
cyb3rfox/ghost


GHOST Framework Documentation

Genuine Host Operations Security Tester

"Zero Footprint. Maximum Impact."

Overview

GHOST provides a controlled, repeatable method for testing EDR (Endpoint Detection and Response) solutions using multiple remote execution methods. Version 2.0 adds orchestration capabilities for multi-target testing, pivoting support, and multiple execution methods including WMI, PowerShell Remoting, and WinRS - all while leaving zero framework footprint on target systems.

Components

Core Scripts

  1. ghost-v2.ps1 - Enhanced multi-method execution engine
  2. Invoke-GHOSTOrchestrator.ps1 - Multi-target orchestration controller
  3. Start-GHOST.ps1 - Interactive setup and execution wrapper
  4. run-ghost.ps1 - Helper script with user-friendly interface
  5. run-ghost.bat - Batch wrapper for CMD environments

Command Files

  1. ghost-commands.txt - Standard test suite with comprehensive coverage
  2. ghost-advanced.txt - Advanced patterns for sophisticated EDR testing
  3. ghost-minimal.txt - Quick validation suite for basic testing
  4. ghost-filetransfer.txt - File upload/download and data exfiltration tests
  5. ghost-filetransfer-advanced.txt - Advanced exfiltration and DLP bypass patterns
  6. ghost-pivoting.txt - Pivot discovery and lateral movement patterns

Helper Scripts

  • New-GHOSTTestFiles.ps1 - Generates test files for upload testing
  • GHOST-FileTransfer-Examples.ps1 - Usage examples for file transfer features

🚀 Version 2.0 Features

Multi-Target Orchestration

  • Test multiple systems in parallel or sequentially
  • Group-based target organization
  • Automatic pivot discovery and testing
  • HTML reporting with visual dashboards

Multiple Execution Methods

  • WMI: Traditional Windows Management Instrumentation
  • PowerShell Remoting: Modern PowerShell-based remote execution
  • WinRS: Windows Remote Shell for legacy environments
  • Auto: Automatic detection of best available method

Pivoting Support

  • Automatic discovery of lateral movement targets
  • Chain pivoting simulation (A → B → C)
  • Credential reuse patterns
  • Network path discovery

Usage

Quick Start (Interactive)

# Interactive setup and execution
.\Start-GHOST.ps1 -Interactive

# This provides a menu-driven interface for:
# - Creating target configurations
# - Running orchestrated tests
# - Viewing reports
# - Cleaning up artifacts

Orchestrated Multi-Target Testing

# 1. Create configuration file (interactive)
.\Start-GHOST.ps1 -Mode Setup

# 2. Or use the sample configuration
Copy-Item targets-sample.json targets.json
# Edit targets.json with your targets and credentials

# 3. Run orchestrated tests
.\Invoke-GHOSTOrchestrator.ps1 -ConfigFile targets.json -EnablePivoting -Parallel

# 4. View HTML report (auto-generated)
Start-Process edr-test-report-*.html

Single Target Testing (Multiple Methods)

# Auto-detect best method
.\ghost-v2.ps1 -TargetComputer SERVER01 -CommandFile edr-test-commands.txt -Method Auto

# Use specific method - PowerShell Remoting
.\ghost-v2.ps1 -TargetComputer SERVER01 -CommandFile edr-test-commands.txt -Method PSRemoting

# Use WinRS for legacy systems
.\ghost-v2.ps1 -TargetComputer LEGACY01 -CommandFile edr-test-minimal.txt -Method WinRS

# Traditional WMI method
.\ghost-v2.ps1 -TargetComputer SERVER01 -CommandFile edr-test-commands.txt -Method WMI

Configuration File Format

The orchestrator uses JSON configuration files to define targets, credentials, and settings:

{
  "targets": [
    {
      "hostname": "SERVER01",
      "group": "servers",
      "credential": "default",
      "method": "auto|WMI|PSRemoting|WinRS",
      "commandFile": "edr-test-commands.txt"
    }
  ],
  "credentials": {
    "default": {
      "username": "DOMAIN\\User",
      "password": "SecurePassword"
    }
  },
  "settings": {
    "parallel": true,
    "throttleLimit": 5,
    "enablePivoting": true,
    "stopOnError": false
  }
}

Target Properties

  • hostname: Target computer name or IP address
  • group: Logical grouping for organization
  • credential: Reference to credential object
  • method: Execution method (auto detects best)
  • commandFile: Specific command file to execute
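The configuration file is the one input that silently decides which hosts get touched and with which credentials, so it is worth checking before the orchestrator reads it. The validator below is an added example, not part of the GHOST project: it parses targets.json, confirms that every target's credential reference resolves to an entry under "credentials", that "method" is one of the four documented values (the sample's "auto|WMI|PSRemoting|WinRS" placeholder must be replaced by a single value), that the referenced command file exists, and it flags clear-text passwords so the file's ACL can be restricted. The function name and the returned list of strings are assumptions; the JSON keys are the ones documented above.

```powershell
# Added example (not part of the GHOST project): validate a targets.json before
# handing it to Invoke-GHOSTOrchestrator.ps1. Function name and output shape are
# assumptions; the JSON keys follow the format documented above.
function Test-GhostConfig {
    param([Parameter(Mandatory)][string]$Path)

    $allowedMethods = @('auto', 'WMI', 'PSRemoting', 'WinRS')
    $problems = New-Object System.Collections.Generic.List[string]

    try {
        $config = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    } catch {
        return @("Cannot parse JSON: $($_.Exception.Message)")
    }

    if (-not $config.targets -or @($config.targets).Count -eq 0) {
        $problems.Add('No targets defined')
    }

    # Credential references in targets must resolve to an entry under "credentials"
    $credNames = @()
    if ($config.credentials) {
        $credNames = @($config.credentials.PSObject.Properties.Name)
    }

    foreach ($t in @($config.targets)) {
        if ([string]::IsNullOrWhiteSpace($t.hostname)) {
            $problems.Add('Target without hostname')
            continue
        }
        if ($t.credential -and $credNames -notcontains $t.credential) {
            $problems.Add("$($t.hostname): credential '$($t.credential)' is not defined")
        }
        if ($t.method -and $allowedMethods -notcontains $t.method) {
            $problems.Add("$($t.hostname): unknown method '$($t.method)' (expected one of $($allowedMethods -join ', '))")
        }
        if ($t.commandFile -and -not (Test-Path -LiteralPath $t.commandFile)) {
            $problems.Add("$($t.hostname): command file '$($t.commandFile)' not found")
        }
    }

    # A clear-text password in the file is a risk in itself: flag it so the operator
    # restricts the file's ACL or supplies the credential at run time instead.
    foreach ($name in $credNames) {
        if ($config.credentials.$name.password) {
            $problems.Add("credential '$name' stores a clear-text password; restrict access to $Path")
        }
    }

    if ($config.settings -and $null -ne $config.settings.throttleLimit -and $config.settings.throttleLimit -lt 1) {
        $problems.Add('settings.throttleLimit must be at least 1')
    }

    return $problems.ToArray()
}

# Usage: an empty result means the file passed every check
$issues = Test-GhostConfig -Path .\targets.json
if ($issues.Count -eq 0) { 'targets.json OK' } else { $issues }
```

Run it as the first step of any orchestrated test; a non-empty result is a reason not to start the run rather than something to fix while targets are already being contacted.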

Execution Methods Comparison

| Method     | Port            | Requirements        | Best For           |
|------------|-----------------|---------------------|--------------------|
| WMI        | TCP 135, RPC    | DCOM, WMI Service   | Legacy systems     |
| PSRemoting | TCP 5985/5986   | WinRM Service       | Modern Windows     |
| WinRS      | TCP 5985/5986   | WinRM Service       | Command-line only  |
| Auto       | Various         | Tests all methods   | Mixed environments |

Pivoting and Lateral Movement

Pivot Discovery Commands

# In command files, use the pivot directive
pivot HOSTNAME     # Mark host for pivot testing
lateral HOST CMD   # Execute on different target

Pivot Chain Example

The orchestrator can automatically test discovered pivot targets:

  1. Initial target executes discovery commands
  2. pivot commands mark new targets
  3. Orchestrator tests newly discovered targets
  4. Process repeats for multi-hop scenarios

Command File Format

Execution Commands

  • Direct CMD: whoami - Executes as cmd.exe /c whoami
  • Explicit CMD: cmd netstat -an - Runs specified CMD command
  • PowerShell: powershell Get-Process - Executes PowerShell command with encoding

Control Commands

  • sleep [ms]: Pause for specified milliseconds (e.g., sleep 2000)
  • wait [seconds]: Pause for specified seconds (e.g., wait 5)
  • log [message]: Add message to log file
  • checkpoint [name]: Create named checkpoint in log
  • #: Comment line (ignored)

File Transfer Commands

  • upload [local_file] [remote_path]: Upload file to remote system via UNC
    • Example: upload C:\local\file.txt C:\Temp\uploaded.txt
    • Example: upload malware.exe C:\Windows\Temp\test.exe
  • download [remote_file] [local_path]: Download file from remote system
    • Example: download C:\Windows\System32\config\SAM downloads\sam.txt
    • Example: download C:\Users\Admin\Documents\passwords.xlsx stolen.xlsx
  • mkdir [remote_path]: Create directory on remote system
    • Example: mkdir C:\Temp\Exfil
  • delete [remote_path]: Delete file on remote system
    • Example: delete C:\Temp\test.txt
  • copy [source] [destination]: Copy file on remote system
    • Example: copy C:\Users\Admin\data.txt C:\Temp\staged.txt

UNC Path Handling

The script automatically handles UNC path conversion:

  • Local paths like C:\Temp\file.txt are converted to \\COMPUTERNAME\C$\Temp\file.txt
  • Direct UNC paths like \\server\share\file.txt are used as-is
  • Credentials are applied when specified via -Credential parameter
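Because a command file drives everything the framework does on a target, being able to read a file into a structured plan before executing it is the single most useful review step. The parser below is an added example, not code from the GHOST project: it covers the execution, control, pivot and file-transfer directives documented above, applies the UNC conversion rule to the remote side of each file-transfer command, and emits one object per line so the plan can be inspected or diffed under version control. Function names and the output shape are assumptions; "with encoding" for the powershell directive is taken to mean -EncodedCommand, as the detection-rule list in this document suggests.

```powershell
# Added example (not part of the GHOST project): parse the GHOST command-file
# format into a reviewable plan. Function names and output shape are assumptions;
# the directives are the ones documented above.
function ConvertTo-GhostRemotePath {
    # Local drive paths become admin-share UNC paths on the target; UNC paths pass through unchanged.
    param([string]$Path, [string]$ComputerName)
    if ($Path -match '^\\\\') { return $Path }
    if ($Path -match '^([A-Za-z]):\\(.*)$') {
        return "\\$ComputerName\$($Matches[1])`$\$($Matches[2])"   # C:\Temp\f.txt -> \\HOST\C$\Temp\f.txt
    }
    throw "Not a local drive path or UNC path: $Path"
}

function Read-GhostCommandFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$TargetComputer
    )
    $lineNo = 0
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $lineNo++
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }   # blank line or comment: ignored

        $parts = $line -split '\s+', 2
        $verb  = $parts[0].ToLowerInvariant()
        $rest  = if ($parts.Count -gt 1) { $parts[1] } else { '' }
        $entry = [ordered]@{ Line = $lineNo; Verb = $verb; Args = @{} }

        switch ($verb) {
            'sleep'      { $entry.Args.Milliseconds = [int]$rest }          # sleep [ms]
            'wait'       { $entry.Args.Milliseconds = [int]$rest * 1000 }   # wait [seconds]
            'log'        { $entry.Args.Message = $rest }
            'checkpoint' { $entry.Args.Name = $rest }
            'pivot'      { $entry.Args.Host = $rest }                       # mark host for pivot testing
            'lateral'    {                                                  # lateral HOST CMD
                $h, $c = $rest -split '\s+', 2
                $entry.Args.Host = $h; $entry.Args.CommandLine = "cmd.exe /c $c"
            }
            { $_ -in 'upload', 'download', 'copy' } {
                $a, $b = $rest -split '\s+', 2
                switch ($verb) {
                    'upload'   { $entry.Args.Source = $a; $entry.Args.Destination = ConvertTo-GhostRemotePath $b $TargetComputer }
                    'download' { $entry.Args.Source = ConvertTo-GhostRemotePath $a $TargetComputer; $entry.Args.Destination = $b }
                    'copy'     { $entry.Args.Source = ConvertTo-GhostRemotePath $a $TargetComputer
                                 $entry.Args.Destination = ConvertTo-GhostRemotePath $b $TargetComputer }
                }
            }
            { $_ -in 'mkdir', 'delete' } { $entry.Args.Path = ConvertTo-GhostRemotePath $rest $TargetComputer }
            'cmd'        { $entry.Args.CommandLine = "cmd.exe /c $rest" }
            'powershell' {
                # Assumed encoding: UTF-16LE + Base64, i.e. powershell.exe -EncodedCommand
                $bytes = [Text.Encoding]::Unicode.GetBytes($rest)
                $entry.Args.CommandLine = 'powershell.exe -EncodedCommand ' + [Convert]::ToBase64String($bytes)
            }
            default {
                # Any other line is a direct CMD command
                $entry.Verb = 'cmd'
                $entry.Args.CommandLine = "cmd.exe /c $line"
            }
        }
        [pscustomobject]$entry
    }
}

# Usage: print the whole plan, then only the lines that would write to the target's file system
$plan = Read-GhostCommandFile -Path .\ghost-minimal.txt -TargetComputer SERVER01
$plan | Format-Table Line, Verb, @{ n = 'Detail'; e = { ($_.Args.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' ' } }
$plan | Where-Object { $_.Verb -in 'upload', 'mkdir', 'delete', 'copy' } | Format-Table Line, Verb
```

The second listing is the one to show the SOC before a run: it is exactly the set of lines that contradict the "read-only by default" expectation stated under Risk Mitigation, so anyone reviewing the test knows which artifacts will need cleaning up.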

Test Categories

Standard Suite (edr-test-commands.txt)

  • System reconnaissance
  • Process and service enumeration
  • Registry operations
  • File system operations
  • Persistence mechanism detection
  • Credential access patterns
  • Network activity patterns
  • Security software detection
  • Event log queries
  • Defense evasion patterns
  • Lateral movement preparation

Advanced Suite (edr-test-advanced.txt)

  • AMSI bypass detection
  • Living off the Land (LOLBAS) techniques
  • PowerShell suspicious patterns
  • WMI abuse patterns
  • Active Directory reconnaissance
  • Memory analysis patterns
  • Network tunneling detection
  • Code injection patterns
  • Privilege escalation patterns
  • Data staging patterns
  • Browser data access
  • Security product evasion

Minimal Suite (edr-test-minimal.txt)

  • Basic reconnaissance
  • Process discovery
  • Network discovery
  • PowerShell patterns
  • WMI activity

Safety Considerations

Pre-Testing Checklist

  1. Authorization: Ensure written authorization for target systems
  2. Environment: Test in isolated lab environment first
  3. Monitoring: Have SOC team aware of testing schedule
  4. Backup: Ensure system backups exist before testing
  5. Access: Use appropriate service accounts with limited privileges

Risk Mitigation

  • All commands are READ-ONLY by default (no system modifications)
  • Built-in delays prevent overwhelming target systems
  • Logging provides complete audit trail
  • Checkpoints allow for incremental testing

Network Security

  • WMI uses RPC (TCP 135) and dynamic RPC ports
  • Ensure firewall rules permit WMI traffic
  • Consider network segmentation implications
  • Monitor for lateral movement detection

Troubleshooting

Common Issues

WMI Connection Failed

Error: Failed to connect to TARGET
Solution: 
- Verify WMI service is running: sc.exe \\target query winmgmt (use sc.exe rather than sc from a PowerShell prompt, where sc is an alias for Set-Content)
- Check firewall rules for TCP 135 and RPC
- Verify credentials have remote WMI permissions

Access Denied

Error: Access denied
Solution:
- Add user to "Distributed COM Users" group
- Grant WMI namespace permissions
- Enable remote UAC token filtering if needed

Command Timeout

Error: Command execution timeout
Solution:
- Increase DefaultTimeout parameter
- Check if target system is responsive
- Verify network connectivity stability
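The three issues above come down to a short list of questions: is the port open, does the service answer, and do the credentials carry remote WMI or WinRM rights. The function below is an added example, not part of the GHOST project: run from the testing host, it checks TCP 135 and 5985/5986 (the ports in the execution-method table), then exercises WinRM with Test-WSMan and WMI over DCOM with a CIM session, so a failure is attributed to the network, the service or permissions before a test run starts. The function name is an assumption, and the preference order used for the suggested method (PSRemoting when WinRM answers, otherwise WMI) is an assumption about how the framework's Auto mode chooses.

```powershell
# Added example (not part of the GHOST project): pre-flight reachability and
# permission check for one target. Function name and the PSRemoting-over-WMI
# preference are assumptions.
function Test-GhostTargetReachability {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential
    )
    $result = [ordered]@{ Target = $ComputerName }

    # Port checks: TCP 135 (RPC endpoint mapper, used by WMI) and 5985/5986 (WinRM for PSRemoting/WinRS)
    foreach ($port in 135, 5985, 5986) {
        $tnc = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        $result["Tcp$port"] = $tnc.TcpTestSucceeded
    }

    # WinRM: Test-WSMan succeeds only if the WinRM service answers and accepts the authentication
    try {
        $wsman = if ($Credential) {
            Test-WSMan -ComputerName $ComputerName -Credential $Credential -Authentication Default -ErrorAction Stop
        } else {
            Test-WSMan -ComputerName $ComputerName -ErrorAction Stop
        }
        $result.WinRM = "OK (stack $($wsman.ProductVersion))"
    } catch { $result.WinRM = "FAILED: $($_.Exception.Message)" }

    # WMI over DCOM: this path needs TCP 135, the dynamic RPC ports, DCOM launch/access rights
    # and namespace permissions, so a success here covers all of the "Access denied" items above
    try {
        $params = @{ ComputerName = $ComputerName; SessionOption = (New-CimSessionOption -Protocol Dcom); ErrorAction = 'Stop' }
        if ($Credential) { $params.Credential = $Credential }
        $session = New-CimSession @params
        $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
        $result.WMI = "OK ($($os.Caption))"
        Remove-CimSession -CimSession $session
    } catch { $result.WMI = "FAILED: $($_.Exception.Message)" }

    # Assumed preference order for the Auto method: PSRemoting when WinRM answers, otherwise WMI
    $result.SuggestedMethod = if ($result.WinRM -like 'OK*') { 'PSRemoting' }
                              elseif ($result.WMI -like 'OK*') { 'WMI' }
                              else { 'none reachable' }
    [pscustomobject]$result
}

# Usage
Test-GhostTargetReachability -ComputerName SERVER01 -Credential (Get-Credential) | Format-List
```

A port that is open while the matching service check fails points at service state or permissions; a closed port points at the firewall or segmentation, which is the case the Network Security notes above describe.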

Enabling WMI Access

# On target system (requires admin):
# Enable WMI service
Set-Service -Name winmgmt -StartupType Automatic
Start-Service winmgmt

# Configure firewall
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

# Set DCOM permissions
dcomcnfg.exe
# Navigate to Component Services > Computers > My Computer > Properties
# Security tab > Edit Default > Add user/group with Remote Access

Log Analysis

Log File Format

Logs are created with timestamp format: edr-test-YYYYMMDD-HHMMSS.log

Sample Log Entry

2024-01-15 14:30:45 [INFO] Testing WMI connection to SERVER01...
2024-01-15 14:30:46 [SUCCESS] Successfully connected to SERVER01 - OS: Windows Server 2019
2024-01-15 14:30:47 [INFO] Executing: cmd.exe /c whoami
2024-01-15 14:30:48 [SUCCESS] Command executed successfully - PID: 4532

Log Levels

  • INFO: General information
  • SUCCESS: Successful operations
  • WARNING: Non-critical issues
  • ERROR: Failed operations
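The log is the audit trail the framework promises, and it is also the timeline needed for the "map commands to triggered alerts" step under Best Practices. The parser below is an added example, not part of the GHOST project: it turns each line into a timestamp, level and message, then pairs every "Executing:" entry with the SUCCESS or ERROR line that follows it so each command has a start time, an outcome and, when logged, the PID to search for in EDR telemetry. The function names and the timeline object are assumptions; the line format is the one shown in the sample above, and the sample lines embedded in the code are constructed.

```powershell
# Added example (not part of the GHOST project): parse a GHOST log and build a
# per-command timeline. Function names are assumptions; the regex follows the
# sample entries documented above.
function ConvertFrom-GhostLog {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Line)
    process {
        foreach ($l in $Line) {
            if ($l -match '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?<level>[A-Z]+)\] (?<msg>.*)$') {
                [pscustomobject]@{
                    Timestamp = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss', $null)
                    Level     = $Matches.level
                    Message   = $Matches.msg
                }
            }
        }
    }
}

function Get-GhostCommandTimeline {
    # Pair each "Executing:" entry with the next SUCCESS/ERROR line so every command
    # has a start time, an outcome and (when logged) the PID to look for in EDR telemetry.
    param([Parameter(Mandatory)][object[]]$Entries)
    $pending = $null
    foreach ($e in $Entries) {
        if ($e.Message -match '^Executing: (.+)$') {
            $pending = [pscustomobject]@{ Started = $e.Timestamp; Command = $Matches[1]; Outcome = $null; ProcessId = $null; Finished = $null }
            continue
        }
        if ($pending -and $e.Level -in 'SUCCESS', 'ERROR') {
            $pending.Outcome  = $e.Level
            $pending.Finished = $e.Timestamp
            if ($e.Message -match 'PID: (\d+)') { $pending.ProcessId = [int]$Matches[1] }
            $pending
            $pending = $null
        }
    }
}

# Constructed sample lines in the documented format (the last two are made up to show an ERROR outcome)
$sample = @'
2024-01-15 14:30:45 [INFO] Testing WMI connection to SERVER01...
2024-01-15 14:30:46 [SUCCESS] Successfully connected to SERVER01 - OS: Windows Server 2019
2024-01-15 14:30:47 [INFO] Executing: cmd.exe /c whoami
2024-01-15 14:30:48 [SUCCESS] Command executed successfully - PID: 4532
2024-01-15 14:30:50 [INFO] Executing: cmd.exe /c netstat -an
2024-01-15 14:30:51 [ERROR] Command execution timeout
'@ -split "`r?`n"

$entries = $sample | ConvertFrom-GhostLog
$entries | Group-Object Level | Select-Object Name, Count          # count of entries per level
Get-GhostCommandTimeline -Entries $entries | Format-Table          # one row per executed command

# Against a real run: Get-Content .\edr-test-20240115-143045.log | ConvertFrom-GhostLog
```

Exporting the timeline with Export-Csv and placing it next to the EDR alert export for the same window gives a two-column comparison in which every command row without a matching alert is a detection gap to tune.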

Integration with EDR/SIEM

Detection Rules to Validate

  1. WMI Process Creation: ParentProcess = WmiPrvSE.exe
  2. Remote Command Execution: Network logon type + process creation
  3. PowerShell Encoded Commands: -EncodedCommand parameter
  4. LOLBAS Usage: Legitimate binaries in suspicious context
  5. Reconnaissance Activity: Multiple recon commands in sequence
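Before tuning the EDR, it helps to confirm that the raw telemetry actually carries the fields the first three rules depend on. The code below is an added example, not part of the GHOST project: it evaluates the WMI-parent, encoded-PowerShell and network-logon rules over process-creation records, first on constructed samples and then on live Sysmon Event ID 1 records if Sysmon is installed. The record shape (Image, ParentImage, CommandLine, LogonType) and the function name are assumptions; Sysmon's process-creation event has no logon type, so for live records that field is left empty and would have to be joined from the 4624 logon event by LogonId.

```powershell
# Added example (not part of the GHOST project): check detection rules 1-3 above
# against process-creation telemetry. Record shape and function name are assumptions.
function Test-GhostDetectionRules {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($ev in $Events) {
        $hits = @()
        # Rule 1: process created by the WMI provider host (-match is case-insensitive by default)
        if ($ev.ParentImage -match '\\WmiPrvSE\.exe$') { $hits += 'WMI Process Creation' }
        # Rule 3: -EncodedCommand and the prefixes powershell.exe accepts for it
        if ($ev.CommandLine -match '\s-(e|ec|en|enc|encodedcommand)\s') { $hits += 'PowerShell Encoded Command' }
        # Rule 2: process creation under a network (type 3) logon
        if ($ev.LogonType -eq 3) { $hits += 'Remote Command Execution' }
        [pscustomobject]@{
            Time        = $ev.Time
            Image       = $ev.Image
            ParentImage = $ev.ParentImage
            Rules       = $hits -join '; '
        }
    }
}

# Constructed sample records: two WMI-spawned processes from a test run and one benign local process
$sampleEvents = @(
    [pscustomobject]@{ Time = '2024-01-15 14:30:47'; Image = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'; CommandLine = 'cmd.exe /c whoami'; LogonType = 3 },
    [pscustomobject]@{ Time = '2024-01-15 14:30:52'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
                       CommandLine = 'powershell.exe -EncodedCommand RwBlAHQALQBQAHIAbwBjAGUAcwBzAA=='; LogonType = 3 },
    [pscustomobject]@{ Time = '2024-01-15 14:31:00'; Image = 'C:\Windows\System32\notepad.exe'
                       ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'notepad.exe'; LogonType = 2 }
)
Test-GhostDetectionRules -Events $sampleEvents | Format-Table -AutoSize

# Live check on a target with Sysmon: map Event ID 1 (ProcessCreate) fields onto the same record shape.
# LogonType is not part of the Sysmon event and is left $null here.
$live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = ($d | Where-Object Name -eq 'Image').'#text'
            ParentImage = ($d | Where-Object Name -eq 'ParentImage').'#text'
            CommandLine = ($d | Where-Object Name -eq 'CommandLine').'#text'
            LogonType   = $null
        }
    }
if ($live) { Test-GhostDetectionRules -Events $live | Where-Object Rules | Format-Table -AutoSize }
```

If a GHOST command appears in the framework log but the corresponding live record never matches a rule, the gap is in telemetry collection (for example command-line logging disabled) rather than in the EDR's rule logic, and that is the first thing to fix.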

Expected Alerts

  • Remote WMI activity
  • Encoded PowerShell execution
  • System enumeration
  • Registry queries for persistence
  • Network discovery commands
  • Security software enumeration

Best Practices

  1. Start Small: Begin with minimal test suite
  2. Document Results: Map commands to triggered alerts
  3. Iterate: Gradually increase test complexity
  4. Validate: Confirm all expected alerts are generated
  5. Tune: Adjust EDR rules based on gaps
  6. Regular Testing: Schedule periodic validation
  7. Version Control: Track command file changes

Legal and Compliance

WARNING: This tool executes remote commands and should only be used:

  • On systems you own or have explicit permission to test
  • In compliance with organizational security policies
  • With proper change management approval
  • Under supervision of security team

This framework is for defensive security testing only.

Contributing

To add new test patterns:

  1. Add commands to appropriate command file
  2. Use checkpoints to mark test sections
  3. Include appropriate sleep/wait delays
  4. Document the detection goal
  5. Test in isolated environment first

Version History

  • v1.0: Initial release with core WMI testing capability

Support

For questions or issues, consult your security team or EDR vendor documentation.

About

EDR/Analyst validation tool
