA with these techniques in the configuration as well. <br><br>\n\nEach part of the configuration has an important role \n- *enum* — contains the relevant PBA's class name(s)\n- *title* — holds the name of the PBA which is displayed in the configuration on the Monkey Island\n- *info* — consists of an elaboration on the PBA's working which is displayed in the configuration on the Monkey Island\n- *attack_techniques* — has the IDs of the MITRE techniques associated with the PBA\n\n## Manual test \nOnce you think you're done...\n- Run the Monkey Island\n- You should be able to see your new PBA under the \"Monkey\" tab in the configuration, along with its information when you click on it\n- Further, when you enable/disable the associated MITRE techniques under the ATT&CK tab in the configuration, the PBA should also be enabled/disabled\n\n<img src=\"https://i.imgur.com/a5VSkL5.gif\" height=400>",
"summary": "- The PBA details in this file are reflected on the Monkey Island in the PBA configuration.\n- PBAs are also linked to the relevant MITRE techniques in this file, whose results can then be seen in the MITRE ATT&CK report on the Monkey Island.",
"hunksOrder": [
"monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py_0"
],
"tests": [],
"hints": [
"Have a look at the details of the other techniques."
],
"play_mode": "all",
"swimmPatch": {
"monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": {
"diffType": "MODIFIED",
"fileDiffHeader": "diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py\nindex f1fe0f6f..b231f96c 100644\n--- a/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py\n+++ b/monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py",
"hunks": [
{
"swimmHunkMetadata": {
"hunkComments": []
},
"hunkDiffLines": [
"@@ -68,16 +68,7 @@",
" \"Removes the file afterwards.\",",
" \"attack_techniques\": [\"T1166\"]",
" },",
"- {",
"+ # Swimmer: ADD DETAILS HERE!",
"- \"type\": \"string\",",
"- \"enum\": [",
"- \"ScheduleJobs\"",
"- ],",
"- \"title\": \"Job scheduling\",",
"- \"safe\": True,",
"- \"info\": \"Attempts to create a scheduled job on the system and remove it.\",",
"- \"attack_techniques\": [\"T1168\", \"T1053\"]",
"- },",
" {",
" \"type\": \"string\",",
" \"enum\": ["
]
}
]
}
},
"app_version": "0.3.5-1",
"file_version": "1.0.4",
"hunksOrder": [
"monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py_0"
],
"last_commit_sha_for_swimm_patch": "9d9e8168fb2c23367b9947273aa1a041687b3e2e"
}

200
.swm/OwcKMnALpn7tuBaJY1US.swm Normal file
View File

@ -0,0 +1,200 @@
{
"id": "OwcKMnALpn7tuBaJY1US",
"name": "Add a new System Info Collector",
"task": {
"dod": "Add a system info collector that collects the machine hostname.",
"tests": [],
"hints": [
"First thing you should do is take a look at a different collector (like EnvironmentCollector) and 100% understand how it runs, how results are relayed back to the server, and how the server processes the data.",
"Try to run \"socket.getfqdn()\".",
"Take a look at SystemInfoCollector - that's the base class you'll need to implement.",
"Make sure you add the new collector to the configuration in all relevant places, including making it ON by default!"
]
},
"content": [
{
"type": "text",
"text": "# What are system info collectors?\n\nWell, the name pretty much explains it. They are Monkey classes which collect various information regarding the victim system, such as Environment, SSH Info, Process List, Netstat and more. \n\n## What should I add? \n\nA system info collector which collects the hostname of the system.\n\n## Test manually\n\nOnce you're done, make sure that your collector:\n* Appears in the Island configuration, and is enabled by default\n* The collector actually runs when executing a Monkey.\n* Results show up in the relevant places:\n * The infection map.\n * The security report.\n * The relevant MITRE techniques.\n\n**There are a lot of hints for this unit - don't be afraid to use them!**"
},
{
"type": "snippet",
"path": "monkey/common/common_consts/system_info_collectors_names.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
" AWS_COLLECTOR = \"AwsCollector\"",
"*HOSTNAME_COLLECTOR = \"HostnameCollector\"",
"+# SWIMMER: Collector name goes here.",
" ENVIRONMENT_COLLECTOR = \"EnvironmentCollector\"",
" PROCESS_LIST_COLLECTOR = \"ProcessListCollector\"",
" MIMIKATZ_COLLECTOR = \"MimikatzCollector\""
]
},
{
"type": "snippet",
"path": "monkey/infection_monkey/system_info/collectors/hostname_collector.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
" import logging",
"*import socket",
"*",
"*from common.common_consts.system_info_collectors_names import HOSTNAME_COLLECTOR",
"*from infection_monkey.system_info.system_info_collector import SystemInfoCollector",
" ",
" logger = logging.getLogger(__name__)",
" ",
"*",
"+# SWIMMER: The collector class goes here.",
"*class HostnameCollector(SystemInfoCollector):",
"* def __init__(self):",
"* super().__init__(name=HOSTNAME_COLLECTOR)",
"*",
"* def collect(self) -> dict:",
"* return {\"hostname\": socket.getfqdn()}"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
" from common.common_consts.system_info_collectors_names import (AWS_COLLECTOR, AZURE_CRED_COLLECTOR,\r",
"* ENVIRONMENT_COLLECTOR, HOSTNAME_COLLECTOR,\r",
" MIMIKATZ_COLLECTOR, PROCESS_LIST_COLLECTOR)\r",
" \r",
" SYSTEM_INFO_COLLECTOR_CLASSES = {\r"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/config_schema/definitions/system_info_collector_classes.py",
"comments": [],
"firstLineNumber": 37,
"lines": [
" \"info\": \"If on AWS, collects more information about the AWS instance currently running on.\",",
" \"attack_techniques\": [\"T1082\"]",
" },",
"* {",
"+ # SWIMMER: Collector config goes here. Tip: Hostname collection relates to the T1082 and T1016 techniques.",
"* \"type\": \"string\",",
"* \"enum\": [",
"* HOSTNAME_COLLECTOR",
"* ],",
"* \"title\": \"Hostname collector\",",
"* \"safe\": True,",
"* \"info\": \"Collects machine's hostname.\",",
"* \"attack_techniques\": [\"T1082\", \"T1016\"]",
"* },",
" {",
" \"type\": \"string\",",
" \"enum\": ["
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/config_schema/monkey.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
" from common.common_consts.system_info_collectors_names import (AWS_COLLECTOR, AZURE_CRED_COLLECTOR,",
" ENVIRONMENT_COLLECTOR, HOSTNAME_COLLECTOR,",
" MIMIKATZ_COLLECTOR, PROCESS_LIST_COLLECTOR)",
"* HOSTNAME_COLLECTOR,",
" MONKEY = {",
" \"title\": \"Monkey\",",
" \"type\": \"object\","
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/config_schema/monkey.py",
"comments": [],
"firstLineNumber": 85,
"lines": [
" \"default\": [",
" ENVIRONMENT_COLLECTOR,",
" AWS_COLLECTOR,",
"* HOSTNAME_COLLECTOR,",
" PROCESS_LIST_COLLECTOR,",
" MIMIKATZ_COLLECTOR,",
" AZURE_CRED_COLLECTOR"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/telemetry/processing/system_info_collectors/hostname.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
" import logging",
" ",
"*from monkey_island.cc.models.monkey import Monkey",
"+# SWIMMER: This will be useful :) monkey_island.cc.models.monkey.Monkey has the useful",
"+# \"get_single_monkey_by_guid\" and \"set_hostname\" methods.",
" ",
" logger = logging.getLogger(__name__)",
" ",
" ",
"*def process_hostname_telemetry(collector_results, monkey_guid):",
"+# SWIMMER: Processing function goes here.",
"* Monkey.get_single_monkey_by_guid(monkey_guid).set_hostname(collector_results[\"hostname\"])"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/telemetry/processing/system_info_collectors/system_info_telemetry_dispatcher.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
" import logging\r",
" import typing\r",
" \r",
"*from common.common_consts.system_info_collectors_names import (AWS_COLLECTOR, ENVIRONMENT_COLLECTOR, HOSTNAME_COLLECTOR,\r",
" PROCESS_LIST_COLLECTOR)\r",
" from monkey_island.cc.services.telemetry.processing.system_info_collectors.aws import process_aws_telemetry\r",
" from monkey_island.cc.services.telemetry.processing.system_info_collectors.environment import \\\r"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/telemetry/processing/system_info_collectors/system_info_telemetry_dispatcher.py",
"comments": [],
"firstLineNumber": 14,
"lines": [
" SYSTEM_INFO_COLLECTOR_TO_TELEMETRY_PROCESSORS = {",
" AWS_COLLECTOR: [process_aws_telemetry],",
" ENVIRONMENT_COLLECTOR: [process_environment_telemetry],",
"* HOSTNAME_COLLECTOR: [process_hostname_telemetry],",
" PROCESS_LIST_COLLECTOR: [check_antivirus_existence]",
" }",
" "
]
},
{
"type": "snippet",
"lines": [
" from monkey_island.cc.services.telemetry.processing.system_info_collectors.aws import process_aws_telemetry\r",
" from monkey_island.cc.services.telemetry.processing.system_info_collectors.environment import \\\r",
" process_environment_telemetry\r",
"*from monkey_island.cc.services.telemetry.processing.system_info_collectors.hostname import process_hostname_telemetry\r",
" from monkey_island.cc.services.telemetry.zero_trust_checks.antivirus_existence import check_antivirus_existence\r",
" \r",
" logger = logging.getLogger(__name__)\r"
],
"firstLineNumber": 6,
"path": "monkey/monkey_island/cc/services/telemetry/processing/system_info_collectors/system_info_telemetry_dispatcher.py",
"comments": []
},
{
"type": "text",
"text": "System info collectors are useful to get more data for various things, such as ZT tests or MITRE techniques. Take a look at some other techniques!"
}
],
"file_version": "2.0.0",
"meta": {
"app_version": "0.3.7-0",
"file_blobs": {}
}
}

51
.swm/VW4rf3AxRslfT7lwaug7.swm Normal file
View File

@ -0,0 +1,51 @@
{
"id": "VW4rf3AxRslfT7lwaug7",
"name": "Implement a new PBA — `ScheduleJobs`",
"dod": "You should implement a new PBA in Monkey which schedules jobs on the machine.",
"description": "You need to implement the `ScheduleJobs` PBA which creates scheduled jobs on the machine. <br><br>\n<img src=\"https://media.giphy.com/media/l0K4mVE5b5WZ1sctW/giphy.gif\" height=175><br><br>\nThe commands that add scheduled jobs for Windows and Linux can be retrieved from `get_commands_to_schedule_jobs` — make sure you understand how to use this function correctly.\n\n## Manual test \nOnce you think you're done...\n- Run the Monkey Island\n- Make sure the \"Job scheduling\" PBA is enabled in the \"Monkey\" tab in the configuration — for this test, disable network scanning, exploiting, and all other PBAs\n- Run the Monkey\n- Make sure you see the PBA with its results in the Security report as well as in the ATT&CK report under the relevant MITRE technique\n\n<img src=\"https://firebasestorage.googleapis.com/v0/b/swimmio-content/o/repositories%2F6Nlb99NtY5Fc3bSd8suH%2Fimg%2Ff0e53e6c-9dbe-41d8-9454-2b5761c3f53a.png?alt=media&token=21aa4bb8-7ebe-4dab-a739-c77e059144dd\" height=400>\n<br><br>\n<img src=\"https://firebasestorage.googleapis.com/v0/b/swimmio-content/o/repositories%2F6Nlb99NtY5Fc3bSd8suH%2Fimg%2F528389a0-35c8-4380-b6e2-353068ed01e4.png?alt=media&token=08767f55-86e2-4f51-8ecf-13fd6cc25ad5\" height=400>",
"summary": "Many other PBAs are as simple as this one, using shell commands or scripts — see `Timestomping` and `AccountDiscovery`. <br><br>\n\nHowever, for less straightforward ones, you can override functions and implement new classes depending on what is required — see `SignedScriptProxyExecution` and `ModifyShellStartupFiles`.<br><br>\n\nThis PBA, along with all the other PBAs, will run on a system after it has been breached. The purpose of this code is to test whether target systems allow attackers to schedule jobs, which they could use to run malicious code at some specified date and time.",
"hunksOrder": [
"monkey/infection_monkey/post_breach/actions/schedule_jobs.py_0"
],
"tests": [],
"hints": [
"Check out the `Timestomping` PBA to get an idea about the implementation.",
"Don't forget to add code to remove the scheduled jobs!"
],
"play_mode": "all",
"swimmPatch": {
"monkey/infection_monkey/post_breach/actions/schedule_jobs.py": {
"diffType": "MODIFIED",
"fileDiffHeader": "diff --git a/monkey/infection_monkey/post_breach/actions/schedule_jobs.py b/monkey/infection_monkey/post_breach/actions/schedule_jobs.py\nindex f7d8d805..06839463 100644\n--- a/monkey/infection_monkey/post_breach/actions/schedule_jobs.py\n+++ b/monkey/infection_monkey/post_breach/actions/schedule_jobs.py",
"hunks": [
{
"swimmHunkMetadata": {
"hunkComments": []
},
"hunkDiffLines": [
"@@ -10,11 +10,5 @@",
" \"\"\"",
" ",
" def __init__(self):",
"- linux_cmds, windows_cmds = get_commands_to_schedule_jobs()",
"+ pass",
"-",
"+ # Swimmer: IMPLEMENT HERE!",
"- super(ScheduleJobs, self).__init__(name=POST_BREACH_JOB_SCHEDULING,",
"- linux_cmd=' '.join(linux_cmds),",
"- windows_cmd=windows_cmds)",
"- ",
"- def run(self):",
"- super(ScheduleJobs, self).run()"
]
}
]
}
},
"app_version": "0.3.5-1",
"file_version": "1.0.4",
"hunksOrder": [
"monkey/infection_monkey/post_breach/actions/schedule_jobs.py_0"
],
"last_commit_sha_for_swimm_patch": "44fd1ab69cfbab33cec638dcbbaa8831992a9a9f"
}

7
.swm/swimm.json Normal file
View File

@ -0,0 +1,7 @@
{
"repo_id": "6Nlb99NtY5Fc3bSd8suH",
"configuration": {
"cr_prompt_push_solution": true,
"store_solution_upon_done": true
}
}

121
.swm/tbxb2cGgUiJQ8Btma0fp.swm Normal file
View File

@ -0,0 +1,121 @@
{
"id": "tbxb2cGgUiJQ8Btma0fp",
"name": "Add a simple Post Breach action",
"task": {
"dod": "You should add a new PBA to the Monkey which creates a new user on the machine.",
"tests": [],
"hints": [
"See `ScheduleJobs` PBA for an example of a PBA which only uses shell commands.",
"Make sure to add the PBA to the configuration as well.",
"MITRE ATT&CK technique T1136 articulates that adversaries may create an account to maintain access to victim systems, therefore, the BackdoorUser PBA is relevant to it. Make sure to map this PBA to the MITRE ATT&CK configuration and report."
]
},
"content": [
{
"type": "text",
"text": "Read [our documentation about adding a new PBA](https://www.guardicore.com/infectionmonkey/docs/development/adding-post-breach-actions/).\n\nAfter that we want you to add the BackdoorUser PBA. The commands that add users for Win and Linux can be retrieved from `get_commands_to_add_user` - make sure you see how to use this function correctly. \n\nNote that the PBA should impact the T1136 MITRE technique as well! \n\n# Manual test to confirm\n\n1. Run the Monkey Island\n2. Make sure your new PBA is enabled by default in the config - for this test, disable network scanning, exploiting, and all other PBAs\n3. Run Monkey\n4. See the PBA in the security report\n5, See the PBA in the MITRE report in the relevant technique\n"
},
{
"type": "snippet",
"path": "monkey/common/common_consts/post_breach_consts.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
" POST_BREACH_COMMUNICATE_AS_NEW_USER = \"Communicate as new user\"",
"*POST_BREACH_BACKDOOR_USER = \"Backdoor user\"",
"+# Swimmer: PUT THE NEW CONST HERE!",
" POST_BREACH_FILE_EXECUTION = \"File execution\"",
" POST_BREACH_SHELL_STARTUP_FILE_MODIFICATION = \"Modify shell startup file\"",
" POST_BREACH_HIDDEN_FILES = \"Hide files and directories\""
]
},
{
"type": "snippet",
"path": "monkey/infection_monkey/post_breach/actions/add_user.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
"*from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER",
"*from infection_monkey.config import WormConfiguration",
" from infection_monkey.post_breach.pba import PBA",
" from infection_monkey.utils.users import get_commands_to_add_user",
" ",
" ",
" class BackdoorUser(PBA):",
" def __init__(self):",
"* linux_cmds, windows_cmds = get_commands_to_add_user(",
"+ pass # Swimmer: Impl here!",
"* WormConfiguration.user_to_add,",
"* WormConfiguration.remote_user_pass)",
"* super(BackdoorUser, self).__init__(",
"* POST_BREACH_BACKDOOR_USER,",
"* linux_cmd=' '.join(linux_cmds),",
"* windows_cmd=windows_cmds)"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py",
"comments": [],
"firstLineNumber": 1,
"lines": [
"*from common.common_consts.post_breach_consts import POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER\r",
" from monkey_island.cc.services.attack.technique_reports.pba_technique import PostBreachTechnique\r",
" \r",
" __author__ = \"shreyamalviya\"\r"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/attack/technique_reports/T1136.py",
"comments": [],
"firstLineNumber": 9,
"lines": [
" unscanned_msg = \"Monkey didn't try creating a new user on the network's systems.\"",
" scanned_msg = \"Monkey tried creating a new user on the network's systems, but failed.\"",
" used_msg = \"Monkey created a new user on the network's systems.\"",
"* pba_names = [POST_BREACH_BACKDOOR_USER, POST_BREACH_COMMUNICATE_AS_NEW_USER]",
"+ pba_names = [POST_BREACH_COMMUNICATE_AS_NEW_USER]"
]
},
{
"type": "snippet",
"path": "monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py",
"comments": [],
"firstLineNumber": 4,
"lines": [
" \"might do after breaching a new machine. Used in ATT&CK and Zero trust reports.\",",
" \"type\": \"string\",",
" \"anyOf\": [",
"* {",
"+ # Swimmer: Add new PBA here to config!",
"* \"type\": \"string\",",
"* \"enum\": [",
"* \"BackdoorUser\"",
"* ],",
"* \"title\": \"Back door user\",",
"* \"safe\": True,",
"* \"info\": \"Attempts to create a new user on the system and delete it afterwards.\",",
"* \"attack_techniques\": [\"T1136\"]",
"* },",
" {",
" \"type\": \"string\",",
" \"enum\": ["
]
},
{
"type": "text",
"text": "Take a look at the configuration of the island again - see the \"command to run after breach\" option we offer the user? It's implemented exactly like you did right now but each user can do it for themselves. \n\nHowever, what if the PBA needs to do stuff which is more complex than just running a few commands? In that case... "
}
],
"file_version": "2.0.0",
"meta": {
"app_version": "0.3.7-0",
"file_blobs": {
"monkey/common/common_consts/post_breach_consts.py": "25e6679cb1623aae1a732deb05cc011a452743e3",
"monkey/infection_monkey/post_breach/actions/add_user.py": "a85845840d9cb37529ad367e159cd9001929e759",
"monkey/monkey_island/cc/services/attack/technique_reports/T1136.py": "d9d86e08ea4aeb0a6bee3f483e4fea50ee6cd200",
"monkey/monkey_island/cc/services/config_schema/definitions/post_breach_actions.py": "857e80da477ab31dbc00ed0a3f1cd49b69b505fa"
}
}
}

44
.swm/xYkxB76pK0peJj2tSxBJ.swm Normal file
View File

@ -0,0 +1,44 @@
{
"id": "xYkxB76pK0peJj2tSxBJ",
"name": "Define what your new PBA does",
"task": {
"dod": "You should add a new PBA const that defines what the PBA does.",
"tests": [],
"hints": [
"See the `Timestomping` PBA. How is the name of the PBA set?"
]
},
"content": [
{
"type": "text",
"text": "The name of your new PBA (which creates scheduled jobs on the machine) will be used in a few places, including the report. <br><br>\nYou should briefly define what your PBA does in a constant variable, such that it can be used by both the Monkey and the Monkey Island.\n\n## Manual test \nOnce you think you're done...\n- Run the Monkey Island\n- Make sure the \"Job scheduling\" PBA is enabled in the \"Monkey\" tab in the configuration — for this test, disable network scanning, exploiting, and all other PBAs\n- Run the Monkey\n- Check the PBA section in the Security report for the name you gave to the new PBA \n\n<img src=\"https://firebasestorage.googleapis.com/v0/b/swimmio-content/o/repositories%2F6Nlb99NtY5Fc3bSd8suH%2Fimg%2Ff0e53e6c-9dbe-41d8-9454-2b5761c3f53a.png?alt=media&token=21aa4bb8-7ebe-4dab-a739-c77e059144dd\" height=400>"
},
{
"firstLineNumber": 5,
"path": "monkey/common/common_consts/post_breach_consts.py",
"type": "snippet",
"lines": [
" POST_BREACH_HIDDEN_FILES = \"Hide files and directories\"",
" POST_BREACH_TRAP_COMMAND = \"Execute command when a particular signal is received\"",
" POST_BREACH_SETUID_SETGID = \"Setuid and Setgid\"",
"*POST_BREACH_JOB_SCHEDULING = \"Schedule jobs\"",
"+# Swimmer: PUT THE NEW CONST HERE!",
" POST_BREACH_TIMESTOMPING = \"Modify files' timestamps\"",
" POST_BREACH_SIGNED_SCRIPT_PROXY_EXEC = \"Signed script proxy execution\"",
" POST_BREACH_ACCOUNT_DISCOVERY = \"Account discovery\""
],
"comments": []
},
{
"type": "text",
"text": "- The name defined here for your PBA can be seen on the Monkey Island in the PBA section in the Security report.\n- The results of each PBA stored in the telemetry are also identified by the string defined here for that PBA."
}
],
"file_version": "2.0.0",
"meta": {
"app_version": "0.3.7-0",
"file_blobs": {
"monkey/common/common_consts/post_breach_consts.py": "25e6679cb1623aae1a732deb05cc011a452743e3"
}
}
}

33
.travis.yml
View File

@ -16,11 +16,15 @@ python:
os: linux
before_install:
# Init server_config.json to default
- cp monkey/monkey_island/cc/server_config.json.default monkey/monkey_island/cc/server_config.json
install:
# Python
- pip freeze
- pip install -r monkey/monkey_island/requirements.txt # for unit tests
- pip install flake8 pytest dlint isort # for next stages
- pip install flake8 pytest pytest-cov dlint isort # for next stages
- pip install coverage # for code coverage
- pip install -r monkey/infection_monkey/requirements.txt # for unit tests
- pip install pipdeptree
@ -48,42 +52,33 @@ install:
# print hugo version (useful for debugging documentation build errors)
- hugo version
before_script:
# Set the server config to `testing`. This is required for for the UTs to pass.
- python monkey/monkey_island/cc/set_server_config.py testing
script:
# Check Python code
## Check syntax errors and fail the build if any are found.
- flake8 . --count --select=E901,E999,F821,F822,F823 --show-source --statistics
- flake8 ./monkey --config=./ci_scripts/flake8_syntax_check.ini
## Warn about linter issues.
### --exit-zero forces Flake8 to use the exit status code 0 even if there are errors, which means this will NOT fail the build.
### --count will print the total number of errors.
### --statistics Count the number of occurrences of each error/warning code and print a report.
### The output is redirected to a file.
- flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics > flake8_warnings.txt
- flake8 ./monkey --exit-zero --config=./ci_scripts/flake8_linter_check.ini > ./ci_scripts/flake8_warnings.txt
## Display the linter issues
- cat flake8_warnings.txt
- cat ./ci_scripts/flake8_warnings.txt
## Make sure that we haven't increased the amount of warnings.
- PYTHON_WARNINGS_AMOUNT_UPPER_LIMIT=120
- if [ $(tail -n 1 flake8_warnings.txt) -gt $PYTHON_WARNINGS_AMOUNT_UPPER_LIMIT ]; then echo "Too many python linter warnings! Failing this build. Lower the amount of linter errors in this and try again. " && exit 1; fi
- PYTHON_WARNINGS_AMOUNT_UPPER_LIMIT=80
- if [ $(tail -n 1 ./ci_scripts/flake8_warnings.txt) -gt $PYTHON_WARNINGS_AMOUNT_UPPER_LIMIT ]; then echo "Too many python linter warnings! Failing this build. Lower the amount of linter errors in this and try again. " && exit 1; fi
## Check import order
- python -m isort . -c -p common -p infection_monkey -p monkey_island
- python -m isort ./monkey --settings-file ./ci_scripts/isort.cfg
## Run unit tests
## Run unit tests and generate coverage data
- cd monkey # This is our source dir
- python -m pytest # Have to use `python -m pytest` instead of `pytest` to add "{$builddir}/monkey/monkey" to sys.path.
## Calculate Code Coverage
- coverage run -m pytest
- python -m pytest --cov=. # Have to use `python -m pytest` instead of `pytest` to add "{$builddir}/monkey/monkey" to sys.path.
# Check JS code. The npm install must happen AFTER the flake8 because the node_modules folder will cause a lot of errors.
- cd monkey_island/cc/ui
- npm ci # See https://docs.npmjs.com/cli/ci.html
- eslint ./src --quiet # Test for errors
- JS_WARNINGS_AMOUNT_UPPER_LIMIT=28
- JS_WARNINGS_AMOUNT_UPPER_LIMIT=7
- eslint ./src --max-warnings $JS_WARNINGS_AMOUNT_UPPER_LIMIT # Test for max warnings
# Build documentation

2
CONTRIBUTING.md
View File

@ -8,7 +8,7 @@ Please try to be as specific as you can about your problem; try to include steps
to reproduce. While we'll try to help anyway, focusing us will help us help you faster.
If you want to contribute new code or fix bugs, please read the following sections. You can also contact us (the
maintainers of this project) at our [Slack channel](https://join.slack.com/t/infectionmonkey/shared_invite/enQtNDU5MjAxMjg1MjU1LTM2ZTg0ZDlmNWNlZjQ5NDI5NTM1NWJlYTRlMGIwY2VmZGMxZDlhMTE2OTYwYmZhZjM1MGZhZjA2ZjI4MzA1NDk).
maintainers of this project) at our [Slack channel](https://infectionmonkey.slack.com/join/shared_invite/enQtNDU5MjAxMjg1MjU1LWM0NjVmNWE2ZTMzYzAxOWJiYmMxMzU0NWU3NmUxYjcyNjk0YWY2MDkwODk4NGMyNDU4NzA4MDljOWNmZWViNDU).
## Submitting Issues
* **Do** write a detailed description of your bug and use a descriptive title.

