diff --git a/.nojekyll b/.nojekyll new file mode 100644 index 00000000..e69de29b diff --git a/404.html b/404.html new file mode 100644 index 00000000..8fde7e8c --- /dev/null +++ b/404.html @@ -0,0 +1,1326 @@ + + + + + + + + + + + + + + + + + + GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ +

404 - Not found

+ +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/advanced/cyclone/index.html b/advanced/cyclone/index.html new file mode 100644 index 00000000..295ab003 --- /dev/null +++ b/advanced/cyclone/index.html @@ -0,0 +1,1363 @@ + + + + + + + + + + + + + + + + + + + + + + Cyclone - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

GHOSTS CYCLONE Overview

+
+Unreleased +

Coming soon

+
+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/advanced/enchanter/index.html b/advanced/enchanter/index.html new file mode 100644 index 00000000..4363c542 --- /dev/null +++ b/advanced/enchanter/index.html @@ -0,0 +1,1363 @@ + + + + + + + + + + + + + + + + + + + + + + Enchanter (Keysender) - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

GHOSTS ENCHANTER Overview

+
+Unreleased +

Coming soon

+
+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/advanced/index.html b/advanced/index.html new file mode 100644 index 00000000..3389c930 --- /dev/null +++ b/advanced/index.html @@ -0,0 +1,1350 @@ + + + + + + + + + + + + + + + + + + + + + + GHOSTS Advanced Features Overview - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

GHOSTS Advanced Features Overview

+

The SEI is a research institute, and so we often are thinking about how to use GHOSTS in new ways to drive insight for our customers. Some of this work makes it here, with the caveat that it might be early beta editions or require some amount of engineer hand-holding in its current state. Some call it pre-release, we call it advanced features.

+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/advanced/necromancer/index.html b/advanced/necromancer/index.html new file mode 100644 index 00000000..7fc15b8f --- /dev/null +++ b/advanced/necromancer/index.html @@ -0,0 +1,1361 @@ + + + + + + + + + + + + + + + + + + + + Necromancer - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

GHOSTS NECROMANCER Overview

+
+Unreleased +

Coming soon

+
+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/animator/index.html b/animator/index.html new file mode 100644 index 00000000..9e30ab5c --- /dev/null +++ b/animator/index.html @@ -0,0 +1,1414 @@ + + + + + + + + + + + + + + + + + + + + + + GHOSTS ANIMATOR Overview - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

GHOSTS ANIMATOR Overview

+
+GHOSTS ANIMATOR Source Code +

The GHOSTS ANIMATOR Source Code Repository is hosted on GitHub

+
+

Animator brings NPCs to life in two ways:

+
    +
  1. +

    Initial Creation

    +

    Animator creates the initial NPC profile, including details such as name, address, career, finances, and family members. Based on configuration, it can place users in a multi-level organizational structure, and establish relationships between users.

    +
    2. +
  2. +

    Animation Jobs

    +

    Via jobs that can be run during training and exercise events, Animator can update the NPC's preferences, beliefs, and relationships. This enables dynamic NPCs that change over time.

    +
    3. +
+

At its core, Animator is a realistic user detail generator. Its primary function is to create sufficiently realistic identities and accompanying verbose portfolios of personal information. Each generated user, or NPC (Non-Player Character) as we call them, has numerous categories of details associated with them, and a great deal of metadata that define who they are. Each piece of information is generated using sourced datasets in an attempt to distribute characteristics realistically. We like to say it creates, "NPCs so real, they sell for a premium on the dark web."1

+

Quick Start

+
git clone <https://github.com/cmu-sei/GHOSTS-ANIMATOR>
+cd ghosts-animator/src
+docker build . -t ghosts/animator
+docker compose up -d
+
+

or if you don't want to build and just run the latest docker-compose file:

+
mkdir ghosts-animator
+cd ghosts-animator
+curl https://github.com/cmu-sei/GHOSTS-ANIMATOR/blob/master/src/docker-compose.yml -o docker-compose.yml
+docker compose up -d
+
+

Now browse to http://localhost:5000/

+

Using Animator to Create NPCs

+

The data generated by Animator can be leveraged in multiple areas, but is particularly applicable in four key areas:

+
    +
  1. +

    Training Machine Learning Algorithms - Animator creates larges sets of hyper-realistic user data. It can be leveraged to generate data sets that can be used for training machine learning algorithms. This enables the rapid training of anthropology-related ML algorithms that can leverage one or more of the hundred-plus data points generated by Animator.2

    +
    2. +
  2. +

    Honeypot Payloads - NPC details generated by Animator are designed to be as realistic as possible given the available relevant open source information. This makes the user data convincingly real while still being completely fabricated. Therefore, the data is ideal for use in applications like honeypots, where the goal is to trick an attacker into thinking they are compromising an asset with real user data. This data is also perfect for any other application that would benefit from extremely realistic user information.

    +
    3. +
  3. +

    Insider Threat Modeling - Each Animator NPC is given an Insider Threat Profile. This profile determines how likely it is that the NPC is an insider threat by incorporating the CDSE's Insider Threat Potential Indicators. As we continue developing Animator, it will be possible to configure NPCs to be more or less likely to be insider threats based on factors like their finances, criminal history, foreign contacts, and mental health.

    +
    4. +
  4. +

    Social Network and Relationship Modeling - Animator can establish relationships between the NPCs it generates. As we increase the fidelity of inter-NPC relationships, Animator NPCs create larger and more realistic social networks. By leveraging Animator's ability to quickly generate thousands of inter-related NPCs, Animator can easily be used to perform social networking modeling and research.

    +
    5. +
+

How Creating NPCs Works

+
    +
  • Once Animator receives a request to create NPCs, it starts by creating an empty NPC Profile.
    • +
  • Animator then iterates through all 100+ data points for the NPC and generates synthetic data to be associated with that NPC.
    • +
  • Example data points are name, address, mental health, career, finances, and family members.
    • +
  • Data points are either generated at random or are generated using weighted randomization. Weighted randomization involves leveraging verified datasets to influence the distribution of randomly generated data points to match much more closely to reality.
    • +
  • Animator will complete this process for as many users as were selected by the request. This information can be exported through the API, or stored in a local database
    • +
+

Animator currently supports storing NPC data in a local Mongo Database. This feature is still being actively improved.

+
+
+
    +
  1. +

    The GHOSTS development team highly recommends Nick Bilton's book American Kingpin for insight into the early days of the dark web. 

    +
    2. +
  2. +

    A key developer from the Animator team went on to a position in the SEI's AI division. AI models need data. You connect the dots. 

    +
    3. +
+
+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/animator/jobs/index.html b/animator/jobs/index.html new file mode 100644 index 00000000..e5610b97 --- /dev/null +++ b/animator/jobs/index.html @@ -0,0 +1,1457 @@ + + + + + + + + + + + + + + + + + + + + + + Animation Jobs - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Animation Jobs

+

So, now we have Animator-generated NPCs, and they have profile information and preferences.

+

Animator has a job system that might enables us to push our simulation further:

+
    +
  • What motivates an agent?
    • +
  • What does an agent know and how did they learn that? How does their knowledge grow over time?
    • +
  • What relationships does an agent have off-network? How might this influence what they do on the computer?
    • +
  • What does an agent believe? How did they come to that belief?
    • +
+

Jobs operate on a "per cycle" or "step" basis. For each cycle, the job processes a list of agents, and the actions or determinations programmed for each.

