Releases: cmu-sei/GHOSTS
Releases · cmu-sei/GHOSTS
v8.0
GHOSTS v8 👻
Windows clients for this release:
ghosts v8.0.0 Win 64bit
ghosts v8.0.0 Win 32bit
Linux clients for this release:
ghosts v8.0.0 linux client
API
docker pull dustinupdyke/ghosts:latest
What's New
- Beginning of moving to websockets — NPCs are now "always connected" 📶 and do not need to "check in" in order to execute activities, althought these are still being built out, and the old check-in system is still in place for the time being.
- Adds ability to configure random timespans to a timeline for delaybefore or delayafter some activity is executed.
- Cleans up and simplifies configuration on client and server systems (breaking change). 🤖
- Updates all framework and dependency versions to latest (.NET8).
- NetOffice binary update, particularly negatively impacting Excel, forcing it to continually restart. Updated to latest (and new source) for NetOffice libraries across all Office products.
- Installation binaries are now baked into the API (download to client from your local installation)
Improvements
- "One docker-compose To Rule Them All" — we were seeing installs fail because of piecemeal installation of various ghosts modules. Now, there is a single docker-compose file that will install all of the necessary components for a GHOSTS system.
- Animator and SPECTRE merged into ghosts api proper.
- Animator job management is now done through the UI.
- API endpoints have been re-organized in a more logical fashion. 🗂
- Added a favicon. 💅
Bug Fixes 🐛
- Updates Grafana docker compose to not use root.
- Cleans up containers and ensures all are amd64 (not arm!).
- Fixes a bug to get the cmd window to stay open after running a command, despite attempts to use parameters to get it to stay open.
- Cmd now stays open, but this can have different outcomes based on the types of commands passed in, plus ghosts will reap windows in order to save on machine resources, so a used command window won't always be there later.
- New improved RDP, fixes an array of different connectivity bugs.
- Fixes bugs in delay before and after with fixed integer/long values over int maximum.
- Adds "log" level to application logs.
- Fixes documentation bug in machine group timelines.
7.3.0
Adds:
- initial websocket connection code to begin "always connected" agents, which allows for a faster turn around time for performing activities and coordinating things like social media, chat, etc. (this is very early, and is not production ready, this is in fact, just code to help test performance in a large environment...
- updated docker-compose that hopefully solves grafana not starting (removed root requirement)
- updates to net8.0, and all latest packages
- new ghosts logos
v7.2.0
Windows clients for this release:
Linux clients for this release:
API
This version features:
Download timeline from http|s url before doing anything (if this fails, the client falls back to local). New section for this in ./config/application.json:
"TimelineConfiguration": {
"Location": "https://raw.githubusercontent.com/cmu-sei/GHOSTS/6e04885809dfdceb138fbf9cdf1a1f795ea907ef/src/Ghosts.Client/config/timeline.json"
},or like this for local (basically disable download default timeline at startup):
"TimelineConfiguration": {
"Location": "config/timeline.json",
},
v7.0.0
Windows clients for this release:
Linux clients for this release:
This version features:
- Continued performance improvements
- Better clean-up of created client artifacts
- Improved Logging
- Handler enhancements for FF and Chrome Browsers, including:
- Complete forms
- Post payloads (images, files, etc.)
- Better UA string handling
- SharePoint
- Drupal
- New Jabber (XMPP) handler
- New RDP handler
- New sFTP handler
- New SSH handler
- Client now supports AutoIT (lots of features we might add here in the future)
- Fixed issue with bad cmd config (7.0.30.0)
v 7.0.111
- Cron-like scheduling
- Deny list for emails and browser URL handling
- auto-start management
- New outlook handlers
v6.2.0
This update requires more than the simple "update ghosts.exe and ghosts.domain.dll" due some new dependencies, but has no breaking changes (thus only the minor version revision).