3
LICENSE
View File

@ -5,6 +5,9 @@
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
This product includes software developed by SecureAuth Corporation
(https://www.secureauth.com/).
Preamble
The GNU General Public License is a free, copyleft license for

2
ci_scripts/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
./validation-env
./flake8_warnings.txt

8
ci_scripts/README.md Normal file
View File

@ -0,0 +1,8 @@
# About
Run this script to validate your code locally and auto fix/format the problems before pushing.
# Usage
You've got to manually download swimm for swimm validation.
run from `infection_monkey` directory: `powershell .\ci_scripts\validate.ps1`

15
ci_scripts/flake8_linter_check.ini Normal file
View File

@ -0,0 +1,15 @@
[flake8]
## Warn about linter issues.
exclude = ../monkey/monkey_island/cc/ui,
../monkey/common/cloud
show-source = True
max-complexity = 10
max-line-length = 127
### --statistics Count the number of occurrences of each error/warning code and print a report.
statistics = True
### --count will print the total number of errors.
count = True

15
ci_scripts/flake8_syntax_check.ini Normal file
View File

@ -0,0 +1,15 @@
[flake8]
## Check syntax errors and fail the build if any are found.
exclude =
../monkey/monkey_island/cc/ui,
../monkey/common/cloud
select =
E901,
E999,
F821,
F822,
F823
count = True
show-source = True
statistics = True

5
ci_scripts/install_requirements.ps1 Normal file
View File

@ -0,0 +1,5 @@
python -m venv validation-env
.\validation-env\Scripts\activate.ps1
python -m pip install -r .\requirements.txt
npm i -g eslint
deactivate

6
ci_scripts/isort.cfg Normal file
View File

@ -0,0 +1,6 @@
[isort]
# Possible options: https://pycqa.github.io/isort/docs/configuration/options/
known_first_party=common,infection_monkey,monkey_island
skip=monkey/common/cloud/scoutsuite,monkey/monkey_island/cc/services/zero_trust/scoutsuite/data_parsing/rule_path_building/rule_path_creators_list.py,monkey/monkey_island/cc/ui,monkey/common/cloud/scoutsuite

6
ci_scripts/requirements.txt Normal file
View File

@ -0,0 +1,6 @@
flake8
pytest
dlint
isort
coverage
black

39
ci_scripts/validate.ps1 Normal file
View File

@ -0,0 +1,39 @@
.\ci_scripts\validation-env\Scripts\activate.ps1
$ErrorActionPreference = "Stop"
python -m pip install -r monkey/monkey_island/requirements.txt
python -m pip install -r monkey/infection_monkey/requirements.txt
flake8 ./monkey --config ./ci_scripts/flake8_syntax_check.cfg
flake8 ./monkey --exit-zero --config ./ci_scripts/flake8_linter_check.cfg | Out-File -FilePath .\ci_scripts\flake8_warnings.txt
Get-Content -Path .\ci_scripts\flake8_warnings.txt
$PYTHON_WARNINGS_AMOUNT_UPPER_LIMIT = 80
if ((Get-Item -Path .\ci_scripts\flake8_warnings.txt | Get-Content -Tail 1) -gt $PYTHON_WARNINGS_AMOUNT_UPPER_LIMIT){
"Too many python linter warnings! Failing this build. Lower the amount of linter errors in this and try again. "
exit
}
python -m isort ./monkey -c --settings-file ./ci_scripts/isort.cfg
if (!$?) {
$confirmation = Read-Host "Isort found errors. Do you want to attmpt to fix them automatically? (y/n)"
if ($confirmation -eq 'y') {
python -m isort ./monkey --settings-file ./ci_scripts/isort.cfg
}
}
Push-Location -Path ./monkey
python ./monkey_island/cc/environment/set_server_config.py testing
python -m pytest
$lastCommandSucceeded = $?
python ./monkey_island/cc/environment/set_server_config.py restore
Pop-Location
if (!$lastCommandSucceeded) {
exit
}
Push-Location -Path .\monkey\monkey_island\cc\ui
eslint ./src -c ./.eslintrc
Pop-Location
swimm verify
Write-Host "Script finished. Press any key to continue"
$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
deactivate

2
codecov.yml Normal file
View File

@ -0,0 +1,2 @@
fixes:
- "::monkey/"

10
deployment_scripts/README.md
View File

@ -39,6 +39,7 @@ Your user must have root permissions; however, don't run the script as root!
```sh
wget https://raw.githubusercontent.com/guardicore/monkey/develop/deployment_scripts/deploy_linux.sh
chmod u+x ./deploy_linux.sh
```
This will download our deploy script. It's a good idea to read it quickly before executing it!
@ -53,3 +54,12 @@ After downloading that script, execute it in a shell. The first argument should
- `./deploy_linux.sh "/home/user/new" "master"` (if directory "new" is not found creates it and clones master branch into it)
You may also pass in an optional third `false` parameter to disable downloading the latest agent binaries.
### Run on Linux
After the `deploy_linux.sh` script completes, you can start the monkey island.
```sh
cd infection_monkey/monkey
./monkey_island/linux/run.sh
```

59
deployment_scripts/config
View File

@ -4,41 +4,42 @@ export MONKEY_FOLDER_NAME="infection_monkey"
# Url of public git repository that contains monkey's source code
export MONKEY_GIT_URL="https://github.com/guardicore/monkey"
get_latest_release() {
curl --silent "https://api.github.com/repos/$1/releases/latest" | # Get latest release from GitHub API
grep '"tag_name":' | # Get tag line
sed -E 's/.*"([^"]+)".*/\1/' # Pluck JSON value
exists() {
command -v "$1" >/dev/null 2>&1
}
MONKEY_LATEST_RELEASE=$(get_latest_release "monkey/guardicore")
get_latest_release() {
RELEASE_URL="https://api.github.com/repos/$1/releases/latest"
if exists wget; then
RELEASE_INFO=$(wget --quiet -O - "$RELEASE_URL") # Get latest release from GitHub API
else
RELEASE_INFO=$(curl --silent "$RELEASE_URL") # Get latest release from GitHub API
fi
echo "$RELEASE_INFO" |
grep '"tag_name":' | # Get tag line
sed -E 's/.*"([^"]+)".*/\1/' # Pluck JSON value
}
MONKEY_LATEST_RELEASE=$(get_latest_release "guardicore/monkey")
# Monkey binaries
LINUX_32_BINARY_NAME="monkey-linux-32"
LINUX_32_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$($MONKEY_LATEST_RELEASE)/monkey-linux-32"
export LINUX_32_BINARY_URL
export LINUX_32_BINARY_NAME
export LINUX_32_BINARY_NAME="monkey-linux-32"
export LINUX_32_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/monkey-linux-32"
LINUX_64_BINARY_NAME="monkey-linux-64"
LINUX_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$($MONKEY_LATEST_RELEASE)/monkey-linux-64"
export LINUX_64_BINARY_URL
export LINUX_64_BINARY_NAME
export LINUX_64_BINARY_NAME="monkey-linux-64"
export LINUX_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/monkey-linux-64"
WINDOWS_32_BINARY_NAME="monkey-windows-32.exe"
WINDOWS_32_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$($MONKEY_LATEST_RELEASE)/monkey-windows-32.exe"
export WINDOWS_32_BINARY_URL
export WINDOWS_32_BINARY_NAME
export WINDOWS_32_BINARY_NAME="monkey-windows-32.exe"
export WINDOWS_32_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/monkey-windows-32.exe"
WINDOWS_64_BINARY_NAME="monkey-windows-64.exe"
WINDOWS_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$($MONKEY_LATEST_RELEASE)/monkey-windows-64.exe"
export WINDOWS_64_BINARY_URL
export WINDOWS_64_BINARY_NAME
export WINDOWS_64_BINARY_NAME="monkey-windows-64.exe"
export WINDOWS_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/monkey-windows-64.exe"
# Other binaries for monkey
TRACEROUTE_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$($MONKEY_LATEST_RELEASE)/traceroute64"
export TRACEROUTE_64_BINARY_URL
TRACEROUTE_32_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$($MONKEY_LATEST_RELEASE)/traceroute32"
export TRACEROUTE_32_BINARY_URL
SAMBACRY_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$($MONKEY_LATEST_RELEASE)/sc_monkey_runner64.so"
export SAMBACRY_64_BINARY_URL
SAMBACRY_32_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$($MONKEY_LATEST_RELEASE)/sc_monkey_runner32.so"
export SAMBACRY_32_BINARY_URL
export TRACEROUTE_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/traceroute64"
export TRACEROUTE_32_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/traceroute32"
export SAMBACRY_64_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/sc_monkey_runner64.so"
export SAMBACRY_32_BINARY_URL="https://github.com/guardicore/monkey/releases/download/$MONKEY_LATEST_RELEASE/sc_monkey_runner32.so"

1
deployment_scripts/config.ps1
View File

@ -30,6 +30,7 @@ $TRACEROUTE_32_BINARY_URL = $MONKEY_DOWNLOAD_URL + "traceroute32"
# Other directories and paths ( most likely you dont need to configure)
$MONKEY_ISLAND_DIR = Join-Path "\monkey" -ChildPath "monkey_island"
$MONKEY_DIR = Join-Path "\monkey" -ChildPath "infection_monkey"
$SCOUTSUITE_DIR = Join-Path "\monkey" "common" "cloud" "scoutsuite"
$SAMBA_BINARIES_DIR = Join-Path -Path $MONKEY_DIR -ChildPath "\bin"
$TEMP_PYTHON_INSTALLER = ".\python.exe"
$TEMP_MONGODB_ZIP = ".\mongodb.zip"

34
deployment_scripts/deploy_linux.sh
View File

@ -10,7 +10,7 @@ is_root() {
has_sudo() {
# 0 true, 1 false
timeout 1 sudo id && return 0 || return 1
return $(sudo -nv > /dev/null 2>&1)
}
handle_error() {
@ -23,6 +23,11 @@ log_message() {
echo -e "DEPLOYMENT SCRIPT: $1"
}
if is_root; then
log_message "Please don't run this script as root"
exit 1
fi
config_branch=${2:-"develop"}
config_url="https://raw.githubusercontent.com/guardicore/monkey/${config_branch}/deployment_scripts/config"
@ -62,14 +67,9 @@ ISLAND_BINARIES_PATH="$ISLAND_PATH/cc/binaries"
INFECTION_MONKEY_DIR="$monkey_home/monkey/infection_monkey"
MONKEY_BIN_DIR="$INFECTION_MONKEY_DIR/bin"
if is_root; then
log_message "Please don't run this script as root"
exit 1
fi
HAS_SUDO=$(has_sudo)
if [[ ! $HAS_SUDO ]]; then
log_message "You need root permissions for some of this script operations. Quiting."
if ! has_sudo; then
log_message "You need root permissions for some of this script operations. \
Run \`sudo -v\`, enter your password, and then re-run this script."
exit 1
fi
@ -110,13 +110,16 @@ if [[ ${python_cmd} == "" ]]; then
log_message "Python 3.7 command not found. Installing python 3.7."
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt-get update
sudo apt install python3.7 python3.7-dev
sudo apt-get install -y python3.7 python3.7-dev
log_message "Python 3.7 is now available with command 'python3.7'."
python_cmd="python3.7"
fi
log_message "Installing build-essential"
sudo apt install build-essential
sudo apt-get install -y build-essential
log_message "Installing python3-distutils"
sudo apt-get install -y python3-distutils
log_message "Installing or updating pip"
# shellcheck disable=SC2086
@ -134,11 +137,10 @@ requirements_island="$ISLAND_PATH/requirements.txt"
${python_cmd} -m pip install -r "${requirements_island}" --user --upgrade || handle_error
log_message "Installing monkey requirements"
sudo apt-get install libffi-dev upx libssl-dev libc++1
sudo apt-get install -y libffi-dev upx libssl-dev libc++1
requirements_monkey="$INFECTION_MONKEY_DIR/requirements.txt"
${python_cmd} -m pip install -r "${requirements_monkey}" --user --upgrade || handle_error
agents=${3:-true}
# Download binaries
if [ "$agents" = true ] ; then
@ -162,15 +164,19 @@ chmod a+x "$ISLAND_BINARIES_PATH/$LINUX_64_BINARY_NAME"
# If a user haven't installed mongo manually check if we can install it with our script
if ! exists mongod; then
log_message "Installing libcurl4"
sudo apt-get install -y libcurl4
log_message "Installing MongoDB"
"${ISLAND_PATH}"/linux/install_mongo.sh ${MONGO_PATH} || handle_error
fi
log_message "Installing openssl"
sudo apt-get install openssl
sudo apt-get install -y openssl
# Generate SSL certificate
log_message "Generating certificate"
chmod u+x "${ISLAND_PATH}"/linux/create_certificate.sh
"${ISLAND_PATH}"/linux/create_certificate.sh ${ISLAND_PATH}/cc
# Update node

3
deployment_scripts/deploy_windows.ps1
View File

@ -115,6 +115,9 @@ function Deploy-Windows([String] $monkey_home = (Get-Item -Path ".\").FullName,
"Installing python packages for monkey"
$monkeyRequirements = Join-Path -Path $monkey_home -ChildPath $MONKEY_DIR | Join-Path -ChildPath "\requirements.txt"
& python -m pip install --user -r $monkeyRequirements
"Installing python packages for ScoutSuite"
$scoutsuiteRequirements = Join-Path -Path $monkey_home -ChildPath $SCOUTSUITE_DIR | Join-Path -ChildPath "\requirements.txt"
& python -m pip install --user -r $scoutsuiteRequirements
$user_python_dir = cmd.exe /c 'py -m site --user-site'
$user_python_dir = Join-Path (Split-Path $user_python_dir) -ChildPath "\Scripts"