+

Decision-Making Framework

+

We can use any combination of the following to drive agent decision-making:

+

Motivation

+

We implement the Reiss Motivational Profile (RMP) - which is a mathematical framework for reasoning about agent comparative motivations - agent A is twice as motivated by X than agent B - that is baselined every few years.

+

Relationships

+

Agents build relationships with other agents in the cohort. These get better or worse over time.

+

How this works is that each agent has the potential to interact with n other agents (they can also potentially transfer knowledge as a result). The more an agent knows about a particular subject, maybe the more likely they are to transfer information to another agent.

+

Knowledge

+

Agents build knowledge across an array of subjects that may alter their preferences. Within Animator, there are two main ways to learn:

+
    +
  • Independently through study or by utilizing resources such as books or videos
    • +
  • Through relationships with others at the coffee counter, through mentorship, or group-based learning (a classroom or team for example). Here NPCs learn via interactions with other agents, and the system tracks what was learned and from whom.
    • +
+

Belief

+

What an agent believes can directly influence their behavior. Beliefs shape understanding of the world and guide decision-making and problem-solving. Agents come to belief utilizing Bayes Theorem, which is a mathematical framework for reasoning about probability of evidence.

+
+

So what does this all mean? Here is an example where an agent shares bits of information on social media:

+

Some tweets contain no insight about the agent. Some disclose some bit of information:

+
    +
  • Agent knows X fact
    • +
  • Agent interacted with Y agent
    • +
  • Agent decided to disclose some personal detail Z
    • +
+

Other agents — and adversaries — can see and infer from this information!

+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/animator/run/index.html b/animator/run/index.html new file mode 100644 index 00000000..6c0b0bb8 --- /dev/null +++ b/animator/run/index.html @@ -0,0 +1,1433 @@ + + + + + + + + + + + + + + + + + + + + + + Running Animations - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + Skip to content + + +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Running Animator Animations

+

Animator is a simulation of a population of agents. Animator runs in cycles, and for each cycle, the agents make decisions based on their attributes, preferences, motivations, and behaviors.

+

Setup

+
    +
  • Get the Animator API up and running as outlined here
    • +
  • Edit the appsettings.json file to enable Animations:
    • +
+
"ApplicationSettings": {
+    "GhostsApiUrl": "http://localhost:52388/",        // this should be root url of your ghosts API server
+    "Animations": {
+      "IsEnabled": false,                             // set this to true to enable animation jobs
+      "SocialGraph": {
+        "IsEnabled": false,                           // set this to true to enable the entire module (inc. web gui access)
+        "IsInteracting": false,                       // set this to true to actually run the interactions
+        "MaximumSteps": 4000,                         // animator stops when it reaches this many steps 
+        "TurnLength": 900,                            // by default, a step is a cpu cycle, the higher this number, the slower the simulation 
+        "ChanceOfKnowledgeTransfer": 0.3,
+        "Decay": {
+          "StepsTo": 10,
+          "ChanceOf": 0.05
+        }
+      },
+      "SocialSharing": {
+        "IsEnabled": false,                          // set this to true to enable the entire module (inc. web gui access)
+        "IsInteracting": false,                      // set this to true to actually run the interactions
+        "IsSendingTimelinesToGhostsApi": false,      // set this to true to actually send the timeline commands to the ghosts API
+        "IsChatGptEnabled": false,                   // this is still under development, here be dragons
+        "SocializerUrl": "http://socializer.com",    // change this to the root url of your in-game social server
+        "MaximumSteps": 14000,
+        "TurnLength": 9000                           // by default, a step is a cpu cycle, the higher this number, the slower the simulation 
+      },
+      "SocialBelief": {
+        "IsEnabled": false,                         // set this to true to enable the entire module (inc. web gui access)
+        "IsInteracting": false,                     // set this to true to actually run the interactions
+        "MaximumSteps": 14000,
+        "TurnLength": 9000
+      }
+    }
+  },
+  ...
+
+

After you update the appsettings.json file, you will need to restart the Animator API server via:

