Adding post-breach actions

This guide will show you how to create a new post-breach action (PBA) for the Infection Monkey. PBAs are "extra" actions that the Infection Monkey can perform on victim machines after propagating to them.

The need for a new PBA

If all you want to do is execute shell commands, then there's no need to add a new PBA - just configure the required commands in the Monkey Island configuration! If you think that those specific commands have reuse value in other deployments besides your own, you can add a new PBA. Additionally, if you need to run actual Python code, you must add a new PBA.

How to add a new PBA

Modify the Infection Monkey Agent


  1. Create your new action in the directory monkey/infection_monkey/post_breach/actions by first creating a new file named after your action.
  2. In that file, create a class that inherits from the PBA class:

```python
from infection_monkey.post_breach.pba import PBA


class MyNewPba(PBA):
    pass
```

  3. Set the action name in the constructor, like so:

```python
from infection_monkey.post_breach.pba import PBA


class MyNewPba(PBA):
    def __init__(self):
        super(MyNewPba, self).__init__(name="MyNewPba")
```


If your PBA consists only of simple shell commands, you can reuse the generic PBA by passing the commands into the constructor; see an existing command-based PBA for reference.

Otherwise, you'll need to override the run method with your own implementation; see an existing PBA that overrides run for reference. Make sure to send the relevant PostBreachTelem upon success as well as upon failure, so the Island learns about both outcomes. You can log during the PBA as well.
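The following is an added example of the whole agent-side procedure above (a new file in the actions directory, a class inheriting from PBA, the name set in the constructor, and a run override that reports telemetry). It is not code from the Infection Monkey project. It assumes the interfaces this page names (a PBA base class taking name=, an overridable run method, and PostBreachTelem); the PostBreachTelem import path, its (pba, result) constructor with a .send() method, and the (output, success) result shape are assumptions to check against the agent's pba and telemetry modules. The action name WritableDirCheck is hypothetical. When the agent package is not importable, minimal stand-ins are used so the file runs on its own.

```python
# Added example (not Infection Monkey project code): a PBA whose action is
# Python code rather than a shell command. The PostBreachTelem import path,
# its (pba, result) constructor plus .send(), and the (output, success) result
# shape are assumptions to verify against the agent's own modules. When the
# agent package is not importable, the stand-ins below are used instead.
import logging
import os
import tempfile

try:
    from infection_monkey.post_breach.pba import PBA
    from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
except ImportError:  # stand-alone run: stand-ins, not the real classes
    class PBA(object):
        def __init__(self, name="unknown"):
            self.name = name

    class PostBreachTelem(object):
        sent = []  # records what would have been sent to the Island

        def __init__(self, pba, result):
            self.pba = pba
            self.result = result

        def send(self):
            PostBreachTelem.sent.append((self.pba.name, self.result))

LOG = logging.getLogger(__name__)

# Hypothetical action name; it must match the entry added to the Island schema.
PBA_NAME = "WritableDirCheck"


def check_writable(directory):
    """Probe whether the agent's user can create files in `directory`.

    Returns (output, success). A temporary file is created and removed again
    so the probe leaves no artifact behind on the victim.
    """
    try:
        fd, path = tempfile.mkstemp(prefix="pba_probe_", dir=directory)
    except OSError as err:  # missing directory, permission denied, ...
        return "cannot write to %s: %s" % (directory, err), False
    os.close(fd)
    os.remove(path)
    return "created and removed a probe file in %s" % directory, True


class WritableDirCheck(PBA):
    """Post-breach action: report whether a directory is writable."""

    def __init__(self, directory=None):
        super(WritableDirCheck, self).__init__(name=PBA_NAME)
        self.directory = directory if directory is not None else tempfile.gettempdir()

    def run(self):
        LOG.info("%s: probing %s", self.name, self.directory)
        result = check_writable(self.directory)
        # Report to the Island on success and on failure alike.
        PostBreachTelem(self, result).send()
        return result


if __name__ == "__main__":
    print(WritableDirCheck().run())
```

Note that run sends telemetry on both branches: a PBA that only reports on success gives the Island no way to distinguish "the action failed" from "the action never ran".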

Modify the Monkey Island


You'll need to add your PBA to the Monkey Island configuration schema, under post_breach_acts, like so:

```python
"post_breach_acts": {
    "title": "Post breach actions",
    "type": "string",
    "anyOf": [
        # ... existing PBA entries ...
        {
            "type": "string",
            "enum": [
                "MyNewPba"  # must match the name passed to the PBA constructor
            ],
            "title": "My new PBA",
            "attack_techniques": []
        },
    ],
},
```

Now you can choose your PBA when configuring the Infection Monkey on the Monkey Island.

Telemetry processing

If you wish to process your PBA telemetry (for example, to analyze it for report data), add a processing function to POST_BREACH_TELEMETRY_PROCESSING_FUNCS, which can be found under monkey/monkey_island/cc/services/telemetry/processing/. You can reference the process_communicate_as_backdoor_user_telemetry method as an example.
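As an added example of such a processing function (not code from the Infection Monkey project), the block below handles telemetry from a hypothetical WritableDirCheck PBA and registers it in a name-to-function lookup that mirrors the role of POST_BREACH_TELEMETRY_PROCESSING_FUNCS. The telemetry layout (a dict with monkey_guid and data, where data carries the PBA name and an [output, success] result) is an assumption about the PostBreachTelem payload, and the sample messages are constructed.

```python
# Added example (not Infection Monkey project code): a PBA telemetry
# processing function plus the name -> handler lookup it is registered in.
# The telemetry layout used here is an assumption; the messages are constructed.
import logging

LOG = logging.getLogger(__name__)

# Findings collected for the report (stand-in for the Island's database write).
REPORT_FINDINGS = []


def process_writable_dir_check_telemetry(telemetry_json):
    """Turn one PBA telemetry message into a report finding.

    Returns the finding dict that was recorded, or None when the message is
    malformed and was skipped (telemetry comes from a compromised host, so it
    is validated before anything is written).
    """
    data = telemetry_json.get("data") or {}
    result = data.get("result")
    if not (isinstance(result, (list, tuple)) and len(result) == 2):
        LOG.warning("malformed PBA result from %s", telemetry_json.get("monkey_guid"))
        return None
    output, success = result
    finding = {
        "monkey_guid": telemetry_json.get("monkey_guid"),
        "pba": data.get("name"),
        "success": bool(success),
        "detail": str(output),
    }
    REPORT_FINDINGS.append(finding)
    return finding


# Plays the role of POST_BREACH_TELEMETRY_PROCESSING_FUNCS: PBA name -> handler.
PROCESSING_FUNCS = {
    "WritableDirCheck": process_writable_dir_check_telemetry,
}


def process_post_breach_telemetry(telemetry_json):
    """Dispatch a post-breach telemetry message to its PBA's handler.

    A PBA without a registered handler is still valid; it simply produces no
    report finding here. Returns the handler's result, or None.
    """
    name = (telemetry_json.get("data") or {}).get("name")
    handler = PROCESSING_FUNCS.get(name)
    if handler is None:
        return None
    return handler(telemetry_json)


# Constructed sample messages in the assumed layout.
SAMPLE_TELEMETRY = [
    {"monkey_guid": "1111", "data": {"name": "WritableDirCheck",
                                     "result": ["created and removed a probe file in /tmp", True]}},
    {"monkey_guid": "2222", "data": {"name": "WritableDirCheck",
                                     "result": ["cannot write to /etc: Permission denied", False]}},
    {"monkey_guid": "3333", "data": {"name": "SomeOtherPba", "result": ["x", True]}},
    {"monkey_guid": "4444", "data": {"name": "WritableDirCheck", "result": "garbled"}},
]


def process_all(messages):
    """Process a batch of messages; returns the findings produced."""
    return [f for f in (process_post_breach_telemetry(m) for m in messages) if f is not None]


if __name__ == "__main__":
    for finding in process_all(SAMPLE_TELEMETRY):
        print(finding)
```

The handler validates the result field before recording anything: the telemetry originates on a machine the Monkey has just compromised, so the Island should treat a malformed payload as something to log and skip rather than something to trust.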