56
docs/content/FAQ/_index.md
View File

@ -5,10 +5,11 @@ draft: false
pre: "<i class='fas fa-question'></i> "
---
Here are some of the most common questions we receive about the Infection Monkey. If the answer youre looking for isnt here, talk with us [on our Slack channel](https://infectionmonkey.slack.com/), email us at [support@infectionmonkey.com](mailto:support@infectionmonkey.com) or [open an issue on GitHub](https://github.com/guardicore/monkey).
Here are some of the most common questions we receive about the Infection Monkey. If the answer you're looking for isn't here, talk with us [on our Slack channel](https://infectionmonkey.slack.com/join/shared_invite/enQtNDU5MjAxMjg1MjU1LWM0NjVmNWE2ZTMzYzAxOWJiYmMxMzU0NWU3NmUxYjcyNjk0YWY2MDkwODk4NGMyNDU4NzA4MDljOWNmZWViNDU), email us at [support@infectionmonkey.com](mailto:support@infectionmonkey.com) or [open an issue on GitHub](https://github.com/guardicore/monkey).
- [Where can I get the latest Monkey version? 📰](#where-can-i-get-the-latest-monkey-version)
- [Where can I get the latest Monkey version?](#where-can-i-get-the-latest-monkey-version)
- [How long does a single Monkey run for? Is there a time limit?](#how-long-does-a-single-monkey-run-for-is-there-a-time-limit)
- [How to reset the password?](#how-to-reset-the-password)
- [Should I run the Monkey continuously?](#should-i-run-the-monkey-continuously)
- [Which queries does Monkey perform to the Internet exactly?](#which-queries-does-monkey-perform-to-the-internet-exactly)
- [Where can I find the log files of the Monkey and the Monkey Island, and how can I read them?](#where-can-i-find-the-log-files-of-the-monkey-and-the-monkey-island-and-how-can-i-read-them)
@ -16,16 +17,16 @@ Here are some of the most common questions we receive about the Infection Monkey
- [Monkey agent](#monkey-agent)
- [Running the Monkey in a production environment](#running-the-monkey-in-a-production-environment)
- [How much of a footprint does the Monkey leave?](#how-much-of-a-footprint-does-the-monkey-leave)
- [Whats the Monkeys impact on system resources usage?](#whats-the-monkeys-impact-on-system-resources-usage)
- [Is it safe to use real passwords and usernames in the Monkeys configuration?](#is-it-safe-to-use-real-passwords-and-usernames-in-the-monkeys-configuration)
- [What's the Monkey's impact on system resources usage?](#whats-the-monkeys-impact-on-system-resources-usage)
- [Is it safe to use real passwords and usernames in the Monkey's configuration?](#is-it-safe-to-use-real-passwords-and-usernames-in-the-monkeys-configuration)
- [How do you store sensitive information on Monkey Island?](#how-do-you-store-sensitive-information-on-monkey-island)
- [How stable are the exploitations used by the Monkey? Will the Monkey crash my systems with its exploits?](#how-stable-are-the-exploitations-used-by-the-monkey-will-the-monkey-crash-my-systems-with-its-exploits)
- [After Ive set up Monkey Island, how can I execute the Monkey?](#after-ive-set-up-monkey-island-how-can-i-execute-the-monkey)
- [After I've set up Monkey Island, how can I execute the Monkey?](#after-ive-set-up-monkey-island-how-can-i-execute-the-monkey)
- [How can I make the monkey propagate “deeper” into the network?](#how-can-i-make-the-monkey-propagate-deeper-into-the-network)
- [The report returns a blank screen](#the-report-returns-a-blank-screen)
- [How can I get involved with the project? 👩‍💻👨‍💻](#how-can-i-get-involved-with-the-project)
- [How can I get involved with the project?](#how-can-i-get-involved-with-the-project)
## Where can I get the latest Monkey version? 📰
## Where can I get the latest Monkey version?
For the latest **stable** release for users, visit [our downloads page](https://www.guardicore.com/infectionmonkey/#download). **This is the recommended and supported version**!
@ -35,6 +36,23 @@ If you want to see what has changed between versions, refer to the [releases pag
The Monkey shuts off either when it can't find new victims, or when it has exceeded the quota of victims as defined in the configuration.
## How to reset the password?
On your first access of Monkey Island server, you'll be prompted to create an account. If you forgot the credentials you
entered or just want to change them, you need to manually alter the `server_config.json` file. On Linux, this file is
located on `/var/monkey/monkey_island/cc/server_config.json`. On windows, it's based on your install directory (typically
`C:\Program Files\Guardicore\Monkey Island\monkey_island\cc\server_config.json`). Reset the contents of this file
leaving the **deployment option unchanged** (it might be "vmware" or "linux" in your case):
```json
{
"server_config": "password",
"deployment": "windows"
}
```
Then reset the Island process (`sudo systemctl restart monkey-island.service` for linux, restart program for windows).
Finally, go to the Island's URL and create a new account.
## Should I run the Monkey continuously?
Yes! This will allow you to verify that no new security issues were identified by the Monkey since the last time you ran it.
@ -59,7 +77,7 @@ The Monkey performs queries out to the Internet on two separate occasions:
### Monkey Island
The Monkey Islands log file can be downloaded directly from the UI. Click the “log” section and choose “Download Monkey Island internal logfile”, like so:
The Monkey Island's log file can be downloaded directly from the UI. Click the “log” section and choose “Download Monkey Island internal logfile”, like so:
![How to download Monkey Island internal log file](/images/faq/download_log_monkey_island.png "How to download Monkey Island internal log file")
@ -80,7 +98,7 @@ The Monkey log file can be found in the following paths on machines where it was
- Path on Linux: `/tmp/user-1563`
- Path on Windows: `%temp%\\~df1563.tmp`
The logs contain information about the internals of the Monkeys execution. The log will contain entries like these ones for example:
The logs contain information about the internals of the Monkey's execution. The log will contain entries like these ones for example:
```log
2019-07-22 19:16:44,228 [77598:140654230214464:INFO] main.main.116: >>>>>>>>>> Initializing monkey (InfectionMonkey): PID 77598 <<<<<<<<<<
@ -106,13 +124,13 @@ The Monkey leaves hardly any trace on the target system. It will leave:
- Path on Linux: `/tmp/user-1563`
- Path on Windows: `%temp%\\~df1563.tmp`
### Whats the Monkeys impact on system resources usage?
### What's the Monkey's impact on system resources usage?
The Infection Monkey uses less than single-digit percent of CPU time and very low RAM usage. For example, on a single-core Windows Server machine, the Monkey consistently uses 0.06% CPU, less than 80MB of RAM and a small amount of I/O periodically.
If you do experience any performance issues please let us know on [our Slack channel](https://infectionmonkey.slack.com/) or via [opening an issue on GitHub](https://github.com/guardicore/monkey).
### Is it safe to use real passwords and usernames in the Monkeys configuration?
### Is it safe to use real passwords and usernames in the Monkey's configuration?
Absolutely! User credentials are stored encrypted in the Monkey Island server. This information is then accessible only to users that have access to the Island.
@ -120,7 +138,7 @@ We advise to limit access to the Monkey Island server by following our [password
### How do you store sensitive information on Monkey Island?
Sensitive data such as passwords, SSH keys and hashes are stored on the Monkey Islands database in an encrypted fashion. This data is transmitted to the Infection Monkeys in an encrypted fashion (HTTPS) and is not stored locally on the victim machines.
Sensitive data such as passwords, SSH keys and hashes are stored on the Monkey Island's database in an encrypted fashion. This data is transmitted to the Infection Monkeys in an encrypted fashion (HTTPS) and is not stored locally on the victim machines.
When you reset the Monkey Island configuration, the Monkey Island wipes the information.
@ -128,9 +146,9 @@ When you reset the Monkey Island configuration, the Monkey Island wipes the info
The Monkey does not use any exploits or attacks that may impact the victim system.
This means we avoid using some very strong (and famous) exploits such as [EternalBlue](https://www.guardicore.com/2017/05/detecting-mitigating-wannacry-copycat-attacks-using-guardicore-centra-platform/). This exploit was used in WannaCry and NotPetya with huge impact. But because it may crash a production system, we arent using it.
This means we avoid using some very strong (and famous) exploits such as [EternalBlue](https://www.guardicore.com/2017/05/detecting-mitigating-wannacry-copycat-attacks-using-guardicore-centra-platform/). This exploit was used in WannaCry and NotPetya with huge impact. But because it may crash a production system, we aren't using it.
## After Ive set up Monkey Island, how can I execute the Monkey?
## After I've set up Monkey Island, how can I execute the Monkey?
See our detailed [getting started](../content/usage/getting-started) guide.
@ -149,6 +167,14 @@ This is sometimes caused when Monkey Island is installed with an old version of
- **Linux**: First, uninstall the current version with `sudo apt uninstall mongodb` and then install the latest version using the [official mongodb manual](https://docs.mongodb.com/manual/administration/install-community/).
- **Windows**: First, remove the MongoDB binaries from the `monkey\monkey_island\bin\mongodb` folder. Download and install the latest version of mongodb using the [official mongodb manual](https://docs.mongodb.com/manual/administration/install-community/). After installation is complete, copy the files from the `C:\Program Files\MongoDB\Server\4.2\bin` folder to the `monkey\monkey_island\bin\mongodb folder`. Try to run the Island again and everything should work.
## How can I get involved with the project? 👩‍💻👨‍💻
## How can I get involved with the project?
The Monkey is an open-source project, and we weclome contributions and contributors. Check out the [contribution documentation](../development) for more information.
## About the project 🐵
### How did you come up with the Infection Monkey?
Oddly enough, the idea of proactively breaking the network to test its survival wasn't born in the security industry. In 2011, the streaming giant Netflix released Chaos Monkey, a tool that was designed to randomly disable the company's production servers to verify they could survive network failures without any customer impact. Netflix's Chaos Monkey became a popular network resilience tool, breaking the network in a variety of failure modes, including connectivity issues, invalid SSL certificates and randomly deleting VMs.
Inspired by this concept, Guardicore Labs developed its own attack simulator - Infection Monkey - to run non-intrusively within existing production environments. The idea was to test the resiliency of modern data centers against attack and give security teams the insights they need to make informed decisions and enforce tighter security policies. Since its launch in 2017 (?) the Infection Monkey has been used by hundreds of information technology teams from across the world to find weaknesses in their on-premises and cloud-based data centers.

20
docs/content/development/_index.md
View File

@ -13,31 +13,31 @@ Want to help secure networks? That's great!
## How should I start?
Here's a few short links to help you get started.
Here are a few short links to help you get started:
* [Getting up and running](../setup-development-environment) - To help you get a working development setup.
* [Contributing guidelines](https://github.com/guardicore/monkey/blob/master/CONTRIBUTING.md) - Some guidelines to help you submit.
* [Getting up and running](./setup-development-environment) - These instructions will help you get a working development setup.
* [Contributing guidelines](https://github.com/guardicore/monkey/blob/master/CONTRIBUTING.md) - These guidelines will help you submit.
## What are we looking for?
You can take a look at [our roadmap](https://github.com/guardicore/monkey/projects/5) to see what issues we're thinking about doing soon. We are looking for:
You can take a look at [our roadmap](https://github.com/guardicore/monkey/projects/5) to see what issues we're thinking about tackling soon. We are always looking for:
### More exploits! 💥
The best way to find weak spots in the network is by attacking it. The [Exploit template](https://github.com/guardicore/monkey/wiki/Exploit-templates) page will help you add exploits.
The best way to find weak spots in a network is by attacking it. The [exploit template](https://github.com/guardicore/monkey/wiki/Exploit-templates) page will help you add exploits.
It's important to note that the Infection Monkey must be perfectly reliable otherwise no one will use it, so avoid memory corruption exploits _unless they're rock solid_ and focus on the logical vulns such as Shellshock.
It's important to note that the Infection Monkey must be absolutely reliable. Otherwise, no one will use it, so avoid memory corruption exploits unless they're rock solid and focus on the logical vulns such as Shellshock.
### Analysis plugins 🔬
Successfully attacking every server in the network is no good unless the Monkey can explain how to prevent the attack. Whether it's detecting when the Monkey is using stolen credentials or when the Monkey can escape locked down networks, this is the part that actually helps secure different parts.
Successfully attacking every server in the network has little value if the Infection Monkey can't provide recommendations for reducing future risk. Whether it's explaining how the Infection Monkey used stolen credentials or escaped from locked-down networks, analysis is what helps users translate the Infection Monkey's activities into actionable next steps for improving security.
### Better code 💪
We always want to improve the core Monkey code, to make it smaller, faster and more reliable. If you have an idea of how to do it, or just want to modularise/improve test coverage for the code, do share!
We always want to improve the core Infection Monkey code to make it smaller, faster and more reliable. Please share if you have an idea that will help us meet these goals or modularize/improve test coverage.
### Documentation 📚
Every project requires better documentation. The Monkey is no different, so feel free to open PRs with suggestions, improvements or issues asking us to document different parts of the Monkey.
Every project requires excellent documentation. The Infection Monkey is no different. Please feel free to open pull requests with suggestions, improvements or issues and asking us to document various parts of the Monkey.
The Monkey's documentation is stored in the `/docs/content` directory.
The Infection Monkey's documentation is stored in the `/docs/content` directory.

16
docs/content/development/add-zero-trust-test.md
View File

@ -5,22 +5,22 @@ draft: false
weight: 100
---
## How to add a new Zero Trust test to the Monkey?
## How do I add a new Zero Trust test to the Monkey?
Assuming the Monkey agent is already sending the relevant telemetry, you'll need to add the test in two places.
Assuming the Infection Monkey agent is already sending the relevant telemetry, you'll need to add the test in two places.
### `zero_trust_consts.py`
In the file `/monkey/common/data/zero_trust_consts.py`,
In the file `/monkey/common/data/zero_trust_consts.py`:
1. Add the test name to the TESTS set
2. Add a relevant recommendation if exists
3. Add the test to the TESTS_MAP dict. Make sure that all statuses (except `STATUS_UNEXECUTED`) have finding explanations.
2. Add a relevant recommendation if it exists
3. Add the test to the TESTS_MAP dict. Ensure that all statuses (except `STATUS_UNEXECUTED`) have finding explanations.
### `telemetry/processing.py`
Find the relevant telemetry type you wish to test the finding in. This can be found in `/monkey/monkey_island/cc/services/telemetry/processing.py`. In the relevant `process_*_telemetry` function, add your Zero Trust testing code. Please put the zero trust tests under the `/monkey/monkey_island/cc/services/telemetry/zero_trust_tests` directory. There you can find examples of existing tests as well, so you'll know pretty much what you need to write.
Find the relevant telemetry type you wish to test the finding in next. These can be found in `/monkey/monkey_island/cc/services/telemetry/processing.py`. In the relevant `process_*_telemetry` function, add your Zero Trust testing code. Please put the Zero Trust tests under the `/monkey/monkey_island/cc/services/telemetry/zero_trust_tests` directory. There you can also find examples of existing tests as well, so you'll have a reference for what you need to write.
## How to test the new Zero Trust test I've implemented?
## How do I test the new Zero Trust test I've implemented?
Test ALL possible finding statuses you've defined in a fake network. Observe the events as well and see they were formatted correctly. If there's an algorithmic part to your Zero Trust test, please cover it using a Unit Test.
Test ALL possible finding statuses you've defined in a fake network. Ensure the events were formatted correctly by observing them. If there's an algorithmic part to your Zero Trust test, please cover it using a Unit Test.

14
docs/content/development/adding-post-breach-actions.md
View File

@ -6,17 +6,17 @@ tags: ["contribute"]
weight: 90
---
## What's this?
## What does this guide cover?
This guide will show you how to create a new _Post Breach action_ for the Infection Monkey. _Post Breach actions_ are "extra" actions that the Monkey can perform on the victim machines after it propagated to them.
This guide will show you how to create a new _post-breach action_ (PBA) for the Infection Monkey. PBA are "extra" actions that the Infection Monkey can perform on victim machines after propagating to them.
## Do I need a new PBA?
If all you want is to execute shell commands, then there's no need to add a new PBA - just configure the required commands in the Monkey Island configuration! If you think that those specific commands have reuse value in all deployments and not just your own, you can add a new PBA. If you need to run actual Python code, you must add a new PBA.
If all you want to do is execute shell commands, then there's no need to add a new PBA - just configure the required commands in the Monkey Island configuration! If you think that those specific commands have reuse value in other deployments besides your own, you can add a new PBA. Additionally, if you need to run actual Python code, you must add a new PBA.
## How to add a new PBA
### Monkey side
### From the Infection Monkey Side
#### Framework
@ -43,7 +43,7 @@ If your PBA consists only of simple shell commands, you can reuse the generic PB
Otherwise, you'll need to override the `run` method with your own implementation. See the `communicate_as_new_user.py` PBA for reference. Make sure to send the relevant PostBreachTelem upon success/failure. You can log during the PBA as well.
### Island side
### From the Monkey Island Side
#### Configuration
@ -67,10 +67,10 @@ You'll need to add your PBA to the `config_schema.py` file, under `post_breach_a
},
```
Now you can choose your PBA when configuring the Monkey on the Monkey island:
Now you can choose your PBA when configuring the Infection Monkey on the Monkey island:
![PBA in configuration](https://i.imgur.com/9PrcWr0.png)
#### Telemetry processing
If you wish to process your Post Breach action telemetry (for example, to analyze it for report data), add a processing function to the `POST_BREACH_TELEMETRY_PROCESSING_FUNCS` which can be found at `monkey/monkey_island/cc/services/telemetry/processing/post_breach.py`. You can look at the `process_communicate_as_new_user_telemetry` method as an example.
If you wish to process your PBA telemetry (for example, to analyze it for report data), add a processing function to the `POST_BREACH_TELEMETRY_PROCESSING_FUNCS`, which can be found at `monkey/monkey_island/cc/services/telemetry/processing/post_breach.py`. You can reference the `process_communicate_as_new_user_telemetry` method as an example.