+
docker restart animator-api
+
+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/assets/images/favicon.png b/assets/images/favicon.png new file mode 100644 index 00000000..1cf13b9f Binary files /dev/null and b/assets/images/favicon.png differ diff --git a/assets/img/animator-logo.png b/assets/img/animator-logo.png new file mode 100644 index 00000000..e374d92d Binary files /dev/null and b/assets/img/animator-logo.png differ diff --git a/assets/img/crucible-icon-c-alpha.svg b/assets/img/crucible-icon-c-alpha.svg new file mode 100644 index 00000000..4b48a28c --- /dev/null +++ b/assets/img/crucible-icon-c-alpha.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/assets/img/ghosts.png b/assets/img/ghosts.png new file mode 100644 index 00000000..a2546349 Binary files /dev/null and b/assets/img/ghosts.png differ diff --git a/assets/img/npc-types.png b/assets/img/npc-types.png new file mode 100644 index 00000000..13c0ab46 Binary files /dev/null and b/assets/img/npc-types.png differ diff --git a/assets/javascripts/bundle.220ee61c.min.js b/assets/javascripts/bundle.220ee61c.min.js new file mode 100644 index 00000000..116072a1 --- /dev/null +++ b/assets/javascripts/bundle.220ee61c.min.js @@ -0,0 +1,29 @@ +"use strict";(()=>{var Ci=Object.create;var gr=Object.defineProperty;var Ri=Object.getOwnPropertyDescriptor;var ki=Object.getOwnPropertyNames,Ht=Object.getOwnPropertySymbols,Hi=Object.getPrototypeOf,yr=Object.prototype.hasOwnProperty,nn=Object.prototype.propertyIsEnumerable;var rn=(e,t,r)=>t in e?gr(e,t,{enumerable:!0,configurable:!0,writable:!0,value:r}):e[t]=r,P=(e,t)=>{for(var r in t||(t={}))yr.call(t,r)&&rn(e,r,t[r]);if(Ht)for(var r of Ht(t))nn.call(t,r)&&rn(e,r,t[r]);return e};var on=(e,t)=>{var r={};for(var n in e)yr.call(e,n)&&t.indexOf(n)<0&&(r[n]=e[n]);if(e!=null&&Ht)for(var n of Ht(e))t.indexOf(n)<0&&nn.call(e,n)&&(r[n]=e[n]);return r};var Pt=(e,t)=>()=>(t||e((t={exports:{}}).exports,t),t.exports);var Pi=(e,t,r,n)=>{if(t&&typeof t=="object"||typeof t=="function")for(let o of ki(t))!yr.call(e,o)&&o!==r&&gr(e,o,{get:()=>t[o],enumerable:!(n=Ri(t,o))||n.enumerable});return e};var yt=(e,t,r)=>(r=e!=null?Ci(Hi(e)):{},Pi(t||!e||!e.__esModule?gr(r,"default",{value:e,enumerable:!0}):r,e));var sn=Pt((xr,an)=>{(function(e,t){typeof xr=="object"&&typeof an!="undefined"?t():typeof define=="function"&&define.amd?define(t):t()})(xr,function(){"use strict";function e(r){var n=!0,o=!1,i=null,s={text:!0,search:!0,url:!0,tel:!0,email:!0,password:!0,number:!0,date:!0,month:!0,week:!0,time:!0,datetime:!0,"datetime-local":!0};function a(O){return!!(O&&O!==document&&O.nodeName!=="HTML"&&O.nodeName!=="BODY"&&"classList"in O&&"contains"in O.classList)}function f(O){var Qe=O.type,De=O.tagName;return!!(De==="INPUT"&&s[Qe]&&!O.readOnly||De==="TEXTAREA"&&!O.readOnly||O.isContentEditable)}function c(O){O.classList.contains("focus-visible")||(O.classList.add("focus-visible"),O.setAttribute("data-focus-visible-added",""))}function u(O){O.hasAttribute("data-focus-visible-added")&&(O.classList.remove("focus-visible"),O.removeAttribute("data-focus-visible-added"))}function p(O){O.metaKey||O.altKey||O.ctrlKey||(a(r.activeElement)&&c(r.activeElement),n=!0)}function m(O){n=!1}function d(O){a(O.target)&&(n||f(O.target))&&c(O.target)}function h(O){a(O.target)&&(O.target.classList.contains("focus-visible")||O.target.hasAttribute("data-focus-visible-added"))&&(o=!0,window.clearTimeout(i),i=window.setTimeout(function(){o=!1},100),u(O.target))}function v(O){document.visibilityState==="hidden"&&(o&&(n=!0),Y())}function Y(){document.addEventListener("mousemove",N),document.addEventListener("mousedown",N),document.addEventListener("mouseup",N),document.addEventListener("pointermove",N),document.addEventListener("pointerdown",N),document.addEventListener("pointerup",N),document.addEventListener("touchmove",N),document.addEventListener("touchstart",N),document.addEventListener("touchend",N)}function B(){document.removeEventListener("mousemove",N),document.removeEventListener("mousedown",N),document.removeEventListener("mouseup",N),document.removeEventListener("pointermove",N),document.removeEventListener("pointerdown",N),document.removeEventListener("pointerup",N),document.removeEventListener("touchmove",N),document.removeEventListener("touchstart",N),document.removeEventListener("touchend",N)}function N(O){O.target.nodeName&&O.target.nodeName.toLowerCase()==="html"||(n=!1,B())}document.addEventListener("keydown",p,!0),document.addEventListener("mousedown",m,!0),document.addEventListener("pointerdown",m,!0),document.addEventListener("touchstart",m,!0),document.addEventListener("visibilitychange",v,!0),Y(),r.addEventListener("focus",d,!0),r.addEventListener("blur",h,!0),r.nodeType===Node.DOCUMENT_FRAGMENT_NODE&&r.host?r.host.setAttribute("data-js-focus-visible",""):r.nodeType===Node.DOCUMENT_NODE&&(document.documentElement.classList.add("js-focus-visible"),document.documentElement.setAttribute("data-js-focus-visible",""))}if(typeof window!="undefined"&&typeof document!="undefined"){window.applyFocusVisiblePolyfill=e;var t;try{t=new CustomEvent("focus-visible-polyfill-ready")}catch(r){t=document.createEvent("CustomEvent"),t.initCustomEvent("focus-visible-polyfill-ready",!1,!1,{})}window.dispatchEvent(t)}typeof document!="undefined"&&e(document)})});var cn=Pt(Er=>{(function(e){var t=function(){try{return!!Symbol.iterator}catch(c){return!1}},r=t(),n=function(c){var u={next:function(){var p=c.shift();return{done:p===void 0,value:p}}};return r&&(u[Symbol.iterator]=function(){return u}),u},o=function(c){return encodeURIComponent(c).replace(/%20/g,"+")},i=function(c){return decodeURIComponent(String(c).replace(/\+/g," "))},s=function(){var c=function(p){Object.defineProperty(this,"_entries",{writable:!0,value:{}});var m=typeof p;if(m!=="undefined")if(m==="string")p!==""&&this._fromString(p);else if(p instanceof c){var d=this;p.forEach(function(B,N){d.append(N,B)})}else if(p!==null&&m==="object")if(Object.prototype.toString.call(p)==="[object Array]")for(var h=0;hd[0]?1:0}),c._entries&&(c._entries={});for(var p=0;p1?i(d[1]):"")}})})(typeof global!="undefined"?global:typeof window!="undefined"?window:typeof self!="undefined"?self:Er);(function(e){var t=function(){try{var o=new e.URL("b","http://a");return o.pathname="c d",o.href==="http://a/c%20d"&&o.searchParams}catch(i){return!1}},r=function(){var o=e.URL,i=function(f,c){typeof f!="string"&&(f=String(f)),c&&typeof c!="string"&&(c=String(c));var u=document,p;if(c&&(e.location===void 0||c!==e.location.href)){c=c.toLowerCase(),u=document.implementation.createHTMLDocument(""),p=u.createElement("base"),p.href=c,u.head.appendChild(p);try{if(p.href.indexOf(c)!==0)throw new Error(p.href)}catch(O){throw new Error("URL unable to set base "+c+" due to "+O)}}var m=u.createElement("a");m.href=f,p&&(u.body.appendChild(m),m.href=m.href);var d=u.createElement("input");if(d.type="url",d.value=f,m.protocol===":"||!