Some days ago, Infection Monkey 1.6.3 was released. The first post about this tool can be found in a post titled the List of Adversary Emulation Tools. This is a small bugfix release, mostly around integration and packaging. It contains two user facing changes as well.

What is Infection Monkey?
The Infection Monkey is an open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement. It operates in much the same way a real attacker would – starting from a random location in the network and propagating from there, while looking for all possible paths of exploitation.
What’s new in Infection Monkey?
- AWS access keys needed for different features like AWS security hub integration and remote commands on EC2 instances are not requested by the tool. Infection Monkey requires IAM role to be applied to the EC2 instance where it is running. For more details, check here & here.
- The Monkey Island now checks for updates against a centralized server. At startup, a single message containing the current version is sent to a dedicated machine, and returns whether there is a new version available and a download link in case there is one.
- The Island may now also run as a single PyInstaller packed executable, solving some deployment issues on Windows.
- Feature – Version checking #309
- Feature – AWS integration through IAM roles #281
- Bugfix – Deb does not rely on package manager mongo #301
- Bugfix – ElasticGroovy exploitation now gracefully timeouts in case of errors #289
- Bugfix – Struts2 attack script does not check for certificate errors #318
- Bugfix – Domain related recommendations do not show up if no such recommendations exist. #278 and #304 fixes #213
- Bugfix – Update Bootstrap to 3.4.1 #311
Download Infection Monkey 1.6.3:
Check out the Infection Monkey 1.6.3 repository from here.