26
docs/content/development/adding-system-info-collectors.md
View File

@ -6,21 +6,21 @@ tags: ["contribute"]
weight: 80
---
## What's this?
## What does this guide cover?
This guide will show you how to create a new _System Info Collector_ for the Infection Monkey. _System Info Collectors_ are modules which each Monkey runs, that collect specific information and sends it back to the Island as part of the System Info Telemetry.
This guide will show you how to create a new _System Info Collector_ for the Infection Monkey. System Info Collectors are modules that each of the Infection Monkey agents runs that collect specific information and send it back to the Monkey Island as part of the System Info Telemetry.
### Do I need a new System Info Controller?
### Do I need a new System Info Collector?
If all you want is to execute a shell command, then there's no need to add a new collector - just configure the required commands in the Monkey Island configuration in the PBA section! Also, if there is a relevant collector and you only need to add more information to it, expand the existing one. Otherwise, you must add a new Collector.
If all you want to do is execute a shell command, then there's no need to add a new System Info Collector - just configure the required commands in the Monkey Island's post-breach action (PBA) section! Also, if there is a relevant System Info Collector and you only need to add more information to it, simply expand the existing one. Otherwise, you must add a new System Info Collector.
## How to add a new System Info Collector
### Monkey side
### From the Monkey Island Side
#### Framework
1. Create your new collector in the following directory: `monkey/infection_monkey/system_info/collectors` by first creating a new file with the name of your collector.
1. Create your new System Info Collector in the following directory: `monkey/infection_monkey/system_info/collectors` by first creating a new file with the name of your System Info Collector.
2. In that file, create a class that inherits from the `SystemInfoCollector` class:
```py
@ -29,7 +29,7 @@ from infection_monkey.system_info.system_info_collector import SystemInfoCollect
class MyNewCollector(SystemInfoCollector):
```
3. Set the Collector name in the constructor, like so:
3. Set the System Info Collector name in the constructor, like so:
```py
class MyNewCollector(SystemInfoCollector):
@ -39,15 +39,15 @@ class MyNewCollector(SystemInfoCollector):
#### Implementation
Override the `collect` method with your own implementation. See the `EnvironmentCollector.py` Collector for reference. You can log during collection as well.
Override the `collect` method with your own implementation. See the `EnvironmentCollector.py` System Info Collector for reference. You can log during collection as well.
### Island side
### From the Monkey Island Side
#### Island Configuration
#### Configuration
##### Definitions
You'll need to add your Collector to the `monkey_island/cc/services/config_schema.py` file, under `definitions/system_info_collectors_classes/anyOf`, like so:
You'll need to add your Sytem Info Collector to the `monkey_island/cc/services/config_schema.py` file, under `definitions/system_info_collectors_classes/anyOf`, like so:
```json
"system_info_collectors_classes": {
@ -76,7 +76,7 @@ You'll need to add your Collector to the `monkey_island/cc/services/config_schem
##### properties
Also, you can add the Collector to be used by default by adding it to the `default` key under `properties/monkey/system_info/system_info_collectors_classes`:
Also, you can add the System Info Collector to be used by default by adding it to the `default` key under `properties/monkey/system_info/system_info_collectors_classes`:
```json
"system_info_collectors_classes": {
@ -96,6 +96,6 @@ Also, you can add the Collector to be used by default by adding it to the `defau
#### Telemetry processing
1. Add a process function under `monkey_island/cc/telemetry/processing/system_info_collectors/{DATA_NAME_HERE}.py`. The function should parse the collector's result. See `processing/system_info_collectors/environment.py` for example.
1. Add a process function under `monkey_island/cc/telemetry/processing/system_info_collectors/{DATA_NAME_HERE}.py`. The function should parse the System Info Collector's result. See `processing/system_info_collectors/environment.py` for example.
2. Add that function to `SYSTEM_INFO_COLLECTOR_TO_TELEMETRY_PROCESSORS` under `monkey_island/cc/services/telemetry/processing/system_info_collectors/system_info_telemetry_dispatcher.py`.

36
docs/content/development/contribute-documentation.md
View File

@ -6,11 +6,11 @@ weight: 1
tags: ["contribute"]
---
The `/docs` folder contains the Monkey Documentation site.
The `/docs` folder contains the Infection Monkey Documentation site.
The site is based on [Hugo](https://gohugo.io/) and the [learn](https://themes.gohugo.io/theme/hugo-theme-learn/en) theme.
- [Directory Structure](#directory-structure)
- [Directory structure](#directory-structure)
- [content](#content)
- [static](#static)
- [config](#config)
@ -30,35 +30,35 @@ The site is based on [Hugo](https://gohugo.io/) and the [learn](https://themes.g
- [`failed to extract shortcode: template for shortcode "children" not found` or theme doesn't seem right?](#failed-to-extract-shortcode-template-for-shortcode-children-not-found-or-theme-doesnt-seem-right)
- [CSS is missing](#css-is-missing)
## Directory Structure
## Directory structure
By order of importance:
### content
### Content
The most important directory is `/content`: This is the directory which contains the content files. [Read this to understand how pages are organized in that folder](https://themes.gohugo.io//theme/hugo-theme-learn/en/cont/pages/).
The most important directory is `/content`. This is the directory which contains the content files. [Read this to understand how pages are organized in that folder](https://themes.gohugo.io//theme/hugo-theme-learn/en/cont/pages/).
### static
### Static
In this directory you should place images, `css` files, `js` files, and other static content the site should serve. To access that static content in a page, use something similar to this:
In this directory you should place images, `css` files, `js` files and other static content the site should serve. To access that static content in a page, use something similar to this:
```markdown
![AWS instance ID](../../images/setup/aws/aws-instance-id.png "AWS instance ID")
```
### config
### Config
This folder controls a lot of parameters regarding the site generation.
This folder controls many of the parameters regarding the site generation.
### themes
### Themes
This is the theme we're using. It's a submodule (so to get it you need to run `git submodule update`). It's our own fork of the [learn](https://themes.gohugo.io/hugo-theme-learn/) theme. If we want to make changes to the theme itself or pull updates from the upstream you'll do it here.
This is the theme we're using. It's a submodule (to get it you need to run `git submodule update`). It's our own fork of the [learn](https://themes.gohugo.io/hugo-theme-learn/) theme. If you want to make changes to the theme itself, or pull updates from the upstream, you'll do it here.
### layouts and archtypes
### Layouts and archtypes
This directory includes custom [HTML partials](https://gohugo.io/templates/partials/), custom [shortcodes](https://gohugo.io/content-management/shortcodes/), and content templates. Best to not mess with the existing stuff here too much, but rather add new things.
This directory includes custom [HTML partials](https://gohugo.io/templates/partials/), custom [shortcodes](https://gohugo.io/content-management/shortcodes/) and content templates. It's best not to mess with the existing stuff here too much, but rather add new things.
### public and resources
### Public and resources
These are the build output of `hugo` and should never be `commit`-ed to git.
@ -66,13 +66,13 @@ These are the build output of `hugo` and should never be `commit`-ed to git.
### Requirements
You have to [install `hugo`](https://gohugo.io/getting-started/installing/), a text editor that's good for markdown (`vscode` and `vim` are good options), and `git`.
You'll have to [install `hugo`](https://gohugo.io/getting-started/installing/), a text editor that's good for markdown (`vscode` and `vim` are good options) and `git`.
### Adding and editing content
#### Add a new page
Run `hugo new folder/page.md`. Optionally add `--kind chapter` if this is a new chapter page. For example, `hugo new usage/getting-started.md` created the Getting Started page.
Run `hugo new folder/page.md`. Optionally add `--kind chapter` if creating a new chapter page. For example, `hugo new usage/getting-started.md` created the Getting Started page.
#### Editing an existing page
@ -92,11 +92,11 @@ Run `hugo --environment staging` or `hugo --environment production`. This will c
##### `Error: Unable to locate config file or config directory. Perhaps you need to create a new site.`
What is your working directory? It should be `monkey/docs`.
Did you confirm your working directory? It should be `monkey/docs`.
##### `failed to extract shortcode: template for shortcode "children" not found` or theme doesn't seem right?
Have you ran `git submodule update`?
Have you run `git submodule update`?
##### CSS is missing

10
docs/content/development/setup-development-environment.md
View File

@ -8,17 +8,17 @@ tags: ["contribute"]
## Deployment scripts
To setup development environment using scripts look at the readme under [`/deployment_scripts`](https://github.com/guardicore/monkey/blob/develop/deployment_scripts). If you want to setup it manually or if run into some problems, read further below.
To set up a development environment using scripts, look at the readme under [`/deployment_scripts`](https://github.com/guardicore/monkey/blob/develop/deployment_scripts). If you want to set it up manually or run into problems, keep reading.
## Agent
The Agent, (what we refer as the Monkey), is a single Python project under the [`infection_monkey`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey) folder. Built for Python 3.7, you can get it up and running by setting up a [virtual environment](https://docs.python-guide.org/dev/virtualenvs/) and inside it installing the requirements listed under [`requirements.txt`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/requirements.txt).
The agent (which we sometimes refer to as the Infection Monkey) is a single Python project under the [`infection_monkey`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey) folder. The Infection Monkey agent was built for Python 3.7. You can get it up and running by setting up a [virtual environment](https://docs.python-guide.org/dev/virtualenvs/) and installing the requirements listed in the [`requirements.txt`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/requirements.txt) inside it.
In order to compile the Monkey for distribution by the Monkey Island, you need to run the instructions listed in [`readme.txt`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/readme.txt) on each supported environment.
In order to compile the Infection Monkey for distribution by the Monkey Island, you'll need to run the instructions listed in the [`readme.txt`](https://github.com/guardicore/monkey/blob/master/monkey/infection_monkey/readme.txt) on each supported environment.
This means setting up an environment with Linux 32/64-bit with Python installed and a Windows 64-bit machine with developer tools + 32/64-bit Python versions.
This means setting up an environment with Linux 32/64-bit with Python installed and a Windows 64-bit machine with developer tools, along with 32/64-bit Python versions.
## Monkey Island
## The Monkey Island
The Monkey Island is a Python backend React frontend project. Similar to the agent, the backend's requirements are listed in the matching [`requirements.txt`](https://github.com/guardicore/monkey/blob/master/monkey/monkey_island/requirements.txt).

29
docs/content/development/swimm.md Normal file
View File

@ -0,0 +1,29 @@
---
title: "Swimm tutorials"
date: 2020-09-02T22:14:58+03:00
draft: false
weight: 3
tags: ["contribute"]
---
The Infection Monkey has development tutorials that use [`swimm.io`](https://swimm.io/) to help teach new developers how to perform common code tasks in the Infection Monkey codebase and accelerate the ramp-up process. The tutorials include adding new configuration values, new system info collectors and more.
![swimm logo](https://swimm.io/img/squarelogo.png "swimm logo")
# How to start learning
First, [sign up for swimm's beta](https://swimm.io/sign-beta). `swimm` is free for open-source projects, but as they're still in beta you'll need to sign up in order to download it.
After you've downloaded and installed `swimm`, open a shell in the Infeciton Monkey repo folder and run:
```shell script
swimm start
```
A local web server with the currently available tutorials should show up, and will look something like this:
![swimm server](https://i.imgur.com/NFBH4Vr.png "swimm server")
Choose which playlist you'd like to learn, click on it and follow the instructions.
🏊‍♀️🏊‍♂️

35
docs/content/reference/exploiters/Drupal.md Normal file
View File

@ -0,0 +1,35 @@
---
title: "Drupal"
date: 2020-09-01T08:42:46+03:00
draft: false
tags: ["exploit", "linux", "windows"]
---
The Drupal exploiter exploits [CVE-2019-6340](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340)
on a vulnerable Drupal server.
### Description
Some field types do not properly sanitize data from non-form sources in certain versions
of Drupal server.
This can lead to arbitrary PHP code execution in some cases.
### Affected Versions
* Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10.
One of the following conditions must hold:
* The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH
or POST requests; OR
* The site has another web services module enabled, like JSON:API in
Drupal 8, or Services or RESTful Web Services in Drupal 7.
### Notes
* The Infection Monkey exploiter implementation is based on an open-source
[Python implementation](https://gist.github.com/leonjza/d0ab053be9b06fa020b66f00358e3d88/f9f6a5bb6605745e292bee3a4079f261d891738a)
of the exploit by @leonjza.
* For the full attack to work, more than one vulnerable URL is required.

74
docs/content/reference/exploiters/Zerologon.md Normal file
View File

@ -0,0 +1,74 @@
---
title: "Zerologon"
date: 2021-01-31T19:46:12+05:30
draft: false
tags: ["exploit", "windows"]
---
The Zerologon exploiter exploits [CVE-2020-1472](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472).
### Description
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).
To download the relevant security update and read more, click [here](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472).
### A note on safety
This exploiter is not safe for production or other sensitive environments. It
is, therefore, **not** enabled by default.
During successful exploitation, the Zerologon exploiter:
* will temporarily change the target domain controller's password.
* may break the target domain controller's communication with other systems in the network, affecting functionality.
* may change the administrator's password.
* will *attempt* to revert all changes.
While the Zerologon exploiter is usually successful in reverting its changes
and restoring the original passwords, it sometimes fails. Restoring passwords
manually after the Zerologon exploiter has run is nontrivial. For information
on restoring the original passwords, see the section on manually restoring your
passwords.
To minimize the risk posed by this exploiter, it is recommended that this
exploiter be run _only_ against VMs with a recent snapshot and _only_ in
testing or staging environments.
### Manually restoring your password
This exploiter attempts to restore the original passwords after exploitation.
It is usually successful, but it sometimes fails. If this exploiter has changed
a password but was unable to restore the original, you can try the following
methods to restore the original password.
#### Restore the VM from a recent snapshot
If the affected system is a virtual machine, the simplest way to restore it to
a working state is to revert to a recent snapshot.
#### Restore the administrator's password
If you are unable to log in as the administrator, you can follow the
instructions
[here](https://www.top-password.com/knowledge/reset-windows-server-2019-password.html)
to regain access to the system.
#### Use Reset-ComputerMachinePassword
If you are able to login as the administrator, you can use the
[Reset-ComputerMachinePassword](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1)
powershell command to restore the domain controller's password.
#### Try a zerologon password restoration tool
If all other approaches fail, you can try the tools and steps found
[here](https://github.com/risksense/zerologon).
### Notes
* The Infection Monkey exploiter implementation is based on implementations by [@dirkjanm](https://github.com/dirkjanm/CVE-2020-1472/) and [@risksense](https://github.com/risksense/zerologon).

58
docs/content/reference/mitre_techniques.md Normal file
View File

@ -0,0 +1,58 @@
---
title: "MITRE ATT&CK"
date: 2020-09-24T08:18:37+03:00
draft: false
pre: '&nbsp<b><u>&</u></b> '
weight: 10
---
{{% notice info %}}
Check out [the documentation for the MITRE ATT&CK report as well](../../usage/reports/mitre).
{{% /notice %}}
The Monkey maps its actions to the [MITRE ATT&CK](https://attack.mitre.org/) knowledge base and based on this,
provides a report detailing the techniques it used and recommended mitigations.
The idea is to help you simulate an APT attack on your network and mitigate real attack paths intelligently.
In the following table we provide the list of all the ATT&CK techniques the Monkey provides info about,
categorized by tactic. You can follow any of the links to learn more about a specific technique or tactic.
| TACTIC | TECHNIQUES |
|--- |--- |
| [Execution](https://attack.mitre.org/tactics/TA0002/) | [Command-line Interface](https://attack.mitre.org/techniques/T1059/) |
| | [Execution Through Module Load](https://attack.mitre.org/techniques/T1129/) |
| | [Execution Through API](https://attack.mitre.org/techniques/T1106/) |
| | [Powershell](https://attack.mitre.org/techniques/T1086/) |
| | [Scripting](https://attack.mitre.org/techniques/T1064/) |
| | [Service Execution](https://attack.mitre.org/techniques/T1035/) |
| | [Trap](https://attack.mitre.org/techniques/T1154/) |
| [Persistence](https://attack.mitre.org/tactics/TA0003/) | [.bash_profile & .bashrc](https://attack.mitre.org/techniques/T1156/) |
| | [Create Account](https://attack.mitre.org/techniques/T1136/) |
| | [Hidden Files & Directories](https://attack.mitre.org/techniques/T1158/) |
| | [Local Job Scheduling](https://attack.mitre.org/techniques/T1168/) |
| | [Powershell Profile](https://attack.mitre.org/techniques/T1504/) |
| | [Scheduled Task](https://attack.mitre.org/techniques/T1053/) |
| | [Setuid & Setgid](https://attack.mitre.org/techniques/T1166/) |
| [Defence Evasion](https://attack.mitre.org/tactics/TA0005/) | [BITS Job](https://attack.mitre.org/techniques/T1197/) |
| | [Clear Command History](https://attack.mitre.org/techniques/T1146/) |
| | [File Deletion](https://attack.mitre.org/techniques/T1107/) |
| | [File Permissions Modification](https://attack.mitre.org/techniques/T1222/) |
| | [Timestomping](https://attack.mitre.org/techniques/T1099/) |
| | [Signed Script Proxy Execution](https://attack.mitre.org/techniques/T1216/) |
| [Credential Access](https://attack.mitre.org/tactics/TA0006/) | [Brute Force](https://attack.mitre.org/techniques/T1110/) |
| | [Credential Dumping](https://attack.mitre.org/techniques/T1003/) |
| | [Private Keys](https://attack.mitre.org/techniques/T1145/) |
| [Discovery](https://attack.mitre.org/tactics/TA0007/) | [Account Discovery](https://attack.mitre.org/techniques/T1087/) |
| | [Remote System Discovery](https://attack.mitre.org/techniques/T1018/) |
| | [System Information Discovery](https://attack.mitre.org/techniques/T1082/) |
| | [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016/) |
| [Lateral Movement](https://attack.mitre.org/tactics/TA0008/) | [Exploitation Of Remote Services](https://attack.mitre.org/techniques/T1210/) |
| | [Pass The Hash](https://attack.mitre.org/techniques/T1075/) |
| | [Remote File Copy](https://attack.mitre.org/techniques/T1105/) |
| | [Remote Services](https://attack.mitre.org/techniques/T1021/) |
| [Collection](https://attack.mitre.org/tactics/TA0009/) | [Data From Local System](https://attack.mitre.org/techniques/T1005) |
| [Command And Control](https://attack.mitre.org/tactics/TA0011/) | [Connection Proxy](https://attack.mitre.org/techniques/T1090/) |
| | [Uncommonly Used Port](https://attack.mitre.org/techniques/T1065/) |
| | [Multi-hop Proxy](https://attack.mitre.org/techniques/T1188/) |
| [Exfiltration](https://attack.mitre.org/tactics/TA0010/) | [Exfiltration Over Command And Control Channel](https://attack.mitre.org/techniques/T1041/)|

6
docs/content/usage/reports/_index.md → docs/content/reports/_index.md
View File

@ -1,13 +1,13 @@
+++
title = "Reports"
date = 2020-06-24T21:16:03+03:00
weight = 5
weight = 40
chapter = true
pre = "<i class='fas fa-scroll'></i> "
+++
# Infection Monkey's Reports
The Monkey offers three reports:
The Infection Monkey offers three reports:
{{% children %}}
{{% children description=true style="p"%}}

37
docs/content/reports/mitre.md Normal file
View File

@ -0,0 +1,37 @@
---
title: "MITRE ATT&CK report"
description: "Maps the Monkey's actions to the MITRE ATT&CK knowledge base"
date: 2020-06-24T21:17:18+03:00
draft: false
---
{{% notice info %}}
Check out [the documentation for other reports available in the Infection Monkey](../) and [the documentation for supported ATT&CK techniques](../../../reference/mitre_techniques).
{{% /notice %}}
The Infection Monkey maps its actions to the [MITRE ATT&CK](https://attack.mitre.org/) knowledge base. After simulating an advanced persistent threat (APT) attack, it generates a report summarizing the success of the techniques utilized along with recommended mitigation steps, helping you identify and mitigate attack paths in your environment.
Watch the overview video:
{{% youtube 3tNrlutqazQ %}}
## How to use the report
The MITRE ATT&CK report is centred around the ATT&CK matrix:
![MITRE Report](/images/usage/reports/mitre-report-0.png "MITRE Report")
The Infection Monkey rates your network on the attack techniques it attempted, assigning one of the corresponding labels to each:
- {{< label danger Red >}}: The Infection Monkey **successfully used** this technique in the simulation. This means your network is vulnerable to the technique.
- {{< label warning Yellow >}}: The Infection Monkey **tried to use** the technique, but wasnt successful. This means your network isn't vulnerable to the way Infection Monkey employed this technique.
- {{< label unused "Dark Gray" >}}: The Monkey **didn't try** the technique. Perhaps it wasn't relevant to this network.
- {{< label disabled "Light Gray" >}}: The Monkey **didn't try** the technique since it wasn't configured.
By clicking on each of the listed techniques, you can see exactly how the Infection Monkey used it and any recommended mitigation steps. For example, let's look at the [**Brute Force**](https://attack.mitre.org/techniques/T1110/) technique that's a part of employing the [**Credentials Access**](https://attack.mitre.org/tactics/TA0006/) tactic:
![MITRE Report Credentials Access technique](/images/usage/reports/mitre-report-cred-access.png "MITRE Report Credentials Access technique")
In this example, you can see how the Infection Monkey was able to use an old `root` password to access all machines in the network. When scrolling to the bottom of this list, you can also see the mitigation steps recommended, including reconfiguring your **Account Use Policies** and implementing **Multi-factor Authentication**.
![MITRE Report Credentials Access technique](/images/usage/reports/mitre-report-cred-access-mitigations.png "MITRE Report Credentials Access technique")

0
docs/content/usage/reports/security.files/infection_monkey_security_report_example.pdf → docs/content/reports/security.files/infection_monkey_security_report_example.pdf
View File

98
docs/content/reports/security.md Normal file
View File

@ -0,0 +1,98 @@
---
title: "Security report"
date: 2020-06-24T21:16:10+03:00
draft: false
description: "Provides actionable recommendations and insight into an attacker's view of your network"
---
{{% notice info %}}
Check out [the documentation for other reports available in the Infection Monkey](../).
{{% /notice %}}
The Infection Monkey's **Security Report** provides you with actionable recommendations and insight into an attacker's view of your network. You can download a PDF of an example report here:
{{%attachments title="Download the PDF" pattern=".*(pdf)"/%}}
The report is split into three main categories:
- [Overview](#overview)
- [High-level information](#high-level-information)
- [Used credentials](#used-credentials)
- [Exploits and targets](#exploits-and-targets)
- [Security findings](#security-findings)
- [Recommendations](#recommendations)
- [Machine-related recommendations relating to specific CVEs](#machine-related-recommendations-relating-to-specific-cves)
- [Machine-related recommendations relating to network security and segmentation](#machine-related-recommendations-relating-to-network-security-and-segmentation)
- [The network from the Monkey's eyes](#the-network-from-the-monkeys-eyes)
- [Network infection map](#network-infection-map)
- [Scanned servers](#scanned-servers)
- [Exploits and post-breach actions](#exploits-and-post-breach-actions)
- [Stolen credentials](#stolen-credentials)
## Overview
The overview section of the report provides high-level information about the Infection Monkey's execution and main security findings.
### High-level information
This section shows general information about the Infection Monkey's execution, including which machine the infection originated from and how long the breach simulation took.
![Overview](/images/usage/reports/sec_report_1_overview.png "Overview")
### Used credentials
This section shows which credentials were used for brute-forcing.
![Used Credentials](/images/usage/reports/sec_report_2_users_passwords.png "Used Credentials")
### Exploits and targets
This section shows which exploits were attempted in this simulation and which targets the Infection Monkey scanned and tried to exploit.
![Exploits and Targets](/images/usage/reports/sec_report_3_exploits_ips.png "Exploits and Targets")
### Security findings
This section highlights the most important security threats and issues discovered during the attack.
![Threats and issues](/images/usage/reports/sec_report_4_threats_and_issues.png "Threats and issues")
## Recommendations
This section contains recommendations for improving your security, including actionable mitigation steps.
### Machine-related recommendations relating to specific CVEs
![Machine-related recommendations](/images/usage/reports/sec_report_5_machine_related.png "Machine related recommendations")
### Machine-related recommendations relating to network security and segmentation
![Machine-related recommendations](/images/usage/reports/sec_report_6_machine_related_network.png "Machine related recommendations")
## The network from the Monkey's eyes
This section contains the infection map and summary tables on servers the Infection Monkey found.
### Network infection map
This section shows the network map and a breakdown of how many machines the Infection Monkey breached.
![Network map](/images/usage/reports/sec_report_7_network_map.png "Network map")
### Scanned servers
This section shows the attack surface the Infection Monkey discovered.
![Scanned servers](/images/usage/reports/sec_report_8_network_services.png "Scanned servers")
### Exploits and post-breach actions
This section shows which exploits and post-beach actions the Infection Monkey performed during the simulation.
![Exploits and PBAs](/images/usage/reports/sec_report_9_exploits_pbas.png "Exploits and PBAs")
### Stolen credentials
This section shows which credentials the Infection Monkey was able to steal from breached machines during this simulation.
![Stolen creds](/images/usage/reports/sec_report_10_stolen_credentials.png "Stolen creds")

45
docs/content/reports/zero-trust.md Normal file
View File

@ -0,0 +1,45 @@
---
title: "Zero Trust report"
date: 2020-06-24T21:16:18+03:00
draft: false
description: "Generates a status report with detailed explanations of Zero Trust security gaps and prescriptive instructions on how to rectify them"
---
{{% notice info %}}
Check out [the documentation for other reports available in the Infection Monkey](../).
{{% /notice %}}
The Guardicore Infection Monkey runs different tests to evaluate your network's adherence to the Zero Trust framework's key components established by Forrester, such as whether you have applied segmentation, verified user identities, enabled encryption and more. Then, the Infection Monkey generates a status report with detailed explanations of security gaps and prescriptive instructions for rectifying them.
Watch the overview video here:
{{% youtube z4FNu3WCd9o %}}
## Summary
This diagram provides you with a quick glance at how your organization scores on each pillar of the Forrester Zero Trust model with **Failed**, **Verify**, **Passed** and **Unexecuted** verdicts.
- {{< label danger Failed >}} At least one of the tests related to this component failed. This means that the Infection Monkey detected an unmet Zero Trust requirement.
- {{< label warning Verify >}} At least one of the tests' results related to this component requires further manual verification.
- {{< label success Passed >}} All Tests related to this pillar passed. No violation of a Zero Trust guiding principle was detected.
- {{< label unused Unexecuted >}} This status means no tests were executed for this pillar.
![Zero Trust Report summary](/images/usage/reports/ztreport1.png "Zero Trust Report summary")
## Test Results
This section shows how your network fared against each of the tests the Infection Monkey ran. The tests are ordered by Zero Trust pillar, so you can quickly navigate to the category you want to prioritize.
![Zero Trust Report test results](/images/usage/reports/ztreport2.png "Zero Trust Report test results")
## Findings
This section shows each test's details, including the explicit events and exact timestamps for the activities that took place in your network. This enables you to compare results with your SOC logs and alerts to gain more in-depth insights.
![Zero Trust Report Findings](/images/usage/reports/ztreport3.png "Zero Trust Report Findings")
## Events
Your results are exportable. Click **Export** after clicking on **Events** to view them in a machine-readable format.
![Zero Trust Report events](/images/usage/reports/ztreport4.png "Zero Trust Report events")

10
docs/content/setup/_index.md
View File

@ -9,14 +9,18 @@ tags = ["setup"]
# Setting up Infection Monkey
Setting up Infection Monkey is really easy! First, you need to {{% button href="https://infectionmonkey.com/" icon="fas fa-download" %}}download the Infection Monkey from our site{{% /button %}}.
Setting up the Infection Monkey is easy! First, you need to {{% button href="https://infectionmonkey.com/" icon="fas fa-download" %}}Download the Infection Monkey{{% /button %}}.
Once you've downloaded an installer, you can follow the relevant guide for your environment:
Once you've downloaded an installer, follow the relevant guide for your environment:
{{% children %}}
Once you're done setting the Monkey up, check out our [Getting Started](../usage/getting-started) guide!
After setting the Monkey up, check out our [Getting Started](../usage/getting-started) guide!
{{% notice tip %}}
You can find information about [operating system compatibility and support here](../reference/operating_systems_support).
{{% /notice %}}
{{% notice tip %}}
You can find the binary checksums of our installers to verify their integrity [on this page](../usage/file-checksums).
{{% /notice %}}

12
docs/content/setup/accounts-and-security.md
View File

@ -7,15 +7,17 @@ pre: "<i class='fas fa-user-lock'></i> "
tags: ["usage", "password"]
---
## Security in Infection Monkey
## Security in the Infection Monkey
The first time you launch Monkey Island (Infection Monkey CC server), you'll be prompted to create an account and secure your island. After your account is created, the server will only be accessible via the credentials you chose.
The first time you launch Monkey Island (the Infection Monkey C&C server), you'll be prompted to create an account and secure your island. After account creation, the server will only be accessible via the credentials you entered.
If you want island to be accessible without credentials press *I want anyone to access the island*. Please note that this option is insecure: you should only pick this for use in development environments.
If you want an island to be accessible without credentials, press *I want anyone to access the island*. Please note that this option is insecure, and you should only use it in development environments.
## Resetting account credentials
## Resetting your account credentials
To reset credentials edit `monkey_island\cc\server_config.json` by deleting `user` and `password_hash` variables. Then restart the Monkey Island server and you should be prompted with registration form again.
To reset your credentials, edit `monkey_island\cc\server_config.json` by deleting the `user` and `password_hash` variables.
When you restart the Monkey Island server, you will again be prompted with the registration form.
Example `server_config.json` for account reset:

28
docs/content/setup/aws.md
View File

@ -9,31 +9,41 @@ tags: ["setup", "aws"]
## Deployment
On the [Infection Monkeys AWS Marketplace page](https://aws.amazon.com/marketplace/pp/GuardiCore-Infection-Monkey/B07B3J7K6D), click **Continue to Subscribe**.
On the [Infection Monkey's AWS Marketplace page](https://aws.amazon.com/marketplace/pp/GuardiCore-Infection-Monkey/B07B3J7K6D), click **Continue to Subscribe**.
1. Choose the desired region.
1. Choose an EC2 instance type with at least 1GB of RAM for optimal performance or stick with the recommended.
1. Select the VPC and subnet you want the instance to be in.
1. Choose an EC2 instance type with at least 1GB of RAM for optimal performance or stick with the default recommendation.
1. Select the VPC and subnet you want to use for the new instance.
1. In the Security Group section, make sure ports 5000 and 5001 on the machine are accessible for inbound TCP traffic.
1. Choose an existing EC2 key pair for authenticating with your new instance.
1. Choose an existing EC2 key pair for authenticating with the new instance.
1. Click **Launch with 1-click.**
At this point, AWS will instance and deploy your new machine.
At this point, AWS will instance and deploy the new machine.
When ready, you can browse to the Infection Monkey running on your fresh deployment at:
When ready, you can browse to the Infection Monkey running on the fresh deployment at:
`https://{public-ip}:5000`
You will be presented a login page. Use the username **monkey**, and the new EC2 instaces instance ID for password. You can find the instance id by going to the EC2 console and selecting your instance. It should appear in the details pane below.
You will be presented with a login page. Enter the username **monkey**, and the
new EC2 instance's **instance ID** for your password. To find your instance ID,
go to the EC2 console and select your instance. It should appear in the details
pane below.
![AWS instance ID](../../images/setup/aws/aws-instance-id.png "AWS instance ID")
## Integration with AWS services
The Monkey has built-in integrations with AWS services for better execution and reporting. See [Usage -> Integrations](../../usage/integrations) for more details.
The Infection Monkey has built-in integrations with AWS services for better
execution and reporting. See [Usage -> Integrations](../../usage/integrations)
for more details.
## Upgrading
Currently there's no "upgrade-in-place" option when a new version comes out. To get the new version, you can deploy a new machine from the marketplace. If you'd like to keep your existing configuration, you can export it to a file by using the Export button and then import it to the new Monkey Island.
Currently, there's no "upgrade-in-place" option when a new version is released.
To get an updated version, you can deploy a new machine from the marketplace.
If you'd like to keep your existing configuration, you can export it to a file
using the *Export config* button and then import it to the new Monkey Island.
![Export configuration](../../images/setup/export-configuration.png "Export configuration")

19
docs/content/setup/azure.md
View File

@ -9,26 +9,31 @@ tags: ["setup", "azure"]
## Deployment
Select [Infection Monkey from the Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/guardicore.infection_monkey) and click **GET IT NOW**.
Select the [Infection Monkey from the Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/guardicore.infection_monkey) and click **GET IT NOW**.
1. Under **Basics**:
1. Choose a name for your Infection Monkey instance, such as InfectionMonkey.
1. Choose a username and password or provide a SSH public key for authentication.
1. Choose a resource group and the location your instance will be deployed in.
1. Choose a name for the new Infection Monkey instance, such as InfectionMonkey.
1. Choose a username and password, or provide an SSH public key for authentication.
1. Choose a resource group and the location for the Infection Monkey instance.
1. Under **Size**
1. Choose a machine size with at least 1GB of RAM for optimal performance.
1. Under **Settings**
1. Choose the network the new instance will be a member of.
1. Choose the network for the new instance.
1. In the **Network Security Group** field, make sure ports 5000 and 5001 on the machine are accessible for inbound TCP traffic.
1. Under **Summary**
1. Review the details of the offer and click **Create**.
At this point, Azure will instance and deploy your new machine. When ready, you can browse to the Infection Monkey running on your fresh deployment at:
At this point, Azure will provision and deploy your new machine. When ready,
you can browse to the Infection Monkey running on your fresh deployment at:
`https://{public-ip-address}:5000`
## Upgrading
Currently there's no "upgrade-in-place" option when a new version comes out. To get the new version, you can deploy a new machine from the marketplace. If you'd like to keep your existing configuration, you can export it to a file by using the Export button and then import it to the new Monkey Island.
Currently, there's no "upgrade-in-place" option when a new version is released.
To get the updated version, you can deploy a new machine from the marketplace.
If you'd like to keep your existing configuration, you can export it to a file
using the *Export config* button and then import it to the new Monkey Island.
![Export configuration](../../images/setup/export-configuration.png "Export configuration")

71
docs/content/setup/debian.md
View File

@ -8,37 +8,57 @@ disableToc: false
tags: ["setup", "debian", "linux"]
---
## Supported Distros
This Debian package has been tested on Ubuntu Bionic 18.04 LTS and Ubuntu Focal 20.04 LTS.
## Deployment
To extract the `tar.gz` file, run `tar -xvzf monkey-island-debian.tar.gz`.
1. Update your package list by running:
```sh
sudo apt update
```
1. If you are using Ubuntu Focal 20.04, run the following commands to install
Python 3.7:
```sh
sudo apt install software-properties-common
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt install python3.7 python3.7-dev
```
1. Extract the tarball by running:
```sh
tar -xvzf monkey-island-debian.tgz
```
1. Install the Monkey Island Debian package:
```sh
sudo dpkg -i monkey_island.deb # this might print errors
```
1. If, at this point, you receive dpkg errors that look like this:
To deploy the package, once youve extracted it, run the following commands:
```sh
dpkg: error processing package gc-monkey-island (--install):
dependency problems - leaving unconfigured
Errors were encountered while processing:
gc-monkey-island
```
```sh
sudo apt update
sudo dpkg -i monkey_island.deb # this might print errors
```
It just means that not all dependencies were pre-installed on your system.
That's no problem! Just run the following command, which will install all
dependencies, and then install the Monkey Island:
If at this point, dpkg printed errors that look like this:
```sh
dpkg: error processing package gc-monkey-island (--install):
dependency problems - leaving unconfigured
Errors were encountered while processing:
gc-monkey-island
```
That just means that not all dependencies were pre-installed on your system. Thats no problem! Just run the following command, which will install all dependencies and then install the Monkey Island:
```sh
sudo apt install -f
```
```sh
sudo apt install -f
```
## Troubleshooting
### Trying to install on Ubuntu <16.04
If youre trying to install the Monkey Island on Ubuntu 16.04 or older, you need to install the dependencies yourself, since Python 3.7 is only installable from the `deadsnakes` PPA. To install the Monkey Island on Ubuntu 16.04, follow the following steps:
If you're trying to install the Monkey Island on Ubuntu 16.04 or older, you
need to install the dependencies yourself, since Python 3.7 is only installable
from the `deadsnakes` PPA. To install the Monkey Island on Ubuntu 16.04, follow
these steps:
```sh
sudo apt update
@ -57,8 +77,13 @@ To check the status of the Monkey Island after the installation, run the followi
## Upgrading
To upgrade when a new version comes out, download the new Monkey `.deb` file and install it. You should see a message like `Unpacking monkey-island (1.8.2) over (1.8.0)`. After which, the installation should complete successfully.
Currently, there's no "upgrade-in-place" option when a new version is released.
To get the updated version, download the new `.deb` file and install it. You
should see a message like `Unpacking monkey-island (1.8.2) over (1.8.0)`. After
which, the installation should complete successfully.
If you'd like to keep your existing configuration, you can export it to a file by using the Export button and then import it to the new server.
If you'd like to keep your existing configuration, you can export it to a file
using the *Export config* button and then import it to the new Monkey Island.
![Export configuration](../../images/setup/export-configuration.png "Export configuration")