/:/.test(m.href)||!d.checkValidity()&&!c)throw new TypeError("Invalid URL");Object.defineProperty(this,"_anchorElement",{value:m});var h=new e.URLSearchParams(this.search),v=!0,Y=!0,B=this;["append","delete","set"].forEach(function(O){var Qe=h[O];h[O]=function(){Qe.apply(h,arguments),v&&(Y=!1,B.search=h.toString(),Y=!0)}}),Object.defineProperty(this,"searchParams",{value:h,enumerable:!0});var N=void 0;Object.defineProperty(this,"_updateSearchParams",{enumerable:!1,configurable:!1,writable:!1,value:function(){this.search!==N&&(N=this.search,Y&&(v=!1,this.searchParams._fromString(this.search),v=!0))}})},s=i.prototype,a=function(f){Object.defineProperty(s,f,{get:function(){return this._anchorElement[f]},set:function(c){this._anchorElement[f]=c},enumerable:!0})};["hash","host","hostname","port","protocol"].forEach(function(f){a(f)}),Object.defineProperty(s,"search",{get:function(){return this._anchorElement.search},set:function(f){this._anchorElement.search=f,this._updateSearchParams()},enumerable:!0}),Object.defineProperties(s,{toString:{get:function(){var f=this;return function(){return f.href}}},href:{get:function(){return this._anchorElement.href.replace(/\?$/,"")},set:function(f){this._anchorElement.href=f,this._updateSearchParams()},enumerable:!0},pathname:{get:function(){return this._anchorElement.pathname.replace(/(^\/?)/,"/")},set:function(f){this._anchorElement.pathname=f},enumerable:!0},origin:{get:function(){var f={"http:":80,"https:":443,"ftp:":21}[this._anchorElement.protocol],c=this._anchorElement.port!=f&&this._anchorElement.port!=="";return this._anchorElement.protocol+"//"+this._anchorElement.hostname+(c?":"+this._anchorElement.port:"")},enumerable:!0},password:{get:function(){return""},set:function(f){},enumerable:!0},username:{get:function(){return""},set:function(f){},enumerable:!0}}),i.createObjectURL=function(f){return o.createObjectURL.apply(o,arguments)},i.revokeObjectURL=function(f){return o.revokeObjectURL.apply(o,arguments)},e.URL=i};if(t()||r(),e.location!==void 0&&!("origin"in e.location)){var n=function(){return e.location.protocol+"//"+e.location.hostname+(e.location.port?":"+e.location.port:"")};try{Object.defineProperty(e.location,"origin",{get:n,enumerable:!0})}catch(o){setInterval(function(){e.location.origin=n()},100)}}})(typeof global!="undefined"?global:typeof window!="undefined"?window:typeof self!="undefined"?self:Er)});var qr=Pt((Mt,Nr)=>{/*! + * clipboard.js v2.0.11 + * https://clipboardjs.com/ + * + * Licensed MIT © Zeno Rocha + */(function(t,r){typeof Mt=="object"&&typeof Nr=="object"?Nr.exports=r():typeof define=="function"&&define.amd?define([],r):typeof Mt=="object"?Mt.ClipboardJS=r():t.ClipboardJS=r()})(Mt,function(){return function(){var e={686:function(n,o,i){"use strict";i.d(o,{default:function(){return Ai}});var s=i(279),a=i.n(s),f=i(370),c=i.n(f),u=i(817),p=i.n(u);function m(j){try{return document.execCommand(j)}catch(T){return!1}}var d=function(T){var E=p()(T);return m("cut"),E},h=d;function v(j){var T=document.documentElement.getAttribute("dir")==="rtl",E=document.createElement("textarea");E.style.fontSize="12pt",E.style.border="0",E.style.padding="0",E.style.margin="0",E.style.position="absolute",E.style[T?"right":"left"]="-9999px";var H=window.pageYOffset||document.documentElement.scrollTop;return E.style.top="".concat(H,"px"),E.setAttribute("readonly",""),E.value=j,E}var Y=function(T,E){var H=v(T);E.container.appendChild(H);var I=p()(H);return m("copy"),H.remove(),I},B=function(T){var E=arguments.length>1&&arguments[1]!==void 0?arguments[1]:{container:document.body},H="";return typeof T=="string"?H=Y(T,E):T instanceof HTMLInputElement&&!["text","search","url","tel","password"].includes(T==null?void 0:T.type)?H=Y(T.value,E):(H=p()(T),m("copy")),H},N=B;function O(j){"@babel/helpers - typeof";return typeof Symbol=="function"&&typeof Symbol.iterator=="symbol"?O=function(E){return typeof E}:O=function(E){return E&&typeof Symbol=="function"&&E.constructor===Symbol&&E!==Symbol.prototype?"symbol":typeof E},O(j)}var Qe=function(){var T=arguments.length>0&&arguments[0]!==void 0?arguments[0]:{},E=T.action,H=E===void 0?"copy":E,I=T.container,q=T.target,Me=T.text;if(H!=="copy"&&H!=="cut")throw new Error('Invalid "action" value, use either "copy" or "cut"');if(q!==void 0)if(q&&O(q)==="object"&&q.nodeType===1){if(H==="copy"&&q.hasAttribute("disabled"))throw new Error('Invalid "target" attribute. Please use "readonly" instead of "disabled" attribute');if(H==="cut"&&(q.hasAttribute("readonly")||q.hasAttribute("disabled")))throw new Error(`Invalid "target" attribute. You can't cut text from elements with "readonly" or "disabled" attributes`)}else throw new Error('Invalid "target" value, use a valid Element');if(Me)return N(Me,{container:I});if(q)return H==="cut"?h(q):N(q,{container:I})},De=Qe;function $e(j){"@babel/helpers - typeof";return typeof Symbol=="function"&&typeof Symbol.iterator=="symbol"?$e=function(E){return typeof E}:$e=function(E){return E&&typeof Symbol=="function"&&E.constructor===Symbol&&E!==Symbol.prototype?"symbol":typeof E},$e(j)}function Ei(j,T){if(!(j instanceof T))throw new TypeError("Cannot call a class as a function")}function tn(j,T){for(var E=0;E0&&arguments[0]!==void 0?arguments[0]:{};this.action=typeof I.action=="function"?I.action:this.defaultAction,this.target=typeof I.target=="function"?I.target:this.defaultTarget,this.text=typeof I.text=="function"?I.text:this.defaultText,this.container=$e(I.container)==="object"?I.container:document.body}},{key:"listenClick",value:function(I){var q=this;this.listener=c()(I,"click",function(Me){return q.onClick(Me)})}},{key:"onClick",value:function(I){var q=I.delegateTarget||I.currentTarget,Me=this.action(q)||"copy",kt=De({action:Me,container:this.container,target:this.target(q),text:this.text(q)});this.emit(kt?"success":"error",{action:Me,text:kt,trigger:q,clearSelection:function(){q&&q.focus(),window.getSelection().removeAllRanges()}})}},{key:"defaultAction",value:function(I){return vr("action",I)}},{key:"defaultTarget",value:function(I){var q=vr("target",I);if(q)return document.querySelector(q)}},{key:"defaultText",value:function(I){return vr("text",I)}},{key:"destroy",value:function(){this.listener.destroy()}}],[{key:"copy",value:function(I){var q=arguments.length>1&&arguments[1]!==void 0?arguments[1]:{container:document.body};return N(I,q)}},{key:"cut",value:function(I){return h(I)}},{key:"isSupported",value:function(){var I=arguments.length>0&&arguments[0]!==void 0?arguments[0]:["copy","cut"],q=typeof I=="string"?[I]:I,Me=!!document.queryCommandSupported;return q.forEach(function(kt){Me=Me&&!!document.queryCommandSupported(kt)}),Me}}]),E}(a()),Ai=Li},828:function(n){var o=9;if(typeof Element!="undefined"&&!Element.prototype.matches){var i=Element.prototype;i.matches=i.matchesSelector||i.mozMatchesSelector||i.msMatchesSelector||i.oMatchesSelector||i.webkitMatchesSelector}function s(a,f){for(;a&&a.nodeType!