- introduces Outlook handler command "click on a random link in an inbox email" (unless the link domain is in the deny list)
- introduces deny list (other features can potentially implement this in the future)
v6.1.0
BREAKING CHANGES:
- Finally drops support for Internet Explorer (IE). I am not aware of anyone using this handler
- Updates logging to latest due to some security concerns - nlog.config must be updated
- Updates internal logging to UTC (not the timeline history, this was already UTC)
Windows Client:
- Updates dependencies, including the latest versions of chrome and gecko drivers
- Adds randomization tokens to web browsing, such as document?id={uuid}, where GHOSTS replaces this token with a UUID at runtime for better randomization of URLs
- Adds the ability to save Office documents to an array of locations for better file save randomization
- Adds better browser handling of downloads (avoids blocking modal download windows)
- Removes lower-casing of emails when searching documents for next link to browse
- Cleans up several bugs with "working hours"
- Cleans up a specific bug with port listener threads dying
- Memory use should be significantly reduced
- Fixes export of PDFs where those files would be saved in the wrong directory
- Cleans up logging
- Cleans up handling of thread aborts which happen on shutdown or timeline change
- Fixed bug with outside email addresses
- Changed the cmd paradigm to avoid typing in wrong window errors
Other:
- Adds PANDORA Server
v6.0.0
The v6 release features:
- Moves everything (API, clients, resultant containers) to dotnetcore 6.0 (LTS)
- Scripted browsing for executing specific pathways — using Selenium IDE in browser to record specific browser activity, then export those instructions (as nunit or xunit tests) and drop the resulting .cs file in client directory and have it auto-execute
- Give each timeline a specific ID and make it stoppable, reportable
- API timeline updated to timelines - enabling query by machine or machine and timeline to retrieve client timelines
- Provide an API endpoint for querying trackables
- Callbacks for admin functions that aren't real-time (dissemination of timelines, etc.)
- Improved Linux support for Firefox. New Linux support for Google Chrome browsing
- Better link picking for "sticky" browsing
- Client timeline request (client send default timeline back to API) for Linux
- Client timeline request all (Windows and Linux)
- Linux client local survey (albeit limited functionality currently) and API endpoint (/api/surveys) to view
- General cleanup of the domain .dll, which is shared across all GHOSTS binaries: API, windows, and Linux clients
- Crawl mode for browser: Setting the command to
crawlsets the browser into spider mode, and it will browse all self-contained links to a site in the commandArgs array. Link depth is based on thestickinessnumber - but, the higher the number the longer it takes to complete a crawl of each site in the array.
Specific to the Windows client:
- Fixes issue with default timeline locking
- Fixes issue with GHOSTS created files being deleted too early by the safety net
- Adds pdf export for any office doc created
- Closes office document rather than leaving it open
- Adds greater variability to created documents - different text, formatting, etc.
API Installation
- For the API, the latest docker image is here which can be pulled via:
$ docker pull dustinupdyke/ghosts:6.0.2
- Don't forget to update the docker-compose.yml file if applicable.
- It is recommended to start with a new fresh Postgres database instance, so you may want to move the existing volume mapping to the host or create a new one via the docker-compose.yml file
Client Installation
Note — for the Linux client, I had to update geckodriver/chromedriver in order to match my OS and browser version.
v5.1.2
Moves dotnetcore to 5.0.0
Updates json serializers to get around issues with timespans and enums
v4.0.0.0
Breaking Changes from previous versions:
- C2 Database was a weird naming convention mix, this update changes tables to normal postgres format e.g. "table_names". This should be the last breaking change for the database for a long while. The future will be migrations for any database changes.
- Some new config values for the Client
Adds:
- Check for malformed timeline json and writes specific error to console and logs
Ability to Base64 encode (client) and decode (C2) the client workstation current username (for cases that include characters such as "š" or "ć") - Ability to pull content off shared drive (such as email content) via configuration
- Better API documentation via swagger
Removes:
- Dependency on Microsoft's Identity library (nobody seems to be using users to restrict all/portions of the API, and there are likely better ways to do this now in the future if we revisit) — this also made migrations janky
v3.1.1.0
Fixes problem with timeline args being object arrays and serialization. Moved these to strings proper.