17
docs/content/setup/docker.md
View File

@ -11,20 +11,23 @@ tags: ["setup", "docker", "linux", "windows"]
To extract the `tar.gz` file, run `tar -xvzf monkey-island-docker.tar.gz`.
Once youve extracted the container from the tar.gz file, run the following commands:
Once you've extracted the container from the tar.gz file, run the following commands:
```sh
sudo docker load -i dk.monkeyisland.1.9.0.tar
sudo docker pull mongo
sudo docker load -i dk.monkeyisland.1.10.0.tar
sudo docker pull mongo:4.2
sudo mkdir -p /var/monkey-mongo/data/db
sudo docker run --name monkey-mongo --network=host -v /var/monkey-mongo/data/db:/data/db -d mongo
sudo docker run --name monkey-island --network=host -d guardicore/monkey-island:1.9.0
sudo docker run --name monkey-mongo --network=host -v /var/monkey-mongo/data/db:/data/db -d mongo:4.2
sudo docker run --name monkey-island --network=host -d guardicore/monkey-island:1.10.0
```
## Upgrading
There's no "upgrade-in-place" option for Docker. To get the new version, download it, stop the current container, and run the installation commands again with the new file.
Currently, there's no "upgrade-in-place" option when a new version is released.
To get an updated version, download it, stop the current container and run the
installation commands again with the new file.
If you'd like to keep your existing configuration, you can export it to a file by using the Export button and then import it to the new server.
If you'd like to keep your existing configuration, you can export it to a file
using the *Export config* button and then import it to the new Monkey Island.
![Export configuration](../../images/setup/export-configuration.png "Export configuration")

77
docs/content/setup/vmware.md
View File

@ -9,54 +9,67 @@ tags: ["setup", "vmware"]
## Deployment
1. Deploy the Infection Monkey OVA by choosing Deploy OVF Template and follow the wizard instructions. *Note: make sure port 5000 and 5001 on the machine are accessible for inbound TCP traffic.*
2. Turn on the Infection Monkey VM.
3. Log in to the machine with the following credentials:
1. Deploy the Infection Monkey OVA by choosing **Deploy OVF Template** and
following the wizard instructions. *Note: make sure ports 5000 and 5001 on
the machine are accessible for inbound TCP traffic.*
1. Turn on the Infection Monkey VM.
1. Log in to the machine with the following credentials:
1. Username: **monkeyuser**
2. Password: **Noon.Earth.Always**
4. It's recommended to change the machine passwords by running the following commands: `sudo passwd monkeyuser`, `sudo passwd root`.
1. Password: **Noon.Earth.Always**
1. For security purposes, it's recommended that you change the machine
passwords by running the following commands: `sudo passwd monkeyuser`, `sudo
passwd root`.
## OVA network modes
The OVA can be used in one of two modes:
You can use the OVA in one of two modes:
1. In a network with DHCP configured. In this case, the Monkey Island will automatically query and receive an IP address from the network.
1. With a static IP address.
In this case, you should login to the VM console with
username `root` and password `G3aJ9szrvkxTmfAG`. After logging in, edit the interfaces file. You can do that by writing the following command in the prompt:
1. In a network with the DHCP configured — In this case, the Monkey Island will
automatically query and receive an IP address from the network.
1. With a static IP address — In this case, you should log in to the VM console
with the username `monkeyuser` and the password `Noon.Earth.Always`. After logging
in, edit the Netplan configuration by entering the following command in the
prompt:
```sh
sudo nano /etc/network/interfaces
sudo nano /etc/netplan/00-installer-config.yaml
```
And change the lines:
Make the following changes:
```diff
# This is the network config written by 'subiquity'
network:
ethernets:
ens160:
- dhcp4: true
+ dhcp4: false
+ addresses: [XXX.XXX.XXX.XXX/24]
+ gateway4: YYY.YYY.YYY.YYY
+ nameservers:
+ addresses: [1.1.1.1]
version: 2
```
Replace `XXX.XXX.XXX.XXX` with the desired IP addess of the VM. Replace
`YYY.YYY.YYY.YYY` with the default gateway.
Save the changes then run the command:
```sh
auto ens160
iface ens160 inet dhcp
sudo netplan apply
```
to the following:
```sh
auto ens160
iface ens160 inet static
address AAA.BBB.CCC.DDD
netmask XXX.XXX.XXX.XXX
gateway YYY.YYY.YYY.YYY
```
Save the changes then run the command
```sh
sudo ifdown ens160 && ifup ens160
```
If this configuration does not suit your needs, see
https://netplan.io/examples/ for more information about how to configure
Netplan.
## Upgrading
There's no "upgrade-in-place" option for Docker. To get the new version, download it, stop the current container, and run the installation commands again with the new file.
Currently, there's no "upgrade-in-place" option when a new version is released.
To get an updated version, download the updated OVA file.
If you'd like to keep your existing configuration, you can export it to a file by using the Export button and then import it to the new server.
If you'd like to keep your existing configuration, you can export it to a file
using the *Export config* button and then import it to the new Monkey Island.
![Export configuration](../../images/setup/export-configuration.png "Export configuration")

21
docs/content/setup/windows.md
View File

@ -9,27 +9,34 @@ tags: ["setup", "windows"]
## Deployment
Run the installer, and you should be met with the following screen:
After running the installer, the following prompt should appear on the screen:
![Windows installer screenshot](../../images/setup/windows/installer-screenshot-1.png "Windows installer screenshot")
1. Follow the steps of the installation.
1. Follow the steps to complete the installation.
1. Run the Monkey Island by clicking on the desktop shortcut.
## Troubleshooting
### Missing windows update
### Missing Windows update
The installer requires [Windows update #2999226](https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows) to be installed. If youre having trouble running the installer, please make sure to install that update via Windows Update or manually from the link.
The installer requires [Windows update #2999226](https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows).
If you're having trouble running the installer, please make sure to install the
update via Windows Update or manually from the link above.
### Supported browsers
The Monkey Island supports Chrome (and Chrome-based) browsers. Some Windows Servers only have Internet Explorer installed. Make sure to use Chrome or a similar modern browser. [You can download Google Chrome from here](https://www.google.com/chrome/).
The Monkey Island supports Chrome (and Chrome-based) browsers. If your Windows
server only has Internet Explorer installed, please install Chrome or a similar
modern browser. [You can download Google Chrome
here](https://www.google.com/chrome/).
## Upgrading
To upgrade, download the new installer and run it. The new Monkey version should be installed over the old one.
To upgrade the Infection Monkey on Windows, download the new installer and run
it. The new Monkey version will be installed over the old version.
If you'd like to keep your existing configuration, you can export it to a file by using the Export button and then import it to the new server.
If you'd like to keep your existing configuration, you can export it to a file
using the *Export config* button and then import it to the new Monkey Island.
![Export configuration](../../images/setup/export-configuration.png "Export configuration")

4
docs/content/usage/_index.md
View File

@ -8,6 +8,6 @@ pre = '<i class="fas fa-users-cog"></i> '
# Usage
If you're just starting with Infection Monkey, check out our [Getting Started](getting-started) page.
If you're new to the Infection Monkey, check out our [Getting Started](getting-started) page.
If you haven't downloaded Monkey yet, {{% button href="https://www.guardicore.com/infectionmonkey/#download" icon="fas fa-download" %}}Get Infection Monkey here{{% /button %}}!
If you haven't downloaded the Infection Monkey yet, {{% button href="https://www.guardicore.com/infectionmonkey/#download" icon="fas fa-download" %}}Get Infection Monkey here{{% /button %}}!

6
docs/content/usage/configuration/_index.md
View File

@ -7,9 +7,9 @@ weight: 3
pre: "<i class='fas fa-sliders-h'></i> "
---
# Configure the Monkey
# Configure the Infection Monkey
The Monkey is highly configurable. Nearly every part of it can be modified to turn it to a fast acting worm or into a port scanning and system information collecting machine.
The Infection Monkey is highly configurable. Nearly every part of it can be modified to turn it into a fast-acting worm or a port scanning and system information collecting machine.
{{% notice warning %}}
This section of the documentation is incomplete and under active construction.
@ -17,4 +17,4 @@ This section of the documentation is incomplete and under active construction.
See these documentation pages for information on each configuration value:
{{% children description=true %}}
{{% children description=true style="p"%}}

4
docs/content/usage/configuration/basic-credentials.md
View File

@ -5,6 +5,6 @@ draft: false
description: "Configure credentials that the Monkey will use for propagation."
---
In this screen you can feed the Monkey with “stolen” credentials for your network, simulating an attacker with inside knowledge.
On this screen you can feed the Infection Monkey “stolen” credentials from your network, simulating an attacker with inside knowledge.
![Configure credentials](/images/usage/configruation/credentials.png "Configure credentials")
![Configure credentials](/images/usage/configuration/credentials.png "Configure credentials")

6
docs/content/usage/configuration/basic-network.md
View File

@ -7,6 +7,6 @@ description: "Configure settings related to the Monkey's network activity."
Here you can control multiple important settings, such as:
* Network propagation depth - How many hops from the base machine will the Monkey spread
* Local network scan - Should the Monkey attempt to attack any machine in its subnet
* Scanner IP/subnet list - Specific IP ranges that the Monkey should try to attack.
* Network propagation depth - How many hops from the base machine will the Infection Monkey spread?
* Local network scan - Should the Infection Monkey attempt to attack any machine in its subnet?
* Scanner IP/subnet list - Which specific IP ranges should the Infection Monkey should try to attack?