==o;){if(typeof a.matches=="function"&&a.matches(f))return a;a=a.parentNode}}n.exports=s},438:function(n,o,i){var s=i(828);function a(u,p,m,d,h){var v=c.apply(this,arguments);return u.addEventListener(m,v,h),{destroy:function(){u.removeEventListener(m,v,h)}}}function f(u,p,m,d,h){return typeof u.addEventListener=="function"?a.apply(null,arguments):typeof m=="function"?a.bind(null,document).apply(null,arguments):(typeof u=="string"&&(u=document.querySelectorAll(u)),Array.prototype.map.call(u,function(v){return a(v,p,m,d,h)}))}function c(u,p,m,d){return function(h){h.delegateTarget=s(h.target,p),h.delegateTarget&&d.call(u,h)}}n.exports=f},879:function(n,o){o.node=function(i){return i!==void 0&&i instanceof HTMLElement&&i.nodeType===1},o.nodeList=function(i){var s=Object.prototype.toString.call(i);return i!==void 0&&(s==="[object NodeList]"||s==="[object HTMLCollection]")&&"length"in i&&(i.length===0||o.node(i[0]))},o.string=function(i){return typeof i=="string"||i instanceof String},o.fn=function(i){var s=Object.prototype.toString.call(i);return s==="[object Function]"}},370:function(n,o,i){var s=i(879),a=i(438);function f(m,d,h){if(!m&&!d&&!h)throw new Error("Missing required arguments");if(!s.string(d))throw new TypeError("Second argument must be a String");if(!s.fn(h))throw new TypeError("Third argument must be a Function");if(s.node(m))return c(m,d,h);if(s.nodeList(m))return u(m,d,h);if(s.string(m))return p(m,d,h);throw new TypeError("First argument must be a String, HTMLElement, HTMLCollection, or NodeList")}function c(m,d,h){return m.addEventListener(d,h),{destroy:function(){m.removeEventListener(d,h)}}}function u(m,d,h){return Array.prototype.forEach.call(m,function(v){v.addEventListener(d,h)}),{destroy:function(){Array.prototype.forEach.call(m,function(v){v.removeEventListener(d,h)})}}}function p(m,d,h){return a(document.body,m,d,h)}n.exports=f},817:function(n){function o(i){var s;if(i.nodeName==="SELECT")i.focus(),s=i.value;else if(i.nodeName==="INPUT"||i.nodeName==="TEXTAREA"){var a=i.hasAttribute("readonly");a||i.setAttribute("readonly",""),i.select(),i.setSelectionRange(0,i.value.length),a||i.removeAttribute("readonly"),s=i.value}else{i.hasAttribute("contenteditable")&&i.focus();var f=window.getSelection(),c=document.createRange();c.selectNodeContents(i),f.removeAllRanges(),f.addRange(c),s=f.toString()}return s}n.exports=o},279:function(n){function o(){}o.prototype={on:function(i,s,a){var f=this.e||(this.e={});return(f[i]||(f[i]=[])).push({fn:s,ctx:a}),this},once:function(i,s,a){var f=this;function c(){f.off(i,c),s.apply(a,arguments)}return c._=s,this.on(i,c,a)},emit:function(i){var s=[].slice.call(arguments,1),a=((this.e||(this.e={}))[i]||[]).slice(),f=0,c=a.length;for(f;f{"use strict";/*! + * escape-html + * Copyright(c) 2012-2013 TJ Holowaychuk + * Copyright(c) 2015 Andreas Lubbe + * Copyright(c) 2015 Tiancheng "Timothy" Gu + * MIT Licensed + */var rs=/["'&<>]/;Yo.exports=ns;function ns(e){var t=""+e,r=rs.exec(t);if(!r)return t;var n,o="",i=0,s=0;for(i=r.index;i0&&i[i.length-1])&&(c[0]===6||c[0]===2)){r=0;continue}if(c[0]===3&&(!i||c[1]>i[0]&&c[1]=e.length&&(e=void 0),{value:e&&e[n++],done:!e}}};throw new TypeError(t?"Object is not iterable.":"Symbol.iterator is not defined.")}function W(e,t){var r=typeof Symbol=="function"&&e[Symbol.iterator];if(!r)return e;var n=r.call(e),o,i=[],s;try{for(;(t===void 0||t-- >0)&&!(o=n.next()).done;)i.push(o.value)}catch(a){s={error:a}}finally{try{o&&!o.done&&(r=n.return)&&r.call(n)}finally{if(s)throw s.error}}return i}function D(e,t,r){if(r||arguments.length===2)for(var n=0,o=t.length,i;n1||a(m,d)})})}function a(m,d){try{f(n[m](d))}catch(h){p(i[0][3],h)}}function f(m){m.value instanceof et?Promise.resolve(m.value.v).then(c,u):p(i[0][2],m)}function c(m){a("next",m)}function u(m){a("throw",m)}function p(m,d){m(d),i.shift(),i.length&&a(i[0][0],i[0][1])}}function pn(e){if(!Symbol.asyncIterator)throw new TypeError("Symbol.asyncIterator is not defined.");var t=e[Symbol.asyncIterator],r;return t?t.call(e):(e=typeof Ee=="function"?Ee(e):e[Symbol.iterator](),r={},n("next"),n("throw"),n("return"),r[Symbol.asyncIterator]=function(){return this},r);function n(i){r[i]=e[i]&&function(s){return new Promise(function(a,f){s=e[i](s),o(a,f,s.done,s.value)})}}function o(i,s,a,f){Promise.resolve(f).then(function(c){i({value:c,done:a})},s)}}function C(e){return typeof e=="function"}function at(e){var t=function(n){Error.call(n),n.stack=new Error().stack},r=e(t);return r.prototype=Object.create(Error.prototype),r.prototype.constructor=r,r}var It=at(function(e){return function(r){e(this),this.message=r?r.length+` errors occurred during unsubscription: +`+r.map(function(n,o){return o+1+") "+n.toString()}).join(` + `):"",this.name="UnsubscriptionError",this.errors=r}});function Ve(e,t){if(e){var r=e.indexOf(t);0<=r&&e.splice(r,1)}}var Ie=function(){function e(t){this.initialTeardown=t,this.closed=!1,this._parentage=null,this._finalizers=null}return e.prototype.unsubscribe=function(){var t,r,n,o,i;if(!this.closed){this.closed=!0;var s=this._parentage;if(s)if(this._parentage=null,Array.isArray(s))try{for(var a=Ee(s),f=a.next();!f.done;f=a.next()){var c=f.value;c.remove(this)}}catch(v){t={error:v}}finally{try{f&&!f.done&&(r=a.return)&&r.call(a)}finally{if(t)throw t.error}}else s.remove(this);var u=this.initialTeardown;if(C(u))try{u()}catch(v){i=v instanceof It?v.errors:[v]}var p=this._finalizers;if(p){this._finalizers=null;try{for(var m=Ee(p),d=m.next();!d.done;d=m.next()){var h=d.value;try{ln(h)}catch(v){i=i!=null?i:[],v instanceof It?i=D(D([],W(i)),W(v.errors)):i.push(v)}}}catch(v){n={error:v}}finally{try{d&&!d.done&&(o=m.return)&&o.call(m)}finally{if(n)throw n.error}}}if(i)throw new It(i)}},e.prototype.add=function(t){var r;if(t&&t!==this)if(this.closed)ln(t);else{if(t instanceof e){if(t.closed||t._hasParent(this))return;t._addParent(this)}(this._finalizers=(r=this._finalizers)!==null&&r!==void 0?r:[]).push(t)}},e.prototype._hasParent=function(t){var r=this._parentage;return r===t||Array.isArray(r)&&r.includes(t)},e.prototype._addParent=function(t){var r=this._parentage;this._parentage=Array.isArray(r)?(r.push(t),r):r?