Highlights
Objective
In Infection Monkey v2.2.0, a long-standing objective has been achieved: Windows users can now install the Infection Monkey Island without encountering warnings or errors from their antivirus solutions*. Additionally, the Infection Monkey Agents may also go undetected in some circumstances. Since Infection Monkey Agents behave similarly to malware, it is expected that host-based antivirus or EDR solutions may be triggered by certain behaviors.
New Features
-
Polymorphic and metamorphic malware modify each copy of themselves in order to evade signature-based detection mechanisms. This results in each copy of the malware having a unique hash. A new feature has been added that, if enabled, allows Infection Monkey Agents to emulate this property by including unique data within the each copy of the Agent binary.
-
A common way of detecting and identifying an executable as malware is to write a detection rule (such as for a tool like YARA) that checks for the existence of strings or unique byte sequences within a file. The newly-added Malware Masquerade feature allows users to specify strings (characters) or arbitrary data (bytes) that will be injected into the Agent binaries. This allows Infection Monkey Agents to masquerade as specific types of malware. This is particularly useful for anyone who writes their own detection rules and needs a way to test them, or anyone looking to improve the fidelity of malware simulations.
Improvements
-
Credentials collectors can now be written as plugins** loaded by Infection Monkey at runtime. This flexibility will allow for the development and delivery of more credentials collection/theft techniques in the near future. . Furthermore, enhancements to the SSH credentials collector make it more adept at collecting SSH keys to be used for propagation.
-
Several bugs have been fixed, including a critical issue that caused agents spawned by the SMB exploiter to crash.
Footnotes
* Infection Monkey has been tested with various common antivirus/EDR solutions. While some solutions may still raise errors, our testing has not identified any specific issues.
** Please note that plugin interfaces are still considered experimental. They will be documented and made available to users in a future release.
Changelog
Added
PortScanData.openproperty. #3238{GET,PUT} /api/agent-binaries/<string:os>/masque. #3249- Placeholder values for empty plugin configuration fields having defaults. #3310
- Malware masquerading. #3241, #3242, #3243
- Support for plugin manifest files with the "yml" extension. #3097
- Randomize Agent binary hash (polymorphism) feature. #3244
- Agent binary's SHA256 to
AgentRegistrationData. #3244 EmailAddressidentity type. #3270- SNMP exploiter (CVE-2020-15862). #3234
- A plugin interface for credentials collectors. #3167
Changed
- Renamed "Credential collector" to "Credentials collector". #3167
- Hard-coded WMI exploiter to a plugin. #3163
- Hard-coded Mimikatz credentials collector to a plugin. #3168
- Hard-coded Zerologon exploiter to a plugin. #3164
- Hard-coded SSH credentials collector to a plugin. #3169
- SSH credentials collector's private-key search algorithm. #1882
- Manual run command includes all Island IP addresses. #2593
- Hard-coded MSSQL exploiter to a plugin. #3171
- Hard-coded PowerShell exploiter to a plugin. #3165
Fixed
- Plugins are now being checked for local OS compatibility. #3275
- A bug that could prevent multi-hop propagation via SMB. #3173
- Exceptions being raised when WMI and Zerologon are used together. #1774
- A bug that caused failing configuration imports to be marked as successful. #3341
- A bug where target hostnames with dashes were not being scanned. #3231
- A bug in URL sanitization. #3318