168
docs/content/usage/file-checksums.md
View File

@ -20,7 +20,7 @@ Get-FileHash '.\Monkey Island v1.8.2_3536_windows.exe' | Format-List
# Should print
# Algorithm : SHA256
# Hash : 2BE528685D675C882604D98382ADB739F5BA0A7E234E3569B21F535173BD9569
# Path : C:\Users\shay.nehmad\Desktop\work\compiled monkeys\1.8.2\Monkey Island v1.8.2_3536_windows.exe
# Path : C:\Users\shay.nehmad\Desktop\work\compiled monkeys\1.8.2\Monkey Island v1.8.2_3536_windows.exe <-- Your path will be different
```
### On Linux
@ -28,27 +28,163 @@ Get-FileHash '.\Monkey Island v1.8.2_3536_windows.exe' | Format-List
Use the `sha256sum` <i class="fas fa-terminal"></i> shell command, like so:
```sh
sha256sum monkey-linux-64
$ sha256sum monkey-linux-64
# Should print:
# 734dd2580f3d483210daf54c063a0a972911bbe9afb6ebc6278f86cd6b05e7ab monkey-linux-64
```
## Latest version checksums
| Filename | Type | Version | SHA256 hash |
|-|-|-|-|
monkey-windows-64.exe | Windows Agent | 1.8.2 | `2e6a1cb5523d87ddfd48f75b10114617343fbac8125fa950ba7f00289b38b550`
monkey-windows-32.exe | Windows Agent | 1.8.2 | `86a7d7065e73b795e38f2033be0c53f3ac808cc67478aed794a7a6c89123979f`
monkey-linux-64 | Linux Agent | 1.8.2 | `4dce4a115d41b43adffc11672fae2164265f8902267f1355d02bebb802bd45c5`
monkey-linux-32 | Linux Agent | 1.8.2 | `39d3fe1c7b33482a8cb9288d323dde17b539825ab2d736be66a9582764185478`
infection_monkey_deb.tgz | Debian Package | 1.8.2 | `2a6b4b9b846566724ff985c6cc8283222b981b3495dd5a8920b6bc3f34d556e2`
Monkey Island v1.8.2_3536_windows.exe | Windows Installer | 1.8.2 | `2be528685d675c882604d98382adb739f5ba0a7e234e3569b21f535173bd9569`
Monkey Island v1.8.2_3536_windowszt.exe | Windows Installer | 1.8.2 | `f282ce4dd50abe54671948fb5b3baf913087459444e451660971290a72fe244a`
infection_monkey_docker_docker_20200607_172156.tgz | Docker | 1.8.2 | `0e4bc731ef7e8bf19b759709672375890136c008526be454850d334d9ba5012d`
infection_monkey_docker_dockerzt_20200607_172521.tgz | Docker | 1.8.2 | `0f4b0cd6fd54dc14ea50c5d2fb3fc711e9863518bd5bffd04e08a0f17eb99e75`
| Filename | Type | Version | SHA256 |
|------------------------------------------------------|-------------------|---------|--------------------------------------------------------------------|
| monkey-windows-64.exe | Windows Agent | 1.10.0 | `3b499a4cf1a67a33a91c73b05884e4d6749e990e444fa1d2a3281af4db833fa1` |
| monkey-windows-32.exe | Windows Agent | 1.10.0 | `8e891e90b11b97fbbef27f1408c1fcad486b19c612773f2d6a9edac5d4cdb47f` |
| monkey-linux-64 | Linux Agent | 1.10.0 | `932f703510b6484c3824fc797f90f99722e38a7f8956cf6fa58fdecb3790ab93` |
| monkey-linux-32 | Linux Agent | 1.10.0 | `a6de7d571051292b9db966afe025413dc20b214c4aab53e48d90d8e04264f4f5` |
| infection_monkey_deb.tgz | Debian Package | 1.10.0 | `534d85c4abc78e2c86a74d8b88759b091b62077dd9e32f02eeb43d716d359ff6` |
| infection_monkey_debzt.tgz | Debian Package | 1.10.0 | `bd01d8482f80990e6cc0ed654c07dbd80da71eebe3dd244365e9bc00f86b1c03` |
| Monkey Island v1.10.0_3593_windows.exe | Windows Installer | 1.10.0 | `ebd2c5627d21dd8670def02c3a5a995f9e799ba567cf4caacd702654264ddf06` |
| Monkey Island v1.10.0_3593_windowszt.exe | Windows Installer | 1.10.0 | `60aaf3b32e5d06c91fe0d4f1b950529517ac33796f67e9ccfef0e8ce1c5372d8` |
| infection_monkey_docker_docker_20210326_171631.tgz | Docker | 1.10.0 | `e4f9c7c5aafe7e38b33d2927a9c0cf6a3ac27858d3d0e3f2252c2e91809a78db` |
| infection_monkey_docker_dockerzt_20210326_172035.tgz | Docker | 1.10.0 | `248640e9eaa18e4c27f67237f0594d9533732f372ba4674d5d1bea43ab498cf5` |
| monkey-island-vmware.ova | OVA | 1.10.0 | `3472ad4ae557ddad7d7db8fbbfcfd33c4f2d95d870b18fa4cab49af6b562009c` |
| monkey-island-vmwarezt.ova | OVA | 1.10.0 | `3472ad4ae557ddad7d7db8fbbfcfd33c4f2d95d870b18fa4cab49af6b562009c` |
## All checksums
### 1.8.0 and older
## Older checksums
You can find all these checksums in [this page](https://www.guardicore.com/infectionmonkey/checksums.html).
| Filename | Type | Version | SHA256 |
|------------------------------------------------------|-------------------|---------|--------------------------------------------------------------------|
| monkey-windows-64.exe | Windows Agent | 1.9.0 | `24622cb8dbabb0cf4b25ecd3c13800c72ec5b59b76895b737ece509640d4c068` |
| monkey-windows-32.exe | Windows Agent | 1.9.0 | `67f12171c3859a21fc8f54c5b2299790985453e9ac028bb80efc7328927be3d8` |
| monkey-linux-64 | Linux Agent | 1.9.0 | `aec6b14dc2bea694eb01b517cca70477deeb695f39d40b1d9e5ce02a8075c956` |
| monkey-linux-32 | Linux Agent | 1.9.0 | `4c24318026239530ed2437bfef1a01147bb1f3479696eb4eee6009326ce6b380` |
| infection_monkey_deb.tgz | Debian Package | 1.9.0 | `33c23ddae283e3aafe965d264bc88464b66db3dd6874fd7e5cbcd4e931b3bb25` |
| infection_monkey_debzt.tgz | Debian Package | 1.9.0 | `cc53fe9632f44248357d6bd20cf8629be9baf8688468fa6d3e186dcebf10cef6` |
| Monkey Island v1.9.0_3546_windows.exe | Windows Installer | 1.9.0 | `371f6d25e8cb16ea7ebdfd367092ee65b33db2ec35b44d96705716641eaa59e8` |
| Monkey Island v1.9.0_3546_windowszt.exe | Windows Installer | 1.9.0 | `662c611fb83bb8c7ef5f99c5d5ae04f5758727c688238d6a3cd4c58675581695` |
| infection_monkey_docker_docker_20200806_153913.tgz | Docker | 1.9.0 | `5da11c539045a395ced5dd572d331c4f0e9315a3ee192c06279ff4fef668b96e` |
| infection_monkey_docker_dockerzt_20200806_154742.tgz | Docker | 1.9.0 | `a84dbaad32ae42cc2d359ffbe062aec493a7253cf706a2d45f0d0b1c230f9348` |
| monkey-island-vmware.ova | OVA | 1.9.0 | `3861d46518e8a92e49992b26dbff9fe8e8a4ac5fd24d68e68b13e7fd3fa22247` |
| monkey-island-vmwarezt.ova | OVA | 1.9.0 | `03d356eb35e6515146f5bd798bb62cb15c56fcdf83a5281cf6cdc9b901586026` |
| monkey-windows-64.exe | Windows Agent | 1.8.2 | `2e6a1cb5523d87ddfd48f75b10114617343fbac8125fa950ba7f00289b38b550` |
| monkey-windows-32.exe | Windows Agent | 1.8.2 | `86a7d7065e73b795e38f2033be0c53f3ac808cc67478aed794a7a6c89123979f` |
| monkey-linux-64 | Linux Agent | 1.8.2 | `4dce4a115d41b43adffc11672fae2164265f8902267f1355d02bebb802bd45c5` |
| monkey-linux-32 | Linux Agent | 1.8.2 | `39d3fe1c7b33482a8cb9288d323dde17b539825ab2d736be66a9582764185478` |
| infection_monkey_deb.tgz | Debian Package | 1.8.2 | `2a6b4b9b846566724ff985c6cc8283222b981b3495dd5a8920b6bc3f34d556e2` |
| Monkey Island v1.8.2_3536_windows.exe | Windows Installer | 1.8.2 | `2be528685d675c882604d98382adb739f5ba0a7e234e3569b21f535173bd9569` |
| Monkey Island v1.8.2_3536_windowszt.exe | Windows Installer | 1.8.2 | `f282ce4dd50abe54671948fb5b3baf913087459444e451660971290a72fe244a` |
| infection_monkey_docker_docker_20200607_172156.tgz | Docker | 1.8.2 | `0e4bc731ef7e8bf19b759709672375890136c008526be454850d334d9ba5012d` |
| infection_monkey_docker_dockerzt_20200607_172521.tgz | Docker | 1.8.2 | `0f4b0cd6fd54dc14ea50c5d2fb3fc711e9863518bd5bffd04e08a0f17eb99e75` |
| monkey-windows-64.exe | Windows Agent | 1.8.0 | `f0bc144ba4ff46094225adaf70d3e92e9aaddb13b59e4e47aa3c2b26fd7d9ad7` |
| monkey-windows-32.exe | Windows Agent | 1.8.0 | `1ddb093f9088a4d4c0af289ff568bbe7a0d057e725e6447055d4fe6c5f4e2c08` |
| monkey-linux-64 | Linux Agent | 1.8.0 | `d41314e5df72d5a470974522935c0b03dcb1c1e6b094d4ab700b04d5fec59ae6` |
| monkey-linux-32 | Linux Agent | 1.8.0 | `217cc2b9481f6454fa0a13adf12d9b29ce4e1e6a319971c8db9b446952ce3fb2` |
| infection_monkey_deb.tgz | Debian Package | 1.8.0 | `9c5254583ce786768ea55df8063152bd19e0f21a83e6f4f873c5dccc5a1c9d5e` |
| infection_monkey_debzt.tgz | Debian Package | 1.8.0 | `90A0824EC98680944B15B86CF5CFA09D48EDA406300C4CAE54432DB05F486D07` |
| Monkey Island v1.8.0_3513_windows.exe | Windows Installer | 1.8.0 | `ce9a9d0539c14ebe2a10cf3b36991b309abd7b62dd7fb7522a549d8987b0f0f4` |
| Monkey Island v1.8.0_3514_windowszt.exe | Windows Installer | 1.8.0 | `0b535a802ac43455d702b45673859b940c1feb7702b46a6a2cbc699672b0c89d` |
| infection_monkey_docker_docker_20200330_201419.tgz | Docker | 1.8.0 | `4f15a5008e43d8c5184456771dd9e8d70104b4ec79e34b53d230662604a7d190` |
| infection_monkey_docker_dockerzt_20200401_174529.tgz | Docker | 1.8.0 | `d94404134d879f3d859c77454df4abd0dbca00b8cae4b1c52d3b38e847f34e4c` |
| monkey-island-vmware.ova | OVA | 1.8.0 | `6BC4E85A0EA81045BD88E2D5A9F98F0DD40DE99E94D1E343D13FA418045A6915` |
| monkey-island-vmwarezt.ova | OVA | 1.8.0 | `79A043D85521F94024F8B0428A7A33B4D3F5B13F9D2B83F72C73C8D0BB12ED91` |
| monkey-linux-64 | Debian Package | 1.8.0 | `b0de3931f6b9c2d986860151e5094e4c57aafa5e3e4aced828ecba36e4ece851` |
| infection_monkey_docker_docker_20200330_201419.tgz | Docker | 1.8.0 | `4f15a5008e43d8c5184456771dd9e8d70104b4ec79e34b53d230662604a7d190` |
| Monkey Island v1.8.0_3513_windows.exe | Windows Installer | 1.8.0 | `ce9a9d0539c14ebe2a10cf3b36991b309abd7b62dd7fb7522a549d8987b0f0f4` |
| monkey-windows-64.exe | Windows Agent | 1.8.0 | `f0bc144ba4ff46094225adaf70d3e92e9aaddb13b59e4e47aa3c2b26fd7d9ad7` |
| monkey-linux-64 | Linux Agent | 1.8.0 | `d41314e5df72d5a470974522935c0b03dcb1c1e6b094d4ab700b04d5fec59ae6` |
| monkey-windows-32.exe | Windows Agent | 1.8.0 | `1ddb093f9088a4d4c0af289ff568bbe7a0d057e725e6447055d4fe6c5f4e2c08` |
| monkey-linux-32 | Linux Agent | 1.8.0 | `217cc2b9481f6454fa0a13adf12d9b29ce4e1e6a319971c8db9b446952ce3fb2` |
| infection_monkey_deb.tgz | Debian Package | 1.8.0 | `9c5254583ce786768ea55df8063152bd19e0f21a83e6f4f873c5dccc5a1c9d5e` |
| infection_monkey_debzt.tgz | Debian Package | 1.8.0 | `90A0824EC98680944B15B86CF5CFA09D48EDA406300C4CAE54432DB05F486D07` |
| infection_monkey_docker_docker_20200401_174048.tgz | Docker | 1.8.0 | `ae59b222a94e1ec83a1c36917bc5cd3d119057e146ac01242af91808f3dce37a` |
| infection_monkey_docker_dockerzt_20200401_174529.tgz | Docker | 1.8.0 | `d94404134d879f3d859c77454df4abd0dbca00b8cae4b1c52d3b38e847f34e4c` |
| Monkey Island v1.8.0_3514_windows.exe | Windows Installer | 1.8.0 | `a56bd98ca3d0dd260f26ac5ee46022fd5ca3f9081a43535b4f57cef43c345dc0` |
| Monkey Island v1.8.0_3514_windowszt.exe | Windows Installer | 1.8.0 | `0b535a802ac43455d702b45673859b940c1feb7702b46a6a2cbc699672b0c89d` |
| Monkey Island v1.8.0_3516_windows.exe | Windows Installer | 1.8.0 | `a31a3837d8ca722e8db10148704237b032e5ef62acc080a82ab80f009d8de6bd` |
| Monkey Island v1.8.0_3517_windows.exe | Windows Installer | 1.8.0 | `450e9ea58a5282f506f819bdc3d4477bbc917d74ee837ca0cc3e62b4a923fef1` |
| Monkey Island v1.8.0_3519_windows.exe | Windows Installer | 1.8.0 | `dfaf7b11b148a5648ca92887d731633f85b68dc82313616f0009eee123c47352` |
| Monkey Island v1.8.0_3520_windows.exe | Windows Installer | 1.8.0 | `719427a7f1878555d6940485330f51e2ddb3331c96b60a1719f6e21987efb3d3` |
| Monkey Island v1.8.0_3521_windows.exe | Windows Installer | 1.8.0 | `a9a37ec2677fc7d224c5993f914ba402c9f86c2f909dc5d649f67d08802dc847` |
| Monkey Island v1.8.0_3522_windows.exe | Windows Installer | 1.8.0 | `4aaa5a99a108ab3cb14b9268a32ac68cb2de4a001ae0e4374ca779824981ea64` |
| Monkey Island v1.8.0_3523_windows.exe | Windows Installer | 1.8.0 | `4f029d2683cf68e63f8b426fa19df9561add0ed169821b4fc83c2721f0939520` |
| Monkey Island v1.8.0_3525_windows.exe | Windows Installer | 1.8.0 | `4a660cf5eda5beae844e5a62031972304eaa0432c32708f11d94dc0a501be182` |
| Monkey Island v1.8.0_3525_windowszt.exe | Windows Installer | 1.8.0 | `980ba04ef9f6395e2885851f906ee3ed57d696a2e984aa1e7a59446a57ce0408` |
| infection_monkey_docker_docker_20200419_160310.tgz | Docker | 1.8.0 | `999edc833484f51475db5a56e0557b59d09f520453b8077c60f7d9359b504299` |
| infection_monkey_docker_dockerzt_20200419_160542.tgz | Docker | 1.8.0 | `87ec632837d4add968831ee7fd271871f89e5b29e251d046ebf100bc94bb755e` |
| Monkey Island v1.8.0_3526_windows.exe | Windows Installer | 1.8.0 | `6b6c05f3575eef9b95c1624f74953e54654211de4ae1ad738b287e661f002989` |
| Monkey Island v1.8.0_3526_windowszt.exe | Windows Installer | 1.8.0 | `f181e58820817d76274fab3ee2a7824fc0d5b1f637d7f5c7fe111eb7061844f2` |
| Monkey Island v1.8.0_3527_windows.exe | Windows Installer | 1.8.0 | `94c2e09ca103bc22206715783616af91e58fe773a04c975d6a09d48d9a5759b2` |
| infection_monkey_docker_docker_20200420_151527.tgz | Docker | 1.8.0 | `fe4512fd46c3be6c9416287e3a703e8453a46a17b05404ba72035036946f6dbd` |
| infection_monkey_docker_docker_20200420_153306.tgz | Docker | 1.8.0 | `17ef5de58a49168a70085cb80063355ac489139c88d029d175a09e36524fe224` |
| infection_monkey_docker_docker_20200420_174533.tgz | Docker | 1.8.0 | `fcf57ab8b1b77bcf678765c90798b950fd4a62019c48ebeeac37e9d3011b6b2e` |
| infection_monkey_docker_docker_20200427_184208.tgz | Docker | 1.8.0 | `082165abd8c45d9731472ae0877fecedfbcefcff8c0003b43d4300854908f0cb` |
| infection_monkey_docker_dockerzt_20200427_184441.tgz | Docker | 1.8.0 | `74f824ecb14f5d47182156999d5aeaf2177d719c6f53ed81b68606b2ed931647` |
| Monkey Island v1.8.0_3528_windows.exe | Windows Installer | 1.8.0 | `baa13321c88223acd0262137ba018f9cbea869b5d1920565a5e6c8eb2c83b80e` |
| Monkey Island v1.8.0_3528_windowszt.exe | Windows Installer | 1.8.0 | `466f7c3aa052163f10e154ec787b31a98b54ced8cffc17373525e8ca39ec2556` |
| monkey-island-vmware.ova | OVA | 1.8.0 | `6BC4E85A0EA81045BD88E2D5A9F98F0DD40DE99E94D1E343D13FA418045A6915` |
| monkey-island-vmwarezt.ova | OVA | 1.8.0 | `79A043D85521F94024F8B0428A7A33B4D3F5B13F9D2B83F72C73C8D0BB12ED91` |
| monkey_island_vmware.deb | VMWare Debian | 1.7.0 | `8F77347343B1D070C4BCC43A6CF5971F086665206F76AD1304359ADB388C55DE` |
| dk.monkeyisland.latest.tar | Docker | 1.7.0 | `E92CD45DB172342FE906FEFA7F26BACB2F59C2BE8484756B71CD1BDEBCCA8BFB` |
| monkey-windows-32.exe | Agent | 1.7.0 | `00E121EC8AA3519498D225066A3BC29984A7DA2A6F4F0641ED465FD64107A117` |
| Monkey Island v1.7.0.3478.exe | Windows Installer | 1.7.0 | `AFC969884939DBE37DA6B8AD4999CA6E9F18E54BA03AC0C04C59ABB6D6204634` |
| monkey_island.deb | Debian | 1.7.0 | `4AE051BC47B39FA05937994B3D24226771D03891AB2EA484FD7B4AADC0C5E220` |
| monkey-windows-64.exe | Agent | 1.7.0 | `BCF60E0C4BC2578361CCACDA0C183B726AF375F0142306CA9013A14BBA9B962C` |
| monkey-linux-64 | Agent | 1.7.0 | `333529B3061473BF5EE713FA7E3DF4B05DD01823840BB92E1E715488A749B9EA` |
| monkey-linux-32 | Agent | 1.7.0 | `EF7A72FFDDF3A54C74F458201A45B51B779A68C460A309B0D5FD247264D7137D` |
| Monkey Island 1.7.0 OVA 20191013.ova | OVA | 1.7.0 | `EB1D568F1EA9236B3402A65484EE1F06350FF5C4097288F3FE3312474ECB48C7` |
| dk.monkeyisland.latest.zt.tar | Docker | 1.7.0 | `C998FD7CC73F394CD39450E49586397F721D8B7F2DFA4CFE30EC797864588C72` |
| Monkey Island v1.7.0 zt.exe | Windows Installer | 1.7.0 | `5C6DADDD3BCF0766DB515DC911DC80D7D11DFF8A72BCBBBE21DEB3C9F78B6889` |
| monkey_island_zt.deb | Debian | 1.7.0 | `A0515FBCFD9590CEA739E1AFA95CE7FC406C5E4206A67A50C8CD2423540818C8` |
| monkey_island_vmware_zt.deb | VMWare Debian | 1.7.0 | `80EDB3FB846251C7B80B72259837629F17A4166C34FE440451BDD7ED8CC43F7F` |
| Monkey Island 1.7.0 ZT OVA 20191013.ova | OVA | 1.7.0 | `D220E171CF38DCD434AB4473C72CE29873A495B16FFAA8CA55658F5606398E34` |
| infection_monkey_deb_vmware.20190519_125330.tgz | VMWare | 1.6.3 | `22e51f089e6537e2cb349b07b4bf22c7a63c68ae12776a7b5239a0238bf02a05` |
| infection_monkey_deb_gcp.20190519_125239.tgz | GCP | 1.6.3 | `b8fdb976af8130329265bd3ad36b553864f6f7a2a2df912cfea4215584774686` |
| infection_monkey_docker.20190519_125632.tgz | Docker | 1.6.3 | `5576e20fe8ee502a7b452b504789961aedae214e49061a58ca0f248cc72c1c78` |
| monkey-windows-32.exe | Agent | 1.6.3 | `6f68d436a2a85852b02e4d72d4202919753a78e5285c36bd1a5481c8711b1d6b` |
| Monkey Island v1.6.3.3468.exe | Windows Installer | 1.6.3 | `69cb63612855165db97eb3c253e5a6f627fe216e0610eca5e5e6f875281a3604` |
| infection_monkey_deb.20190519_124555.tgz | Debian | 1.6.3 | `2389b553bd569defa4b81053984f0743b1b4093cdcfcf8561243b9d882d55e83` |
| monkey-windows-64.exe | Agent | 1.6.3 | `502c749ede6e09b8c40bc4bbfd2a46c95d3626a1aef74c72ac7b5641595e8c9c` |
| monkey-linux-64 | Agent | 1.6.3 | `6cfec4aea2f993294ca32f816a85347be8b155fb9c39706c82866bce8d8f87c1` |
| monkey-linux-32 | Agent | 1.6.3 | `996b3883e9b1114b274bf25426ee13060b65f8deb08c96b57857b99d8e8e3277` |
| Infection Monkey 1.6.3.ova | OVA | 1.6.3 | `a5b6e7d547ad4ae79508301698d99cbaf3b3ebfb1d2f0274ae1151d803def1e4` |
| infection_monkey_deb_azure.20190519_125317.tgz | Azure | 1.6.3 | `fcf1b6bf805f4422deb90f25752573f796d5a73e148086f49db310208b02c829` |
| infection_monkey_deb_aws.20190519_130517.tgz | AWS | 1.6.3 | `9c232f5d2f9dc24c9faea3cf597af783798baedb61334e0e650ca79bdac29fec` |
| Infection Monkey 1.6.2.ova | OVA | 1.6.2 | `00346E6383E7BBDB107C14B668D251513E150C089A26AAFA3E17040D96C7DEC9` |
| infection_monkey_deb.1.6.2.tgz | Debian | 1.6.2 | `56BF1D99DD6674F9D3504D5DD5A62D8B3520B4F25449ED0026E5A0DC99BD0683` |
| infection_monkey_1.5_docker.tgz | Docker | 1.6.2 | `2466B4FFFE175EC5DEF0CAACF93EE5CC7D8878DBA63B30F148C560A6AFA5B537` |
| Monkey Island v1.6.2.3434.exe | Windows Installer | 1.6.2 | `2B0BFD5721897787536F4F94D5641E061833CBEF0279C0E38C41BC1B3E76A380` |
| Monkey-Linux-32 | Agent | 1.6.1 | `9E5F8FA7F85FEB1BC31E0AE7D1F303139CA3FE5FA044E6C58F68B4917D27CACE` |
| Monkey-Linux-64 | Agent | 1.6.1 | `74F9FFBB504FF5E74EFF1399685C0C110EDE0D3244F61591D77EE7A22672457E` |
| Monkey-Windows-32.exe | Agent | 1.6.1 | `53AC0F047CA95A0476944559F6FC650ADA865891139FA1258B35A5A525BC6002` |
| Monkey-Windows-64.exe | Agent | 1.6.1 | `53019FD25CD4A0AE526696EB05E2EEDE32607263C5F29BE36554D637532D41C3` |
| infection_monkey_1.5.2.ova | OVA | 1.5.2 | `6E6CAABBA7CCDB20E981147560353EC731B1FC8955D0319886D36E9825C201C7` |
| infection_monkey_1.5_deb.tgz | Debian | 1.5.2 | `E84EFA3C20A417D13DC6EA64CB046D40ED7534A6FBB91EBF6EA061716A855A17` |
| infection_monkey_1.5_docker.tgz | Docker | 1.5.2 | `0D33C17556FAC28874A2FE9157DB311892B42669E51C043C4DAE2F68B0D74B8F` |
| Monkey-Linux-32 | Agent | 1.5.2 | `4DF689A845FD7092E81ECB0AB5207621836B3D46B71FB3829E5E5CF9DDAF52D0` |
| Monkey-Linux-64 | Agent | 1.5.2 | `99FC4BB24D2EFF1CD107CCE932EA0BDC006ED2226AE0DC19DD0BC7A97ADB553F` |
| Monkey-Windows-32.exe | Agent | 1.5.2 | `8FC1441B87BDFD786A3A262542C013E4C84AC870C847A919CDA0851F91A511B9` |
| Monkey-Windows-64.exe | Agent | 1.5.2 | `0AE8F0AB190E8BEAE78AB12C8477C924FE92B19B1E079B279F4F87AE4BD2A718` |
| infection_monkey_deb.20180402_184213.tgz | Debian | 1.5.1 | `4425FC97DE825715837783258FD8BCF88E87AAB3500F63D287384B9D74D54122` |
| Monkey Island v1.5.1.3377.exe | Windows Installer | 1.5.1 | `5A137ADA97F39F4C3CA278E851D2684B929911639E2876EB4DF1D1AC5D70E27D` |
| infection_monkey_docker.20180402_184212.tgz | Docker | 1.5.1 | `049831C3F9C959128C5C8D9843819A4ED960FF046B1536216B5FA5FF4B28D1A6` |
| Monkey-Linux-32 | Agent | 1.6 | `665E1263347B9D0245211676496E91669809B3865ED8B5AD1878DA54A9784F5C` |
| Monkey-Linux-64 | Agent | 1.6 | `F0D51E7431CF07A842D4D25AAE2DD8A6B9EE08744914729AF448F92088798F7F` |
| Monkey-Windows-32.exe | Agent | 1.6 | `77AC4264715A6E7D238F8B67ED04EE75CF75C07D360A4B649CA6E31C83CE7B21` |
| Monkey-Windows-64.exe | Agent | 1.6 | `0DEED0AA00F7D54B084EF6888731B0CFEC6382045A74B55162FDD3D00D0BE9F8` |
| Monkey Island v1.6.0.3414.exe | Windows installer | 1.6 | `242879983A709D7CD6D7D7EEC493442B7FACC8E215CBB21650915C5EECB8829A` |
| infection_monkey_1.6.ova | OVA | 1.6 | `831FBA09AA49940B1747164BEB6B4AF83BA04FCE35285912AB0B18A7FA1A39D8` |
| infection_monkey_deb.1.6.tgz | Debian | 1.6 | `339EC88DD6A2AB6CB917456AA8970B0F1D36D7335E7D2EE1A34B74047F843542` |
| infection_monkey_docker.1.6.tgz | Docker | 1.6 | `0624CF75C4D208DDC7475636CFE2869BA324DEB88C3860DB2934E7BDA3E664F6` |
| infection_monkey.ova | OVA | 1.5 | `A6773C4DA8FF7A09C0F3FEE45A25D45830C616AACCEC14C86542462ADCDA1F89` |
| infection_monkey_deb.20180208_175917.tgz | Debian | 1.5 | `04E3CD3CD301A44BEE508C1BF993948B89212EF3269D61FB13ECB9FDC25268DB` |
| infection_monkey_docker.20180119_112852.tgz | Docker | 1.5 | `4D94C6BB7B4A0177CC1F3E864FB714015619ACB4DD1C4E92D8986BA093F8BD87` |
| Monkey Island v1.5.0.exe | Windows installer | 1.5 | `A1D7725AF116AE33CEA9A0E641E61C96E51FAFCCCB598F668EB99E35DE799C7B` |
| infection_monkey_1.5_deb.tgz | Debian | 1.5 | `1433B8A5E778F12C9E8AE4B1BCBF2863E0CC5E001D661C8540804B909B9D83C5` |
| infection_monkey_1.5_docker.tgz | Docker | 1.5 | `22B7FDC4C213F0385AEB9F63E60665470C2862C8C1B45B5B49FBF320570A9082` |
| Monkey Island v1.5.0.3371.exe | Windows Installer | 1.5 | `B69997E9920E73F16896D3E793AB721388E5636DB1846D4BFEC1C7A372EE2059` |
| infection_monkey_1.5_deb.tgz | Debian | 1.5 | `00EB499FCC590950723E42784D3502B70EAD8AD396B916AF450AB1A48DF993ED` |
| infection_monkey_1.5_docker.tgz | Docker | 1.5 | `A8670280A07EF6A9F5DC9CEB4B11B25DD7B90C37AD94666A6FFAABD6D105F0CB` |
| Monkey Island v1.5.0.exe | Windows Installer | 1.5 | `55F39C8EEB04089F54C10C991A82FE1539BC072E1A7F364D0C720CBF0A28EBB7` |
| Monkey-Linux-32 | Agent | 1.5 | `B85E10AEF0B6935B0AF6EFEA03C9A684859F2DD078B31D9492E98585E2E89C39` |
| Monkey-Linux-64 | Agent | 1.5 | `44BA13A7391D4A16C46D5EF44F60B09E1EDCEB3C716C0AF4241F166619A62944` |

24
docs/content/usage/getting-started.md
View File

@ -7,32 +7,34 @@ pre: "<i class='fas fa-play-circle'></i> "
tags: ["usage"]
---
If you haven't deployed the Monkey Island yet, please [refer to our setup documentation](/setup).
## Using the Infection Monkey
After deploying the Monkey Island in your environment, navigate to `https://<server-ip>:5000`.
### First-time setup
### First-time login
On your first login, you'll be asked to set up a username and password for the Monkey Island server. [See this page for more details](../accounts-and-security).
On your first login, you'll be asked to create a username and password for the Monkey Island server. [See this page for more details](../../setup/accounts-and-security).
### Run the Monkey
### Running the Infection Monkey
To get the Infection Monkey running as fast as possible, click **Run Monkey**. Optionally, you can configure the Monkey before you continue by clicking **Configuration** (see [how to configure the monkey](../configuration)).
To get the Infection Monkey running as fast as possible, click **Run Monkey**. Optionally, you can configure the Infection Monkey before you continue by clicking on **Configuration** (see [how to configure the Infection Monkey](../configuration)).
To run the monkey, select one of the following options:
To run the Infection Monkey, select one of the following options:
![Run Page](/images/usage/getting-started/run_page_with_arrows.jpg "Run Page")
1. Click **Run on C&C Server** to run the Infection Monkey on the Monkey Island server. This simulates an attacker trying to propagate through local network from Monkey Island machine.
2. Click **Run on machine of your choice** to download and execute the Infection Monkey on a machine of your choice. Then follow the instructions and execute the generated command on the machine of your choice. This simulates an attacker who has breached one of your servers. The Monkey will map all accessible machines and their open services and try to steal credentials and use its exploits to propagate.
1. Click **Run on C&C Server** to run the Infection Monkey on the Monkey Island server. This simulates an attacker trying to propagate through your local network from the Monkey Island machine.
2. Click **Run on machine of your choice** to download and execute the Infection Monkey on a machine of your choice. Then follow the instructions and run the generated command on the machine you selected. This simulates an attacker who has breached one of your servers. The Infection Monkey will map all accessible machines and their open services, attempting to steal credentials and use exploits to propagate.
![Run on machine of your choice](/images/usage/getting-started/run_page_button_no_arrow.jpg "Run on machine of your choice")
{{% notice tip %}}
If you're running in an AWS cloud environment, check out [Usage -> Integrations](../../usage/integrations) for information about how Monkey integrates with AWS.
If you're running the Infection Monkey in an AWS cloud environment, check out [Usage -> Integrations](../../usage/integrations) for information about how it integrates with AWS.
{{% /notice %}}
### Infection Map
### Infection map
Next, click **Infection Map** to see the Infection Monkey in action.
@ -46,8 +48,8 @@ Within a few minutes, the Infection Monkey should be able to find and attack acc
![Middle of Monkey execution](/images/usage/getting-started/single_exploitation.JPG "Middle of Monkey execution")
As the Infection Monkey continues, the map should be filled with accessible and “hacked” machines. Once all the Infection Monkeys have finished propagating, click **Reports** to see the reports. See [Infection Monkey Reports](../reports) for more info.
As the simulation continues, the Infection Monkey will fill in the map with data on accessible and "hacked" machines. Once all the Infection Monkeys have finished propagating, click **Reports** to see the reports. See [Infection Monkey Reports](../reports) for more info.
![End of Monkey execution](/images/usage/getting-started/exploitation_tunneling_arrow.jpg "End of Monkey execution")
Congratulations, you finished first successful execution of the Infection Monkey! 🎉 To thoroughly test your network, you can run the Infection Monkey from different starting locations using different configurations.
Congratulations, you finished your first successful execution of the Infection Monkey 🎉 ! To thoroughly test your network, you can run the Infection Monkey from different starting locations and use different configurations.

6
docs/content/usage/integrations/_index.md
View File

@ -7,8 +7,8 @@ weight: 10
pre: "<i class='fas fa-directions'></i> "
---
# Integrate the Monkey with 3rd party software
# Integrate the Infection Monkey with third-party software
The Monkey likes working together. See these documentation pages for information on each integration the Monkey currently offers:
The Infection Monkey likes working together! See these documentation pages for information on each integration the Infection Monkey currently offers:
{{% children description=true %}}
{{% children description=true style="p"%}}

43
docs/content/usage/integrations/aws-run-on-ec2-machine.md
View File

@ -8,23 +8,23 @@ tags: ["aws", "integration"]
## When to use this feature
If your network is deployed on Amazon Web Services (with EC2 instances), and you'd like to run the Infection Monkey in order to test it, this page is for you. You can easily run the monkey on **various instances** within your network - in a secure fashion, **without** feeding the Island with any credentials or running shell commands on the machines you want to test.
If your network is deployed on Amazon Web Services (with EC2 instances) and you'd like to run the Infection Monkey to test it, this page is for you. You can easily run the Infection Monkey on various instances within your network in a secure fashion, without feeding it credentials or running shell commands on the machines you want to test.
The results will be exported to AWS security hub automatically, as well. To see more information about that, see the [Infection Monkey and AWS Security Hub documentation](https://github.com/guardicore/monkey/wiki/Infection-Monkey-and-AWS-Security-Hub).
The results will be exported to the AWS security hub automatically as well. To learn more about that topic, see the [Infection Monkey and AWS Security Hub documentation](https://github.com/guardicore/monkey/wiki/Infection-Monkey-and-AWS-Security-Hub).
![AWS EC2 logo](/images/usage/integrations/aws-ec2.svg?height=250px "AWS EC2 logo")
## Setup
Assuming your network is already set up in AWS EC2, follow these quick steps to get up and running.
Assuming your network is already set up in AWS EC2, follow the steps below to get up and running quickly.
### Monkey Island deployment
In order to run the Monkeys directly from the Monkey Island server, you need to deploy the Monkey Island server to an AWS EC2 instance in the same network which you want to test. For information about deploying the Monkey Island server, see [setup](../../../setup).
In order to run the Infection Monkey agents directly from the Monkey Island server, you need to deploy the Monkey Island server to an AWS EC2 instance in the same network which you want to test. For information about deploying the Monkey Island server, see [setup](../../../setup).
### Setup IAM roles
In order for the Island to successfully view your instances, you'll need to set appropriate IAM roles to your instances. You can read more about IAM roles [in Amazon's documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html), but it's not necessary in order to follow this setup.
In order for the Infection Monkey to successfully view your instances, you'll need to set appropriate IAM roles for your instances. You can read more about IAM roles [in Amazon's documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html), but it's not necessary in order to follow this setup.
#### Creating a custom IAM role
@ -34,7 +34,7 @@ Go to the [AWS IAM roles dashboard](https://console.aws.amazon.com/iam/home?#/ro
#### Applying the IAM role to an instance
For each instance you'd like to access from the island, apply the new IAM role you've just created to the instance. For example:
For each instance you'd like to access from the Monkey Island, apply the new IAM role you've just created to the instance. For example:
![Applying a custom IAM role](/images/usage/integrations/monkey-island-aws-screenshot-4.png "Applying a custom IAM role")
@ -42,39 +42,38 @@ After applying the IAM role you should see this screen:
![Applying a custom IAM role](/images/usage/integrations/monkey-island-aws-screenshot-5.png "Applying a custom IAM role")
**Note: after setting IAM roles, the roles might take a few minutes (up to 10 minutes sometimes) to effectively kick in.** This is how AWS works and is not related to the Monkey implementation. See [this StackOverflow thread for more details.](https://stackoverflow.com/questions/20156043/how-long-should-i-wait-after-applying-an-aws-iam-policy-before-it-is-valid)
**Note: after setting IAM roles, the roles might take a few minutes (up to 10 minutes sometimes) to effectively kick in.** This is how AWS works and is not related to the Infection Monkey implementation. See [this StackOverflow thread for more details.](https://stackoverflow.com/questions/20156043/how-long-should-i-wait-after-applying-an-aws-iam-policy-before-it-is-valid)
### Setup SSM agent
### Setup the SSM agent
If your EC2 instances don't have the _SSM agent_ installed, they will not be able to execute SSM commands, which means you won't see them in the AWS machines table on the monkey island. Generally speaking, most new EC2 instances ought to have SSM pre-installed; The SSM Agent is installed, by default, on Amazon Linux base AMIs dated 2017.09 and later, and on Amazon Linux 2, Ubuntu Server 16.04, and Ubuntu Server 18.04 LTS AMIs.
If your EC2 instances don't have the _SSM agent_ installed, they will not be able to execute SSM commands, which means you won't see them in the AWS machines table on the Monkey Island. Generally speaking, most new EC2 instances should have SSM pre-installed. The SSM Agent is installed, by default, on Amazon Linux base AMIs dated 2017.09 and later, on Amazon Linux 2, Ubuntu Server 16.04 and Ubuntu Server 18.04 LTS AMIs.
See [Amazon's documentation about working with SSM agents](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) for more details on how to check if you have an SSM agent and how to manually install one if you don't have one.
See [Amazon's documentation about working with SSM agents](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) for more details on how to check if you have an SSM agent and how to manually install one if you don't yet have it.
## Usage
### Running the monkey
### Running the Infection Monkey
When you run the monkey island on an AWS instance, the island detects it's running on AWS and present the following option in the _"Run Monkey"_ page, like so:
When you run the Monkey Island on an AWS instance, the island detects it's running on AWS and presents the following option on the _"Run Monkey"_ page:
![Running a Monkey on EC2 Instance](/images/usage/integrations/monkey-island-aws-screenshot-1.png "Running a Monkey on EC2 Instance")
And then you can choose one of the available instances as "patient zero" like so:
After you click on **Run on AWS machine of your choice** you can choose one of the available instances as "patient zero" by:
1. Click on "Run on AWS"
2. Choose the relevant Network Interface
3. Select the machines you'd like to run the Monkey on
4. Click "Run on Selected Machines", and watch the monkey go! 🐒
1. Choosing the relevant network interface
2. Selecting the machines you'd like to run the Infection Monkey on
3. Clicking **Run on Selected Machines** — now watch the Infection Monkey go! 🐒
![Running a Monkey on EC2 Instance](/images/usage/integrations/monkey-island-aws-screenshot-2.png "Running a Monkey on EC2 Instance")
## Notes
- The machines which can use IAM roles and be listed MUST be internet connected (or you can set up a proxy for IAM). This is standard AWS practice and you can read about it (and about how to set up the required proxy machines) in AWS IAM documentation.
- You can see the monkey in [the AWS marketplace](https://aws.amazon.com/marketplace/pp/B07B3J7K6D).
- The machines which can use IAM roles and be listed MUST be internet connected (or you can set up a proxy for IAM). This is standard AWS practice and you can read about it (and about how to set up the required proxy machines) in the AWS IAM documentation.
- You can view the Infection Monkey in [the AWS marketplace](https://aws.amazon.com/marketplace/pp/B07B3J7K6D).
### Appendix A: Specific policy permissions required
The IAM role will need to have, at least, the following specific permissions:
The IAM role will need to have, at minimum, the following specific permissions:
#### For executing the Monkey on other machines - SSM
@ -101,7 +100,7 @@ Here's the policy of the IAM role, as a JSON object:
}
```
#### For exporting security findings to the Security Hub - security hub
#### For exporting security findings to the AWS Security Hub - security hub
_Note: these can be set on the Monkey Island machine alone, since it's the only one exporting findings to the AWS secutiry hub._
@ -127,7 +126,7 @@ Here's the policy for SecurityHub, as a JSON object:
}
```
The JSON object for both of the policies combined therefore is:
The JSON object for both of the policies combined is:
```json
{