[r,t]:t},e.prototype._removeParent=function(t){var r=this._parentage;r===t?this._parentage=null:Array.isArray(r)&&Ve(r,t)},e.prototype.remove=function(t){var r=this._finalizers;r&&Ve(r,t),t instanceof e&&t._removeParent(this)},e.EMPTY=function(){var t=new e;return t.closed=!0,t}(),e}();var Sr=Ie.EMPTY;function jt(e){return e instanceof Ie||e&&"closed"in e&&C(e.remove)&&C(e.add)&&C(e.unsubscribe)}function ln(e){C(e)?e():e.unsubscribe()}var Le={onUnhandledError:null,onStoppedNotification:null,Promise:void 0,useDeprecatedSynchronousErrorHandling:!1,useDeprecatedNextContext:!1};var st={setTimeout:function(e,t){for(var r=[],n=2;n0},enumerable:!1,configurable:!0}),t.prototype._trySubscribe=function(r){return this._throwIfClosed(),e.prototype._trySubscribe.call(this,r)},t.prototype._subscribe=function(r){return this._throwIfClosed(),this._checkFinalizedStatuses(r),this._innerSubscribe(r)},t.prototype._innerSubscribe=function(r){var n=this,o=this,i=o.hasError,s=o.isStopped,a=o.observers;return i||s?Sr:(this.currentObservers=null,a.push(r),new Ie(function(){n.currentObservers=null,Ve(a,r)}))},t.prototype._checkFinalizedStatuses=function(r){var n=this,o=n.hasError,i=n.thrownError,s=n.isStopped;o?r.error(i):s&&r.complete()},t.prototype.asObservable=function(){var r=new F;return r.source=this,r},t.create=function(r,n){return new xn(r,n)},t}(F);var xn=function(e){ie(t,e);function t(r,n){var o=e.call(this)||this;return o.destination=r,o.source=n,o}return t.prototype.next=function(r){var n,o;(o=(n=this.destination)===null||n===void 0?void 0:n.next)===null||o===void 0||o.call(n,r)},t.prototype.error=function(r){var n,o;(o=(n=this.destination)===null||n===void 0?void 0:n.error)===null||o===void 0||o.call(n,r)},t.prototype.complete=function(){var r,n;(n=(r=this.destination)===null||r===void 0?void 0:r.complete)===null||n===void 0||n.call(r)},t.prototype._subscribe=function(r){var n,o;return(o=(n=this.source)===null||n===void 0?void 0:n.subscribe(r))!==null&&o!==void 0?o:Sr},t}(x);var Et={now:function(){return(Et.delegate||Date).now()},delegate:void 0};var wt=function(e){ie(t,e);function t(r,n,o){r===void 0&&(r=1/0),n===void 0&&(n=1/0),o===void 0&&(o=Et);var i=e.call(this)||this;return i._bufferSize=r,i._windowTime=n,i._timestampProvider=o,i._buffer=[],i._infiniteTimeWindow=!0,i._infiniteTimeWindow=n===1/0,i._bufferSize=Math.max(1,r),i._windowTime=Math.max(1,n),i}return t.prototype.next=function(r){var n=this,o=n.isStopped,i=n._buffer,s=n._infiniteTimeWindow,a=n._timestampProvider,f=n._windowTime;o||(i.push(r),!s&&i.push(a.now()+f)),this._trimBuffer(),e.prototype.next.call(this,r)},t.prototype._subscribe=function(r){this._throwIfClosed(),this._trimBuffer();for(var n=this._innerSubscribe(r),o=this,i=o._infiniteTimeWindow,s=o._buffer,a=s.slice(),f=0;f0?e.prototype.requestAsyncId.call(this,r,n,o):(r.actions.push(this),r._scheduled||(r._scheduled=ut.requestAnimationFrame(function(){return r.flush(void 0)})))},t.prototype.recycleAsyncId=function(r,n,o){var i;if(o===void 0&&(o=0),o!=null?o>0:this.delay>0)return e.prototype.recycleAsyncId.call(this,r,n,o);var s=r.actions;n!=null&&((i=s[s.length-1])===null||i===void 0?void 0:i.id)!==n&&(ut.cancelAnimationFrame(n),r._scheduled=void 0)},t}(Wt);var Sn=function(e){ie(t,e);function t(){return e!==null&&e.apply(this,arguments)||this}return t.prototype.flush=function(r){this._active=!0;var n=this._scheduled;this._scheduled=void 0;var o=this.actions,i;r=r||o.shift();do if(i=r.execute(r.state,r.delay))break;while((r=o[0])&&r.id===n&&o.shift());if(this._active=!1,i){for(;(r=o[0])&&r.id===n&&o.shift();)r.unsubscribe();throw i}},t}(Dt);var Oe=new Sn(wn);var M=new F(function(e){return e.complete()});function Vt(e){return e&&C(e.schedule)}function Cr(e){return e[e.length-1]}function Ye(e){return C(Cr(e))?e.pop():void 0}function Te(e){return Vt(Cr(e))?e.pop():void 0}function zt(e,t){return typeof Cr(e)=="number"?e.pop():t}var pt=function(e){return e&&typeof e.length=="number"&&typeof e!="function"};function Nt(e){return C(e==null?void 0:e.then)}function qt(e){return C(e[ft])}function Kt(e){return Symbol.asyncIterator&&C(e==null?void 0:e[Symbol.asyncIterator])}function Qt(e){return new TypeError("You provided "+(e!==null&&typeof e=="object"?"an invalid object":"'"+e+"'")+" where a stream was expected. You can provide an Observable, Promise, ReadableStream, Array, AsyncIterable, or Iterable.")}function zi(){return typeof Symbol!="function"||!Symbol.iterator?"@@iterator":Symbol.iterator}var Yt=zi();function Gt(e){return C(e==null?void 0:e[Yt])}function Bt(e){return un(this,arguments,function(){var r,n,o,i;return $t(this,function(s){switch(s.label){case 0:r=e.getReader(),s.label=1;case 1:s.trys.push([1,,9,10]),s.label=2;case 2:return[4,et(r.read())];case 3:return n=s.sent(),o=n.value,i=n.done,i?[4,et(void 0)]:[3,5];case 4:return[2,s.sent()];case 5:return[4,et(o)];case 6:return[4,s.sent()];case 7:return s.sent(),[3,2];case 8:return[3,10];case 9:return r.releaseLock(),[7];case 10:return[2]}})})}function Jt(e){return C(e==null?void 0:e.getReader)}function U(e){if(e instanceof F)return e;if(e!=null){if(qt(e))return Ni(e);if(pt(e))return qi(e);if(Nt(e))return Ki(e);if(Kt(e))return On(e);if(Gt(e))return Qi(e);if(Jt(e))return Yi(e)}throw Qt(e)}function Ni(e){return new F(function(t){var r=e[ft]();if(C(r.subscribe))return r.subscribe(t);throw new TypeError("Provided object does not correctly implement Symbol.observable")})}function qi(e){return new F(function(t){for(var r=0;r=2;return function(n){return n.pipe(e?A(function(o,i){return e(o,i,n)}):de,ge(1),r?He(t):Dn(function(){return new Zt}))}}function Vn(){for(var e=[],t=0;t=2,!0))}function pe(e){e===void 0&&(e={});var t=e.connector,r=t===void 0?function(){return new x}:t,n=e.resetOnError,o=n===void 0?!0:n,i=e.resetOnComplete,s=i===void 0?!0:i,a=e.resetOnRefCountZero,f=a===void 0?!0:a;return function(c){var u,p,m,d=0,h=!1,v=!1,Y=function(){p==null||p.unsubscribe(),p=void 0},B=function(){Y(),u=m=void 0,h=v=!1},N=function(){var O=u;B(),O==null||O.unsubscribe()};return y(function(O,Qe){d++,!v&&!h&&Y();var De=m=m!=null?m:r();Qe.add(function(){d--,d===0&&!v&&!h&&(p=$r(N,f))}),De.subscribe(Qe),!u&&d>0&&(u=new rt({next:function($e){return De.next($e)},error:function($e){v=!0,Y(),p=$r(B,o,$e),De.error($e)},complete:function(){h=!0,Y(),p=$r(B,s),De.complete()}}),U(O).subscribe(u))})(c)}}function $r(e,t){for(var r=[],n=2;ne.next(document)),e}function K(e,t=document){return Array.from(t.querySelectorAll(e))}function z(e,t=document){let r=ce(e,t);if(typeof r=="undefined")throw new ReferenceError(`Missing element: expected "${e}" to be present`);return r}function ce(e,t=document){return t.querySelector(e)||void 0}function _e(){return document.activeElement instanceof HTMLElement&&document.activeElement||void 0}function tr(e){return L(b(document.body,"focusin"),b(document.body,"focusout")).pipe(ke(1),l(()=>{let t=_e();return typeof t!="undefined"?e.contains(t):!1}),V(e===_e()),J())}function Xe(e){return{x:e.offsetLeft,y:e.offsetTop}}function Kn(e){return L(b(window,"load"),b(window,"resize")).pipe(Ce(0,Oe),l(()=>Xe(e)),V(Xe(e)))}function rr(e){return{x:e.scrollLeft,y:e.scrollTop}}function dt(e){return L(b(e,"scroll"),b(window,"resize")).pipe(Ce(0,Oe),l(()=>rr(e)),V(rr(e)))}var Yn=function(){if(typeof Map!="undefined")return Map;function e(t,r){var n=-1;return t.some(function(o,i){return o[0]===r?(n=i,!0):!1}),n}return function(){function t(){this.__entries__=[]}return Object.defineProperty(t.prototype,"size",{get:function(){return this.__entries__.length},enumerable:!0,configurable:!0}),t.prototype.get=function(r){var n=e(this.__entries__,r),o=this.__entries__[n];return o&&o[1]},t.prototype.set=function(r,n){var o=e(this.__entries__,r);~o?this.__entries__[o][1]=n:this.__entries__.push([r,n])},t.prototype.delete=function(r){var n=this.