Spawn processes outside of "ghosts.exe" parent process

[KammLote]

Hello,
Thank you very much for your work on Ghosts.

I'd like to deploy the tool to create real life activity on a Security detection lab. Yet, I realised that many of the processes (chromedriver.exe, notepad, ...) spawned by Ghost are child processes of the "ghosts.exe" process.

This "artificial" activity can be easily detected compared to manual activities (malicious activities in the case of a "SOC detection lab").

Thus, would there be a way to make those child processes spawn outside of the "ghosts.exe" parent process ?
It is for instance the case for Office processes:

Thanks for your reply !

[sei-dupdyke]

Hi, thanks for checking out the project.

We have looked into several techniques to break the connection between ghosts and the processes it controls, but for training and exercise purposes, we've not released this as most teams write it into the rules of engagement and exercising teams ignore it. Sorry.

[Cyb3r-Monk]

Would it be possible to share the code so that we can use it locally by compiling it?

[sei-dupdyke]

Negative, sorry.

[zaneGittins]

This does make it difficult to use ghost to simulate a realistic scenario. If your gathering host logs from the range, using Sysmon for example, the process chain will always lead back to ghost.exe making it trivial to identify automated activity initiated by the agent. What's the concern here? It seems like an integral feature for the project.

[sei-dupdyke]

I get it, and you're right, sorry. We avoid this by running the "bad" bits of activity on the network through other means or directly.

TBH, I haven't had bandwidth to look at or work on breaking this chain. There are some discussions for new efforts that would enable a great deal of new kinds of automation that might have us take a second look at this thought.