25
docs/content/usage/integrations/aws-security-hub.md
View File

@ -10,24 +10,31 @@ The Infection Monkey integration with the [AWS Security Hub](https://docs.aws.am
![AWS security hub logo](/images/usage/integrations/AWS-Security-Hub-logo.png "AWS security hub logo")
The integration will send _all_ Infection Monkey findings (typically low tens of findings) to the security hub at the end of a Monkey breach simulation.
The integration will send all Infection Monkey findings (typically 10 to 40) to the AWS Security Hub at the end of a breach simulation.
## Setup
If the correct permissions have been set on the AWS IAM role of the Monkey Island machine, then the Island will automatically export its findings to the AWS security hub.
If the correct AWS IAM role permissions have been set on the Monkey Island machine, it will automatically export its findings to the AWS Security Hub.
### Specific permissions required for security hub
### Specific permissions required for the AWS Security Hub
- `"securityhub:UpdateFindings"`
- `"securityhub:BatchImportFindings"`
Note that the integration is specifically between your Monkey Island and the security hub. The Infection Monkey is an free project and there is no centralised infrastructure.
Note that this integration is specifically between your Monkey Island and the AWS Security Hub. The Infection Monkey is a free project, and there is no centralized infrastructure.
### Enabling finding reception
Before starting the scan, make sure that the AWS Security Hub is accepting findings by enabling the Infection Monkey integration. Find **GuardiCore: AWS Infection Monkey** integration on the list and click on **Accept findings**.
![Enabled integration](/images/usage/integrations/security-hub-enable-accepting-findings.png "Enabled integration")
## Integration details
The Infection Monkey reports the following types of issues to the AWS security hub: `Software and Configuration Checks/Vulnerabilities/CVE`.
The Infection Monkey reports the following types of issues to the AWS Security Hub: `Software and Configuration Checks/Vulnerabilities/CVE`.
Specifically, the Island sends findings for all vulnerabilities it finds along with generic findings on the network (such as segmentation issues). Our normalized severity is 100, while most issues we report range between 1 and 10.
Specifically, the Infection Monkey sends findings for all vulnerabilities it finds along with generic findings on the network (such as segmentation issues). Our normalized severity is 100, while most issues we report range between 1 and 10.
## Regions
@ -35,9 +42,9 @@ The Infection Monkey is usable on all public AWS instances.
## Example
After setting up a monkey environment in AWS and attaching the correct IAM roles to the monkey island machine, the report findings were exported to the security hub.
After setting up the Infection Monkey in AWS and attaching the correct IAM roles to your Monkey Island machine, the report findings were exported to the AWS Security Hub.
1. Navigate to `Findings`.
2. Press on a specific finding to see more details and possible solutions.
2. Click on a specific finding to see more details and possible solutions.
![AWS Security hub console example](images/usage/integrations/security-hub-console-example.png "AWS Security hub console example")
![AWS Security hub console example](/images/usage/integrations/security-hub-console-example.png "AWS Security hub console example")

67
docs/content/usage/integrations/scoutsuite.md Normal file
View File

@ -0,0 +1,67 @@
---
title: "Scoutsuite"
date: 2021-03-02T16:23:06+02:00
draft: false
description: "Scout Suite is an open-source cloud security-auditing tool."
weight: 10
---
### About ScoutSuite
<a href="https://github.com/nccgroup/ScoutSuite" target="_blank" >Scout Suite</a> is an open-source cloud security-auditing tool.
It queries the cloud API to gather configuration data. Based on configuration
data gathered, ScoutSuite shows security issues and risks present in your infrastructure.
### Supported cloud providers
Currently, ScoutSuite integration only supports AWS environments.
### Enabling ScoutSuite
First, Infection Monkey needs access to your cloud API. You can provide access
in the following ways:
- Provide access keys:
- Create a new user with ReadOnlyAccess and SecurityAudit policies and generate keys
- Generate keys for your current user (faster but less secure)
- Configure AWS CLI:
- If the command-line interface is available on the Island, it will be used to access
the cloud API
More details about configuring ScoutSuite can be found in the tool itself, by choosing
"Cloud Security Scan" in the "Run Monkey" options.
![Cloud scan option in run page](/images/usage/integrations/scoutsuite_run_page.png
"Successful setup indicator")
After you're done with the setup, make sure that a checkmark appears next to the AWS option. This
verifies that ScoutSuite can access the API.
![Successfull setup indicator](/images/usage/integrations/scoutsuite_aws_configured.png
"Successful setup indicator")
### Running a cloud security scan
If you have successfully configured the cloud scan, Infection Monkey will scan
your cloud infrastructure when the Monkey Agent is run **on the Island**. You
can simply click on "From Island" in the run options to start the scan. The
scope of the network scan and other activities you may have configured the Agent
to perform are ignored by the ScoutSuite integration, except **Monkey
Configuration -> System info collectors -> AWS collector**, which needs to
remain **enabled**.
### Assessing scan results
After the scan is done, ScoutSuite results will be categorized according to the
ZeroTrust Extended framework and displayed as a part of the ZeroTrust report.
The main difference between Infection Monkey findings and ScoutSuite findings
is that ScoutSuite findings contain security rules. To see which rules were
checked, click on the "Rules" button next to the relevant test. You'll see a
list of rule dropdowns that are color coded according to their status. Expand a
rule to see its description, remediation and more details about resources
flagged. Each flagged resource has a path so you can easily locate it in the
cloud and remediate the issue.
![Open ScoutSuite rule](/images/usage/integrations/scoutsuite_report_rule.png
"Successful setup indicator")

35
docs/content/usage/reports/mitre.md
View File

@ -1,35 +0,0 @@
---
title: "MITRE ATT&CK report"
date: 2020-06-24T21:17:18+03:00
draft: false
---
{{% notice info %}}
Check out [the documentation for the other reports as well](../).
{{% /notice %}}
The Monkey maps its actions to the [MITRE ATT&CK](https://attack.mitre.org/) knowledge base: It provides a new report with the utilized techniques and recommended mitigations, to help you simulate an APT attack on your network and mitigate real attack paths intelligently.
Watch an overview video:
{{% youtube 3tNrlutqazQ %}}
## How to use the report
The MITRE ATT&CK report is centred around the ATT&CK matrix:
![MITRE Report](/images/usage/reports/mitre-report-0.jpg "MITRE Report")
The Monkey rates your network on the attack techniques it attempted. For each technique, you can get
- {{< label danger Red >}}: The Monkey **successfully used** the technique in the simulation. That means your network is vulnerable to this technique being employed.
- {{< label warning Yellow >}}: The Monkey **tried to use** the technique, but didnt manage to. That means your network isnt vulnerable to the way Monkey employs this technique.
- {{< label other Grey >}}: The Monkey **didn't try** the technique this time. Perhaps it wasn't relevant to this network or wasn't configured.
Then, you can see exactly HOW the technique was used in this attack, and also what you should do to mitigate it, by clicking on the technique and seeing the details. For example, lets look at the [**Brute Force**](https://attack.mitre.org/techniques/T1110/) technique thats a part of employing the [**Credentials Access**](https://attack.mitre.org/tactics/TA0006/) tactic:
![MITRE Report Credentials Access technique](/images/usage/reports/mitre-report-cred-access.png "MITRE Report Credentials Access technique")
In this example, you can see how the Monkey was able to use one old `root` password to access all machines in the network. When scrolling to the bottom of this list, you can also see the mitigation recommended, including **Account Use Policies** and implementing **Multiple Factor Authentication**.
![MITRE Report Credentials Access technique](/images/usage/reports/mitre-report-cred-access-mitigations.png "MITRE Report Credentials Access technique")

97
docs/content/usage/reports/security.md
View File

@ -1,97 +0,0 @@
---
title: "Security report"
date: 2020-06-24T21:16:10+03:00
draft: false
---
{{% notice info %}}
Check out [the documentation for the other reports as well](../).
{{% /notice %}}
The Monkey's Security Report is built to provide you with actionable recommendations and insight to the Attacker's view of your network. You can download a PDF of this example report:
{{%attachments title="Download the PDF" pattern=".*(pdf)"/%}}
The report is split into 3 main categories: "Overview", "Recommendations" and "The network from the Monkey's eyes".
- [Overview](#overview)
- [High level information](#high-level-information)
- [Used Credentials](#used-credentials)
- [Exploits and targets](#exploits-and-targets)
- [Security Findings](#security-findings)
- [Recommendations](#recommendations)
- [Machine related recommendations relating to specific CVEs](#machine-related-recommendations-relating-to-specific-cves)
- [Machine related recommendations relating to network security and segmentation](#machine-related-recommendations-relating-to-network-security-and-segmentation)
- [The network from the Monkey's eyes](#the-network-from-the-monkeys-eyes)
- [Network infection map](#network-infection-map)
- [Scanned servers](#scanned-servers)
- [Exploits and post-breach actions](#exploits-and-post-breach-actions)
- [Stolen Credentials](#stolen-credentials)
## Overview
The overview section of the report provides high-level information about the Monkey execution and the main security findings that the Monkey has found.
### High level information
The report starts with information about the execution, including how long the simulation took and from which machine the infection started from.
![Overview](/images/usage/reports/sec_report_1_overview.png "Overview")
### Used Credentials
The report will show which credentials were used for brute-forcing.
![Used Credentials](/images/usage/reports/sec_report_2_users_passwords.png "Used Credentials")
### Exploits and targets
The report shows which exploits were attempted in this simulation and which targets the Monkey scanned and tried to exploit.
![Exploits and Targets](/images/usage/reports/sec_report_3_exploits_ips.png "Exploits and Targets")
### Security Findings
The report highlights the most important security threats and issues the Monkey discovered during the attack.
![Threats and issues](/images/usage/reports/sec_report_4_threats_and_issues.png "Threats and issues")
## Recommendations
This section contains the Monkey's recommendations for improving your security - what mitigations you need to implement.
### Machine related recommendations relating to specific CVEs
![Machine related recommendations](/images/usage/reports/sec_report_5_machine_related.png "Machine related recommendations")
### Machine related recommendations relating to network security and segmentation
![Machine related recommendations](/images/usage/reports/sec_report_6_machine_related_network.png "Machine related recommendations")
## The network from the Monkey's eyes
This section contains the Infection Map and some summary tables on servers the Monkey has found.
### Network infection map
This part shows the network map and a breakdown of how many machines were breached.
![Network map](/images/usage/reports/sec_report_7_network_map.png "Network map")
### Scanned servers
This part shows the attack surface the Monkey has found.
![Scanned servers](/images/usage/reports/sec_report_8_network_services.png "Scanned servers")
### Exploits and post-breach actions
This part shows which exploits and Post Breach Actions the Monkey has performed in this simulation.
![Exploits and PBAs](/images/usage/reports/sec_report_9_exploits_pbas.png "Exploits and PBAs")
### Stolen Credentials
This part shows which credentials the Monkey was able to steal from breached machines in this simulation.
![Stolen creds](/images/usage/reports/sec_report_10_stolen_credentials.png "Stolen creds")

46
docs/content/usage/reports/zero-trust.md
View File

@ -1,46 +0,0 @@
---
title: "Zero Trust report"
date: 2020-06-24T21:16:18+03:00
draft: false
---
{{% notice info %}}
Check out [the documentation for the other reports as well](../).
{{% /notice %}}
The Guardicore Infection Monkey runs different tests to evaluate your network adherence to key components of the Zero Trust framework as established by Forrester, such as whether you have applied segmentation, user identity, encryption and more. Then, the Monkey generates a status report with detailed explanations of security gaps and prescriptive instructions on how to rectify them.
## Summary
This diagram provides a quick glance at how your organization scores on each component of the Forresters Zero Trust model with **Failed**, **Verify**, **Passed** and **Unexecuted** verdicts.
- {{< label danger Failed >}} At least one of the tests related to this component failed. This means that the Infection Monkey detected an unmet Zero Trust requirement.
- {{< label warning Verify >}} At least one of the tests results related to this component requires further manual verification.
- {{< label success Passed >}} All Tests related to this pillar passed. No violation of a Zero Trust guiding principle was detected.
- {{< label other Unexecuted >}} This status means no tests were executed for this pillar.
![Zero Trust Report summary](/images/usage/reports/ztreport1.png "Zero Trust Report summary")
## Test Results
See how your network fared against each of the tests the Infection Monkey ran. The tests are ordered by Zero Trust components so you can quickly navigate to the components you care about first.
![Zero Trust Report test results](/images/usage/reports/ztreport2.png "Zero Trust Report test results")
## Findings
Deep-dive into the details of each test, and see the explicit events and exact timestamps in which things happened in your network. This will enable you to match up with your SOC logs and alerts and to gain deeper insight as to what exactly happened during each of the tests.
![Zero Trust Report Findings](/images/usage/reports/ztreport3.png "Zero Trust Report Findings")
## Events
The results are exportable. Click Export after clicking on Events to view them in a machine-readable format.
![Zero Trust Report events](/images/usage/reports/ztreport4.png "Zero Trust Report events")
## Overview Video
You can check out an overview video here:
{{% youtube z4FNu3WCd9o %}}

104
docs/content/usage/scenarios.md
View File

@ -1,104 +0,0 @@
---
title: "Scenarios"
date: 2020-05-26T21:01:19+03:00
draft: false
weight: 2
tags: ["usage"]
pre: "<i class='fas fa-map-marked-alt'></i> "
---
In this page we show how you can use the Infection Monkey to simulate breach and attack scenarios as well as to share some cool tips and tricks you can use to up your Infection Monkey game. This page is aimed at both novice and experienced Monkey users. You can also refer to [our FAQ](../../faq) for more specific questions and answers.
Here are a few scenarios that can be replicated in your own environment by executing the Monkey from different locations within the network, or with some tweaks to the Monkeys configuration.
{{% notice note %}}
No worries! The Monkey does not cause any permanent system modifications that impact security or operations. You will be able to track the Monkey using the log files it leaves in well defined locations. [See our FAQ for more details](../faq).
{{% /notice %}}
- [Your network has been breached via internet facing servers](#your-network-has-been-breached-via-internet-facing-servers)
- [Simulate this scenario using the Monkey](#simulate-this-scenario-using-the-monkey)
- [You are the newest victim of a phishing fraud! 🎣](#you-are-the-newest-victim-of-a-phishing-fraud)
- [Simulate this scenario using the Monkey](#simulate-this-scenario-using-the-monkey-1)
- [You want to test your network segmentation](#you-want-to-test-your-network-segmentation)
- [Simulate this scenario using the Monkey](#simulate-this-scenario-using-the-monkey-2)
- [You want to verify your security solutions, procedures and teams are working as intended](#you-want-to-verify-your-security-solutions-procedures-and-teams-are-working-as-intended)
- [Simulate this scenario using the Monkey](#simulate-this-scenario-using-the-monkey-3)
- [Other useful tips](#other-useful-tips)
## Your network has been breached via internet facing servers
Whether it was the [Hex-men campaign](https://www.guardicore.com/2017/12/beware-the-hex-men/) that hit your Internet-facing DB server, a [cryptomining operation that attacked your WordPress site](https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining-2/) or any other malicious campaign the attackers are now trying to go deeper into your network.
### Simulate this scenario using the Monkey
To simulate this breach scenario, execute the Infection Monkey on different machines that host internet-facing services such as your web servers (Apache, Tomcat, NGINX…) or your VPN servers. To see how to execute the Monkey on these servers, [refer to this FAQ question](../../faq#after-ive-set-up-monkey-island-how-can-i-execute-the-monkey).
{{% notice tip %}}
If you want to simulate a very “deep” attack into your network, see our [configuration documentation](../configuration).
{{% /notice %}}
After executing the Monkey, evaluate the results of this simulation using the information in the Report page. There you will find a summary of the most important things the simulation has discovered, a detailed report of all the Monkeys findings and more. You can also use the Infection Map to analyze the Monkeys progress through the network, and to see each Monkeys detailed telemetry and logs.
## You are the newest victim of a phishing fraud! 🎣
Almost everyone is prone to phishing attacks. Results of a successful phishing attempt can be **extremely costly** as demonstrated in our report [IResponse to IEncrypt](https://www.guardicore.com/2019/04/iresponse-to-iencrypt/).
This scenario begins in a section of the network which is a potential phishing spot. Phishing attacks target human users - as such, these types of attacks try to penetrate the network via a service an employee is using, such as an email with an attached malware or social media message with a link redirecting to a malicious website. These are just two examples of where and how an attacker may choose to launch their campaign.
### Simulate this scenario using the Monkey
To simulate the damage from a successful phishing attack using the Infection Monkey, choose machines in your network from potentially problematic group of machines, such as the laptop of one of your heavy email users or one of your strong IT users (think of people who are more likely to correspond with people outside of your organization).
- After setting up the Island add the users **real** credentials (usernames and passwords) to the Monkeys configuration (Dont worry, this sensitive data is not accessible and is not distributed or used in any way other than being sent to the monkeys, and can be easily eliminated by resetting the Monkey Islands configuration). Now you can simulate an attacker attempting to probe deeper in the network with credentials “successfully” phished.
- You can configure these credentials for the Monkey as follows:
From the **“Basic - Credentials”** tab of the Islands configuration, under the **“Exploit password list”** press the + button and add the passwords you would like the Monkey to use. Do the same with usernames in the **“Exploit user list”**.
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
After supplying the Monkey with the passwords and usernames, execute the Monkey from the simulated “victim” machines. To do this, click “**2. Run Monkey**” from the left sidebar menu and choose “**Run on machine of your choice**”.
## You want to test your network segmentation
Segmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to isolate workloads from one another and secure them individually, typically using policies. A useful way to test the effectiveness of your segmentation is to ensure that your network segments are properly separated, e,g, your Development is separated from your Production, your applications are separated from one another etc. "to security test is to verify that your network segmentation is configured properly. This way you make sure that even if a certain attacker has breached your defenses, it cant move laterally from point A to point B.
[Segmentation is key](https://www.guardicore.com/use-cases/micro-segmentation/) to protecting your network, reducing the attack surface and minimizing the damage of a breach. The Monkey can help you test your segmentation settings with its cross-segment traffic testing feature.
### Simulate this scenario using the Monkey
As an example, the following configuration makes sure machines in the “10.0.0.0/24” segment (segment A) and the “11.0.0.2/32” segment (segment B) cant communicate with each other, along with an additional machine in 13.37.41.50.
![How to configure network segmentation testing](/images/usage/scenarios/segmentation-config.png "How to configure network segmentation testing")
## You want to verify your security solutions, procedures and teams are working as intended
The Infection Monkey can help you verify that your security solutions are working the way you expected them to. These may include your IR and SOC teams, your SIEM, your firewall, your endpoint security solution, and more.
### Simulate this scenario using the Monkey
Run the Monkey with whichever configuration you prefer. The default is good enough for many cases; but for example, you can add some old users and passwords. Running the Monkey on both the Island and on a few other machines in the network is also recommended, as it increases coverage and propagation rates.
After running the Monkey, follow the Monkeys actions on the Monkey Islands infection map.
Now you can match this activity from the Monkey timeline display to your internal SIEM and make sure your security solutions are identifying and correctly alerting on different attacks.
- The red arrows indicate successful exploitations. If you see red arrows, those incidents ought to be reported as exploitation attempts, so check whether you are receiving alerts from your security systems as expected.
- The orange arrows indicate scanning activity, usually used by attackers to locate potential vulnerabilities. If you see orange arrows, those incidents ought to be reported as scanning attempts (and possibly as segmentation violations).
- The blue arrows indicate tunneling activity, usually used by attackers to infiltrate “protected” networks from the Internet. Perhaps someone is trying to bypass your firewall to gain access to a protected service in your network? Check if your micro-segmentation / firewall solution identify or report anything.
While running this scenario, be on the lookout for the action that should arise: Did you get a phone call telling you about suspicious activity inside your network? Are events flowing into your security events aggregators? Are you getting emails from your IR teams? Is the endpoint protection software you installed on machines in the network reporting on anything? Are your compliance scanners detecting anything wrong?
## Other useful tips
Here are a few tips which can help you push the Infection Monkey even further:
- Make sure the Monkey is configured to scan its local network but in addition, configure it with specific targets. To add these targets, add their IP addresses (or the IP ranges in which they reside) to the Scan IP/subnet list using the `+` button. Heres an example of how this is achieved:
![How to configure Scan IP/subnet list](/images/usage/scenarios/scan-list-config.png "How to configure Scan IP/subnet list")
- Every network has its old “skeleton keys” that should have long been discarded. Configure the Monkey with old and stale passwords, but make sure that they were really discarded using the Monkey. To add the old passwords, in the islands configuration, go to the “Exploit password list” under “Basic - Credentials” and use the “+” button to add the old passwords to the configuration. For example, here we added a few extra passwords (and a username as well) to the configuration:
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
- To see the Monkey executing in real-time on your servers, add the **post-breach action** command: `wall “Infection Monkey was here”`. This post breach command will broadcast a message across all open terminals on the servers the Monkey breached, to achieve the following: Let you know the Monkey ran successfully on the server. let you follow the breach “live” alongside the infection map, and check which terminals are logged and monitored inside your network. See below:
![How to configure post breach commands](/images/usage/scenarios/pba-example.png "How to configure post breach commands.")