__entries__,o=e(n,r);~o&&n.splice(o,1)},t.prototype.has=function(r){return!!~e(this.__entries__,r)},t.prototype.clear=function(){this.__entries__.splice(0)},t.prototype.forEach=function(r,n){n===void 0&&(n=null);for(var o=0,i=this.__entries__;o0},e.prototype.connect_=function(){!Wr||this.connected_||(document.addEventListener("transitionend",this.onTransitionEnd_),window.addEventListener("resize",this.refresh),va?(this.mutationsObserver_=new MutationObserver(this.refresh),this.mutationsObserver_.observe(document,{attributes:!0,childList:!0,characterData:!0,subtree:!0})):(document.addEventListener("DOMSubtreeModified",this.refresh),this.mutationEventsAdded_=!0),this.connected_=!0)},e.prototype.disconnect_=function(){!Wr||!this.connected_||(document.removeEventListener("transitionend",this.onTransitionEnd_),window.removeEventListener("resize",this.refresh),this.mutationsObserver_&&this.mutationsObserver_.disconnect(),this.mutationEventsAdded_&&document.removeEventListener("DOMSubtreeModified",this.refresh),this.mutationsObserver_=null,this.mutationEventsAdded_=!1,this.connected_=!1)},e.prototype.onTransitionEnd_=function(t){var r=t.propertyName,n=r===void 0?"":r,o=ba.some(function(i){return!!~n.indexOf(i)});o&&this.refresh()},e.getInstance=function(){return this.instance_||(this.instance_=new e),this.instance_},e.instance_=null,e}(),Gn=function(e,t){for(var r=0,n=Object.keys(t);r0},e}(),Jn=typeof WeakMap!="undefined"?new WeakMap:new Yn,Xn=function(){function e(t){if(!(this instanceof e))throw new TypeError("Cannot call a class as a function.");if(!arguments.length)throw new TypeError("1 argument required, but only 0 present.");var r=ga.getInstance(),n=new La(t,r,this);Jn.set(this,n)}return e}();["observe","unobserve","disconnect"].forEach(function(e){Xn.prototype[e]=function(){var t;return(t=Jn.get(this))[e].apply(t,arguments)}});var Aa=function(){return typeof nr.ResizeObserver!="undefined"?nr.ResizeObserver:Xn}(),Zn=Aa;var eo=new x,Ca=$(()=>k(new Zn(e=>{for(let t of e)eo.next(t)}))).pipe(g(e=>L(ze,k(e)).pipe(R(()=>e.disconnect()))),X(1));function he(e){return{width:e.offsetWidth,height:e.offsetHeight}}function ye(e){return Ca.pipe(S(t=>t.observe(e)),g(t=>eo.pipe(A(({target:r})=>r===e),R(()=>t.unobserve(e)),l(()=>he(e)))),V(he(e)))}function bt(e){return{width:e.scrollWidth,height:e.scrollHeight}}function ar(e){let t=e.parentElement;for(;t&&(e.scrollWidth<=t.scrollWidth&&e.scrollHeight<=t.scrollHeight);)t=(e=t).parentElement;return t?e:void 0}var to=new x,Ra=$(()=>k(new IntersectionObserver(e=>{for(let t of e)to.next(t)},{threshold:0}))).pipe(g(e=>L(ze,k(e)).pipe(R(()=>e.disconnect()))),X(1));function sr(e){return Ra.pipe(S(t=>t.observe(e)),g(t=>to.pipe(A(({target:r})=>r===e),R(()=>t.unobserve(e)),l(({isIntersecting:r})=>r))))}function ro(e,t=16){return dt(e).pipe(l(({y:r})=>{let n=he(e),o=bt(e);return r>=o.height-n.height-t}),J())}var cr={drawer:z("[data-md-toggle=drawer]"),search:z("[data-md-toggle=search]")};function no(e){return cr[e].checked}function Ke(e,t){cr[e].checked!==t&&cr[e].click()}function Ue(e){let t=cr[e];return b(t,"change").pipe(l(()=>t.checked),V(t.checked))}function ka(e,t){switch(e.constructor){case HTMLInputElement:return e.type==="radio"?/^Arrow/.test(t):!0;case HTMLSelectElement:case HTMLTextAreaElement:return!0;default:return e.isContentEditable}}function Ha(){return L(b(window,"compositionstart").pipe(l(()=>!0)),b(window,"compositionend").pipe(l(()=>!1))).pipe(V(!1))}function oo(){let e=b(window,"keydown").pipe(A(t=>!(t.metaKey||t.ctrlKey)),l(t=>({mode:no("search")?"search":"global",type:t.key,claim(){t.preventDefault(),t.stopPropagation()}})),A(({mode:t,type:r})=>{if(t==="global"){let n=_e();if(typeof n!="undefined")return!ka(n,r)}return!0}),pe());return Ha().pipe(g(t=>t?M:e))}function le(){return new URL(location.href)}function ot(e){location.href=e.href}function io(){return new x}function ao(e,t){if(typeof t=="string"||typeof t=="number")e.innerHTML+=t.toString();else if(t instanceof Node)e.appendChild(t);else if(Array.isArray(t))for(let r of t)ao(e,r)}function _(e,t,...r){let n=document.createElement(e);if(t)for(let o of Object.keys(t))typeof t[o]!="undefined"&&(typeof t[o]!="boolean"?n.setAttribute(o,t[o]):n.setAttribute(o,""));for(let o of r)ao(n,o);return n}function fr(e){if(e>999){let t=+((e-950)%1e3>99);return`${((e+1e-6)/1e3).toFixed(t)}k`}else return e.toString()}function so(){return location.hash.substring(1)}function Dr(e){let t=_("a",{href:e});t.addEventListener("click",r=>r.stopPropagation()),t.click()}function Pa(e){return L(b(window,"hashchange"),e).pipe(l(so),V(so()),A(t=>t.length>0),X(1))}function co(e){return Pa(e).pipe(l(t=>ce(`[id="${t}"]`)),A(t=>typeof t!="undefined"))}function Vr(e){let t=matchMedia(e);return er(r=>t.addListener(()=>r(t.matches))).pipe(V(t.matches))}function fo(){let e=matchMedia("print");return L(b(window,"beforeprint").pipe(l(()=>!0)),b(window,"afterprint").pipe(l(()=>!1))).pipe(V(e.matches))}function zr(e,t){return e.pipe(g(r=>r?t():M))}function ur(e,t={credentials:"same-origin"}){return ue(fetch(`${e}`,t)).pipe(fe(()=>M),g(r=>r.status!==200?Ot(()=>new Error(r.statusText)):k(r)))}function We(e,t){return ur(e,t).pipe(g(r=>r.json()),X(1))}function uo(e,t){let r=new DOMParser;return ur(e,t).pipe(g(n=>n.text()),l(n=>r.parseFromString(n,"text/xml")),X(1))}function pr(e){let t=_("script",{src:e});return $(()=>(document.head.appendChild(t),L(b(t,"load"),b(t,"error").pipe(g(()=>Ot(()=>new ReferenceError(`Invalid script: ${e}`))))).pipe(l(()=>{}),R(()=>document.head.removeChild(t)),ge(1))))}function po(){return{x:Math.max(0,scrollX),y:Math.max(0,scrollY)}}function lo(){return L(b(window,"scroll",{passive:!0}),b(window,"resize",{passive:!0})).pipe(l(po),V(po()))}function mo(){return{width:innerWidth,height:innerHeight}}function ho(){return b(window,"resize",{passive:!0}).pipe(l(mo),V(mo()))}function bo(){return G([lo(),ho()]).pipe(l(([e,t])=>({offset:e,size:t})),X(1))}function lr(e,{viewport$:t,header$:r}){let n=t.pipe(ee("size")),o=G([n,r]).pipe(l(()=>Xe(e)));return G([r,t,o]).pipe(l(([{height:i},{offset:s,size:a},{x:f,y:c}])=>({offset:{x:s.x-f,y:s.y-c+i},size:a})))}(()=>{function e(n,o){parent.postMessage(n,o||"*")}function t(...n){return n.reduce((o,i)=>o.then(()=>new Promise(s=>{let a=document.createElement("script");a.src=i,a.onload=s,document.body.appendChild(a)})),Promise.resolve())}var r=class extends EventTarget{constructor(n){super(),this.url=n,this.m=i=>{i.source===this.w&&(this.dispatchEvent(new MessageEvent("message",{data:i.data})),this.onmessage&&this.onmessage(i))},this.e=(i,s,a,f,c)=>{if(s===`${this.url}`){let u=new ErrorEvent("error",{message:i,filename:s,lineno:a,colno:f,error:c});this.dispatchEvent(u),this.onerror&&this.onerror(u)}};let o=document.createElement("iframe");o.hidden=!0,document.body.appendChild(this.iframe=o),this.w.document.open(),this.w.document.write(` + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