20
docs/content/usage/use-cases/_index.md Normal file
View File

@ -0,0 +1,20 @@
+++
title = "Use Cases"
date = 2020-08-12T12:52:59+03:00
weight = 3
chapter = true
pre = "<i class='fas fa-map-marked-alt'></i> "
+++
# Use cases
This section describes possible use cases for the Infection Monkey and how you can configure the tool.
You can also refer to [our FAQ](../../faq) for more specific questions and answers.
{{% notice note %}}
Don't worry! The Infection Monkey uses safe exploiters and does not cause any permanent system modifications that could impact security or operations.
{{% /notice %}}
## Section contents
{{% children description=True style="p"%}}

29
docs/content/usage/use-cases/attack.md Normal file
View File

@ -0,0 +1,29 @@
---
title: "MITRE ATT&CK assessment"
date: 2020-10-22T16:58:22+03:00
draft: false
description: "Assess your network security detection and prevention capabilities."
weight: 2
---
## Overview
The Infection Monkey can simulate various [ATT&CK](https://attack.mitre.org/matrices/enterprise/) techniques on the network. Use it to assess your security solutions' detection and prevention capabilities. The Infection Monkey will help you find which ATT&CK techniques go unnoticed and provide specific details along with suggested mitigations.
## Configuration
- **ATT&CK matrix** You can use the ATT&CK configuration section to select which techniques you want the Infection Monkey to simulate.
For the full simulation, use the default settings.
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. The Infection Monkey uses the most popular default passwords and usernames, but feel free to adjust it according to the default passwords common in your network. Keep in mind a longer list means longer scanning times.
- **Network -> Scope** Disable “Local network scan” and instead provide specific network ranges in the “Scan target list”.
![ATT&CK matrix](/images/usage/scenarios/attack-matrix.png "ATT&CK matrix")
## Suggested run mode
Run the Infection Monkey on as many machines as you can. You can easily achieve this by selecting the “Manual” run option and executing the command shown on different machines in your environment manually or with your deployment tool. Additionally, you can use any other run options you see fit.
## Assessing results
The **ATT&CK Report** shows the status of simulations using ATT&CK techniques. Click on a technique to see more details about it and potential mitigations. Keep in mind that each technique display contains a question mark symbol that will take you to the official documentation of the specific ATT&CK technique used, where you can learn more about it.

35
docs/content/usage/use-cases/credential-leak.md Normal file
View File

@ -0,0 +1,35 @@
---
title: "Credentials Leak"
date: 2020-08-12T13:04:25+03:00
draft: false
description: "Assess the impact of a successful phishing attack, insider threat, or other form of credentials leak."
weight: 5
---
## Overview
Numerous attack techniques (from phishing to dumpster diving) might result in a credential leak,
which can be **extremely costly** as demonstrated in our report [IResponse to IEncrypt](https://www.guardicore.com/2019/04/iresponse-to-iencrypt/).
The Infection Monkey can help you assess the impact of stolen credentials by automatically searching
where bad actors can reuse these credentials in your network.
## Configuration
- **Exploits -> Credentials** After setting up the Monkey Island, add your users' **real** credentials
(usernames and passwords) here. Don't worry; this sensitive data is not accessible, distributed or used in any way other than being sent to the Infection Monkey agents. You can easily eliminate it by resetting the configuration of your Monkey Island.
- **Internal -> Exploits -> SSH keypair list** When enabled, the Infection Monkey automatically gathers SSH keys on the current system.
For this to work, the Monkey Island or initial agent needs to access SSH key files.
To make sure SSH keys were gathered successfully, refresh the page and check this configuration value after you run the Infection Monkey
(content of keys will not be displayed, it will appear as `<Object>`).
## Suggested run mode
Execute the Infection Monkey on a chosen machine in your network using the “Manual” run option.
Run the Infection Monkey as a privileged user to make sure it gathers as many credentials from the system as possible.
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
## Assessing results
To assess the impact of leaked credentials see the Security report. Examine **Security report -> Stolen credentials** to confirm.

47
docs/content/usage/use-cases/network-breach.md Normal file
View File

@ -0,0 +1,47 @@
---
title: "Network Breach"
date: 2020-08-12T13:04:55+03:00
draft: false
description: "Simulate an internal network breach and assess the potential impact."
weight: 3
---
## Overview
From the [Hex-Men campaign](https://www.guardicore.com/2017/12/beware-the-hex-men/) that hit
internet-facing DB servers to a [cryptomining operation that attacks WordPress sites](https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining-2/) or any other malicious campaign attackers are now trying to go deeper into your network.
Infection Monkey will help you assess the impact of a future breach by attempting to propagate within your internal network using service vulnerabilities, brute-forcing and other safe exploiters.
## Configuration
- **Exploits -> Exploits** Here you can review the exploits the Infection Monkey will be using. By default all
safe exploiters are selected.
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. The Infection Monkey uses the most popular default passwords and usernames, but feel free to adjust it according to the default passwords common in your network. Keep in mind a longer list means longer scanning times.
- **Network -> Scope** Make sure to properly configure the scope of the scan. You can select **Local network scan**
and allow Monkey to propagate until maximum **Scan depth**(hop count) is reached, or you can fine tune it by providing
specific network ranges in **Scan target list**. Scanning a local network is more realistic, but providing specific
targets will make the scanning process substantially faster.
- **(Optional) Internal -> Network -> TCP scanner** Here you can add custom ports your organization is using.
- **(Optional) Monkey -> Post-Breach Actions** If you only want to test propagation in the network, you can turn off
all post-breach actions. These actions simulate an attacker's behavior after getting access to a new system but in no
way helps the Infection Monkey exploit new machines.
![Exploiter selector](/images/usage/use-cases/network-breach.PNG "Exploiter selector")
## Suggested run mode
Decide which machines you want to simulate a breach on and use the “Manual” run option to start the Infection Monkey on them.
Use administrative privileges to run the Infection Monkey to simulate an attacker that was able to elevate their privileges.
You could also simulate an attack initiated from an unidentified machine connected to the network (e.g., a technician
laptop or third-party vendor machine) by running the Infection Monkey on a dedicated machine with an IP in the network you
wish to test.
## Assessing results
Check the infection map and Security report to see how far The Infection Monkey managed to propagate in your network and which
vulnerabilities it successfully exploited. If you left post-breach actions selected, you should also check the MITRE ATT&CK and
Zero Trust reports for more details.
![Map](/images/usage/use-cases/map-full-cropped.png "Map")

40
docs/content/usage/use-cases/network-segmentation.md Normal file
View File

@ -0,0 +1,40 @@
---
title: "Network Segmentation"
date: 2020-08-12T13:05:05+03:00
draft: false
description: "Verify your network is properly segmented."
weight: 4
---
## Overview
Segmentation is a method of creating secure zones in data centers and cloud deployments. It allows organizations to isolate workloads from one another and secure them individually, typically using policies. A useful way to test your company's segmentation effectiveness is to ensure that your network segments are properly separated (e.g., your development environment is isolated from your production environment and your applications are isolated from one another).
[Segmentation is key](https://www.guardicore.com/use-cases/micro-segmentation/) to protecting your network. It can reduce the network's attack surface and minimize the damage caused during a breach.
You can use the Infection Monkey's cross-segment traffic feature to verify that your network segmentation configuration is adequate. This way, you can ensure that, even if a bad actor breaches your defenses, they can't move laterally between segments.
## Configuration
- **Network -> Network analysis -> Network segmentation testing** This configuration setting allows you to define
subnets that should be segregated from each other. If any of the provided networks can reach each other, you'll see it
in the security report.
- **(Optional) Network -> Scope** You can disable **Local network scan** and leave all other options at the default setting if you only want to test for network segmentation without any lateral movement.
- **(Optional) Monkey -> Post-Breach Actions** If you only want to test segmentation in the network, you can turn off all post-breach actions. These actions simulate an attacker's behavior after getting access to a new system, so they might trigger your defense solutions and interrupt the segmentation test.
## Suggested run mode
Execute The Infection Monkey on machines in different subnetworks using the “Manual” run option.
Note that if the Infection Monkey can't communicate to the Monkey Island, it will
not be able to send scan results, so make sure all machines can reach the the Monkey Island.
![How to configure network segmentation testing](/images/usage/scenarios/segmentation-config.png "How to configure network segmentation testing")
## Assessing results
Check the infection map and security report for segmentation problems. Ideally, all scanned nodes should only have edges with the Monkey Island Server.
![Map](/images/usage/use-cases/segmentation-map.PNG "Map")

54
docs/content/usage/use-cases/other.md Normal file
View File

@ -0,0 +1,54 @@
---
title: "Other"
date: 2020-08-12T13:07:55+03:00
draft: false
description: "Tips and tricks about configuring Monkeys for your needs."
weight: 100
---
## Overview
This page provides additional information about configuring the Infection Monkey, tips and tricks and creative usage scenarios.
## Custom behaviour
If you want the Infection Monkey to run a specific script or tool after it breaches a machine, you can configure it in
**Configuration -> Monkey -> Post-breach**. Input commands you want to execute in the corresponding fields.
You can also upload files and call them through the commands you entered.
## Accelerate the test
To improve scanning speed you could **specify a subnet instead of scanning all of the local network**.
The following configuration values also have an impact on scanning speed:
- **Credentials** - The more usernames and passwords you input, the longer it will take the Infection Monkey to scan machines that have
remote access services. The Infection Monkey agents try to stay elusive and leave a low impact, and thus brute-forcing takes longer than with loud conventional tools.
- **Network scope** - Scanning large networks with a lot of propagations can become unwieldy. Instead, try to scan your
networks bit by bit with multiple runs.
- **Post-breach actions** - If you only care about propagation, you can disable most of these.
- **Internal -> TCP scanner** - Here you can trim down the list of ports the Infection Monkey tries to scan, improving performance.
## Combining different scenarios
The Infection Monkey is not limited to the scenarios mentioned in this section. Once you get the hang of configuring it, you might come up with your own use case or test all of the suggested scenarios at the same time! Whatever you do, the Infection Monkey's Security, ATT&CK and Zero Trust reports will be waiting for you with your results!
## Persistent scanning
Use **Monkey -> Persistent** scanning configuration section to either run periodic scans or increase the reliability of exploitations by running consecutive scans with the Infection Monkey.
## Credentials
Every network has its old "skeleton keys" that it should have long discarded. Configuring the Infection Monkey with old and stale passwords will enable you to ensure they were really discarded.
To add the old passwords, go to the Monkey Island's **Exploit password list** under **Basic - Credentials** and use the "+" button to add the old passwords to the configuration. For example, here we added a few extra passwords (and a username as well) to the configuration:
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
## Check logged and monitored terminals
To see the Infection Monkey executing in real-time on your servers, add the **post-breach action** command:
`wall “Infection Monkey was here”`. This post-breach command will broadcast a message across all open terminals on the servers the Infection Monkey breached to achieve the following:
- Let you know the Monkey ran successfully on the server.
- Let you follow the breach “live” alongside the infection map.
- Check which terminals are logged and monitored inside your network.
![How to configure post breach commands](/images/usage/scenarios/pba-example.png "How to configure post breach commands.")

34
docs/content/usage/use-cases/zero-trust.md Normal file
View File

@ -0,0 +1,34 @@
---
title: "Zero Trust assessment"
date: 2020-10-22T16:58:09+03:00
draft: false
description: "See where you stand in your Zero Trust journey."
weight: 1
---
## Overview
Want to assess your progress in achieving a Zero Trust network? The Infection Monkey can automatically evaluate your readiness across the different
[Zero Trust Extended Framework](https://www.forrester.com/report/The+Zero+Trust+eXtended+ZTX+Ecosystem/-/E-RES137210) principles.
You can additionally scan your cloud infrastructure's compliance to ZeroTrust principles using [ScoutSuite integration.](/usage/integrations/scoutsuite)
## Configuration
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. The Infection Monkey uses the most popular default passwords and usernames, but feel free to adjust it according to the default passwords common in your network. Keep in mind a longer list means longer scanning times.
- **Network -> Scope** Disable “Local network scan” and instead provide specific network ranges in the “Scan target list.”
- **Network -> Network analysis -> Network segmentation testing** This configuration setting allows you to define
subnets that should be segregated from each other.
In general, other configuration value defaults should be good enough, but feel free to see the “Other” section for tips and tricks about more features and in-depth configuration parameters you can use.
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
## Suggested run mode
Run the Infection Monkey on as many machines as you can. You can easily achieve this by selecting the “Manual” run option and executing the command shown on different machines in your environment manually or with your deployment tool. Additionally, you can use any other run options you see fit.
## Assessing results
You can see your results in the Zero Trust report section. “The Summary” section will give you an idea about which Zero Trust pillars were the Infection Monkey tested, how many tests were performed and test statuses. Specific tests are described in the “Test Results” section. The “Findings” section shows details about the Monkey actions. Click on “Events” of different findings to observe what exactly the Infection Monkey did and when it did it. This should make it easy to cross reference events with your security solutions and alerts/logs.

13
docs/layouts/shortcodes/homepage_shortcuts.html
View File

@ -59,21 +59,28 @@
<section id="homepage-shortcuts">
<div class="container">
<div class="row justify-content-center">
<div class="col-lg-4 col-sm-6 mb-3">
<div class="col-lg-3 col-sm-6 mb-3">
<a href="setup/" class="px-4 py-5 bg-white shadow text-center d-block">
<i class="fas fa-cogs d-block mb-4" style="font-size: x-large;"></i>
<h4 class="mb-3 mt-0">Setup</h4>
<p class="mb-0">See how to install the Infection Monkey.</p>
</a>
</div>
<div class="col-lg-4 col-sm-6 mb-3">
<div class="col-lg-3 col-sm-6 mb-3">
<a href="usage/getting-started/" class="px-4 py-5 bg-white shadow text-center d-block">
<i class="fas fa-play-circle d-block mb-4" style="font-size: x-large;"></i>
<h4 class="mb-3 mt-0">Getting Started</h4>
<p class="mb-0">Set the Monkey wild in your datacenter.</p>
</a>
</div>
<div class="col-lg-4 col-sm-6 mb-3">
<div class="col-lg-3 col-sm-6 mb-3">
<a href="usage/use-cases" class="px-4 py-5 bg-white shadow text-center d-block">
<i class="fas fa-map-marked-alt d-block mb-4" style="font-size: x-large;"></i>
<h4 class="mb-3 mt-0">Use Cases</h4>
<p class="mb-0">Learn about use cases of the Infection Monkey.</p>
</a>
</div>
<div class="col-lg-3 col-sm-6 mb-3">
<a href="faq/" class="px-4 py-5 bg-white shadow text-center d-block">
<i class="fas fa-question d-block mb-4" style="font-size: x-large;"></i>
<h4 class="mb-3 mt-0">FAQs</h4>

3
docs/static/css/labels.css vendored
View File

@ -9,4 +9,5 @@
.info {background-color: #2196F3;} /* Blue */
.warning {background-color: #ff9800;} /* Orange */
.danger {background-color: #f44336;} /* Red */
.other {background-color: #e7e7e7; color: black;} /* Gray */
.unused {background-color: #8d8d8d;} /* Dark Gray */
.disabled {background-color: #cfcfcf; color: black;} /* Light Gray */

0
docs/static/images/usage/configruation/credentials.png → docs/static/images/usage/configuration/credentials.png vendored
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 72 KiB

After

Width:  |  Height:  |  Size: 72 KiB

BIN
docs/static/images/usage/integrations/monkey-island-aws-screenshot-1.png vendored
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 51 KiB

After

Width:  |  Height:  |  Size: 72 KiB

BIN
docs/static/images/usage/integrations/monkey-island-aws-screenshot-2.png vendored
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 44 KiB

After

Width:  |  Height:  |  Size: 97 KiB

BIN
docs/static/images/usage/integrations/scoutsuite_aws_configured.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
docs/static/images/usage/integrations/scoutsuite_report_rule.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 116 KiB

BIN
docs/static/images/usage/integrations/scoutsuite_run_page.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 52 KiB

BIN
docs/static/images/usage/integrations/security-hub-enable-accepting-findings.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 145 KiB

BIN
docs/static/images/usage/reports/mitre-report-0.jpg vendored
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 172 KiB

BIN
docs/static/images/usage/reports/mitre-report-0.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 158 KiB

BIN
docs/static/images/usage/scenarios/attack-matrix.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 158 KiB

BIN
docs/static/images/usage/use-cases/ids-test.PNG vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 60 KiB

BIN
docs/static/images/usage/use-cases/map-full-cropped.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.5 MiB

BIN
docs/static/images/usage/use-cases/network-breach.PNG vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 101 KiB

BIN
docs/static/images/usage/use-cases/segmentation-map.PNG vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

2
docs/themes/learn vendored

@ -1 +1 @@
Subproject commit e010f0287ae724c7c072b23e6075f4b123e99b7c
Subproject commit 045d78bc98540c9b96518df73c05fdb9d16507ba

4
envs/monkey_zoo/blackbox/README.md
View File

@ -19,10 +19,10 @@ instead will just test performance of endpoints in already present island state.
Example run command:
`monkey\envs\monkey_zoo\blackbox>python -m pytest -s --island=35.207.152.72:5000 test_blackbox.py`
`monkey\monkey>python -m pytest -s --island=35.207.152.72:5000 ..\envs\monkey_zoo\blackbox\test_blackbox.py`
#### Running in PyCharm
Configure a PyTest configuration with the additional arguments `-s --island=35.207.152.72`, and to run from
Configure a PyTest configuration with the additional arguments `-s --island=35.207.152.72:5000`, and to run from
directory `monkey\envs\monkey_zoo\blackbox`.
### Running telemetry performance test

2
envs/monkey_zoo/blackbox/analyzers/analyzer.py
View File

@ -4,5 +4,5 @@ from abc import ABCMeta, abstractmethod
class Analyzer(object, metaclass=ABCMeta):
@abstractmethod
def analyze_test_results(self):
def analyze_test_results(self) -> bool:
raise NotImplementedError()

3
envs/monkey_zoo/blackbox/analyzers/performance_analyzer.py
View File

@ -3,8 +3,7 @@ from datetime import timedelta
from typing import Dict
from envs.monkey_zoo.blackbox.analyzers.analyzer import Analyzer
from envs.monkey_zoo.blackbox.tests.performance.performance_test_config import \
PerformanceTestConfig
from envs.monkey_zoo.blackbox.tests.performance.performance_test_config import PerformanceTestConfig
LOGGER = logging.getLogger(__name__)

70
envs/monkey_zoo/blackbox/analyzers/zerologon_analyzer.py Normal file
View File

@ -0,0 +1,70 @@
from typing import List
from pprint import pformat
import dpath.util
from common.config_value_paths import USER_LIST_PATH, PASSWORD_LIST_PATH, NTLM_HASH_LIST_PATH, LM_HASH_LIST_PATH
from envs.monkey_zoo.blackbox.analyzers.analyzer import Analyzer
from envs.monkey_zoo.blackbox.analyzers.analyzer_log import AnalyzerLog
from envs.monkey_zoo.blackbox.island_client.monkey_island_client import MonkeyIslandClient
# Query for telemetry collection to see if password restoration was successful
TELEM_QUERY = {'telem_category': 'exploit',
'data.exploiter': 'ZerologonExploiter',
'data.info.password_restored': True}
class ZerologonAnalyzer(Analyzer):
def __init__(self, island_client: MonkeyIslandClient, expected_credentials: List[str]):
self.island_client = island_client
self.expected_credentials = expected_credentials
self.log = AnalyzerLog(self.__class__.__name__)
def analyze_test_results(self):
self.log.clear()
is_creds_gathered = self._analyze_credential_gathering()
is_creds_restored = self._analyze_credential_restore()
return is_creds_gathered and is_creds_restored
def _analyze_credential_gathering(self) -> bool:
config = self.island_client.get_config()
credentials_on_island = ZerologonAnalyzer._get_relevant_credentials(config)
return self._is_all_credentials_in_list(credentials_on_island)
@staticmethod
def _get_relevant_credentials(config: dict):
credentials_on_island = []
credentials_on_island.extend(dpath.util.get(config['configuration'], USER_LIST_PATH))
credentials_on_island.extend(dpath.util.get(config['configuration'], NTLM_HASH_LIST_PATH))
credentials_on_island.extend(dpath.util.get(config['configuration'], LM_HASH_LIST_PATH))
return credentials_on_island
def _is_all_credentials_in_list(self,
all_creds: List[str]) -> bool:
credentials_missing = [cred for cred in self.expected_credentials if cred not in all_creds]
self._log_creds_not_gathered(credentials_missing)
return not credentials_missing
def _log_creds_not_gathered(self, missing_creds: List[str]):
if not missing_creds:
self.log.add_entry("Zerologon exploiter gathered all credentials expected.")
else:
for cred in missing_creds:
self.log.add_entry(f"Credential Zerologon exploiter failed to gathered:{cred}.")
def _analyze_credential_restore(self) -> bool:
cred_restore_telems = self.island_client.find_telems_in_db(TELEM_QUERY)
self._log_credential_restore(cred_restore_telems)
return bool(cred_restore_telems)
def _log_credential_restore(self, telem_list: List[dict]):
if telem_list:
self.log.add_entry("Zerologon exploiter telemetry contains indicators that credentials "
"were successfully restored.")
else:
self.log.add_entry("Credential restore failed or credential restore "
"telemetry not found on the Monkey Island.")
self.log.add_entry(f"Query for credential restore telem: {pformat(TELEM_QUERY)}")

0
monkey/monkey_island/cc/resources/reporting/__init__.py → envs/monkey_zoo/blackbox/config_templates/__init__.py
View File

14
envs/monkey_zoo/blackbox/config_templates/base_template.py Normal file
View File

@ -0,0 +1,14 @@
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
# Disables a lot of config values not required for a specific feature test
class BaseTemplate(ConfigTemplate):
config_values = {
"basic.exploiters.exploiter_classes": [],
"basic_network.scope.local_network_scan": False,
"internal.classes.finger_classes": ["PingScanner", "HTTPFinger"],
"internal.monkey.system_info.system_info_collector_classes":
["EnvironmentCollector", "HostnameCollector"],
"monkey.post_breach.post_breach_actions": []
}

9
envs/monkey_zoo/blackbox/config_templates/config_template.py Normal file
View File

@ -0,0 +1,9 @@
from abc import ABC, abstractmethod
class ConfigTemplate(ABC):
@property
@abstractmethod
def config_values(self) -> dict:
pass

14
envs/monkey_zoo/blackbox/config_templates/drupal.py Normal file
View File

@ -0,0 +1,14 @@
from copy import copy
from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
class Drupal(ConfigTemplate):
config_values = copy(BaseTemplate.config_values)
config_values.update({
"internal.classes.finger_classes": ["PingScanner", "HTTPFinger"],
"basic.exploiters.exploiter_classes": ["DrupalExploiter"],
"basic_network.scope.subnet_scan_list": ["10.2.2.28"]
})

15
envs/monkey_zoo/blackbox/config_templates/elastic.py Normal file
View File

@ -0,0 +1,15 @@
from copy import copy
from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
class Elastic(ConfigTemplate):
config_values = copy(BaseTemplate.config_values)
config_values.update({
"basic.exploiters.exploiter_classes": ["ElasticGroovyExploiter"],
"internal.classes.finger_classes": ["PingScanner", "HTTPFinger", "ElasticFinger"],
"basic_network.scope.subnet_scan_list": ["10.2.2.4", "10.2.2.5"]
})

14
envs/monkey_zoo/blackbox/config_templates/hadoop.py Normal file
View File

@ -0,0 +1,14 @@
from copy import copy
from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
class Hadoop(ConfigTemplate):
config_values = copy(BaseTemplate.config_values)
config_values.update({
"basic.exploiters.exploiter_classes": ["HadoopExploiter"],
"basic_network.scope.subnet_scan_list": ["10.2.2.2", "10.2.2.3"]
})

Some files were not shown because too many files have changed in this diff Show More