GHOSTS Content Servers Overview

+

GHOSTS content servers are an evolving part of the framework. They exist for several reasons:

+
    +
  1. On an air-gapped network, where we are simulating some subset of the internet, we want more types of browsable content within that range — documents, spreadsheets, presentations, pdf files, streamed movies, and the like.
    2. +
  2. We want a broad range of URLs within a site we are representing in the range.
    3. +
  3. We want to simulate a document store, such as SharePoint, OneCloud, or similar, but without the hassle of installing and maintaining those actual systems.
    4. +
+
+

Research by Global WebIndex claims that globally, 59% of the world's population uses social media, and that the average daily use is 2 hours and 29 minutes (July 2022).

+
+

Air-gaps

+

Many ranges are air-gapped, which means they have no access to the wider internet. In these cases, recreating a reasonable facsimile of the internet is key to the training experience. While there are many systems that do this well, we often want to augment the scenario with a wider array of URL traffic, or we want to introduce more of certain kinds of content going across the wire. PANDORA was created to address these concerns. Shortly later, we added a social server as well.

+

Having to know valid URLs

+

The other problem is that the internet works by the client having to “know” the location of some resource via:

+
    +
  • Actually knowing the URL
    • +
  • Being referred from another page - I might know google.com and search for something, which gives me a reference to another page I was not aware of previously.
    • +
  • Inferring the URL from some like resource - If one is poking around and looking for something on a server, a slight change of URL often gives hints that get you to where you wanted to go.
    • +
  • Guessing - the proliferation of .com domains means that for something new, it's often fruitful to just try that thing.com and see if it works!
    • +
+

The problem here is that currently, clients must know valid URLs that actually exist out in a simulated greyspace (via TopGen, GreyBox, or otherwise), which limits the array of potential requests and creates range work to maintain. So we created GHOSTS PANDORA, which serves whatever clients ask for - if the request is for a doc file, the server creates a random doc file on the fly — in memory — and serves it back to the client. Pandora serves the following content types:

+
    +
  • html
    • +
  • css
    • +
  • js
    • +
  • doc|x
    • +
  • ppt|x
    • +
  • xls|x
    • +
  • mp4
    • +
  • pdf
    • +
  • gif
    • +
  • jpg
    • +
  • png
    • +
  • zip
    • +
  • msi
    • +
  • iso
    • +
  • other binary formats, etc.
    • +
+

Pandora has generic request handlers for each HTTP verb (GET, POST, etc.) and is deployed as a simple docker container. We configure it to handle a particular IP on a multiple-IP-enabled host machine. It works off any URL, but part of the solution involved introducing more randomness in the GHOSTS clients as well. Those clients now support a creative parameter-built URL system that can be configured to look something like this:

+
sharepoint.hello.com/{org}/{report_type}/{uuid}/{file_name}.{file_type}
+
+

These variables are processed at runtime, and produce a final url that might look something like:

+
sharepoint.hello.com/operations/maintenance/80e6af4e-5107-43b5-832f-0d8027efbd76/report.docx
+
+

In addition, Pandora supports “bad” payloads via configuration. Here the server responds to specific configured URLs to deploy planted injects. So clients can download malware in an exercise in a manner that is hard to differentiate based on URLs already seen within the event. The configuration looks like:

+
[payloads]
+1=/bad/payload/url/,some_bad.zip,application/zip
+
+

Where id=url,payload file, MIME response type.

+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/content/pandora/index.html b/content/pandora/index.html new file mode 100644 index 00000000..d8098513 --- /dev/null +++ b/content/pandora/index.html @@ -0,0 +1,1532 @@ + + + + + + + + + + + + + + + + + + + + + + Pandora - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

GHOSTS PANDORA SERVER Overview

+
+Pandora is part of GHOSTS +

Pandora is within the GHOSTS Source Code Repository hosted on GitHub.

+
+

GHOSTS PANDORA is a web server that responds to a myriad of request types with randomized content generated in real-time. Used in conjunction with GHOSTS NPCs, the two can provide for agents that are periodically downloading content other than simple HTML and associated image, CSS, and js files.

+

Pandora

+

Running this server

+

As a Docker Container

+

Docker is the preferred way to run Pandora - mostly because this is how we run and test it before version releases.

+
    +
  1. Review the repository docker-compose.yml file
    2. +
  2. Run the following in your terminal
    3. +
+
mkdir ghosts-pandora
+cd ghosts-pandora
+curl https://raw.githubusercontent.com/cmu-sei/GHOSTS/master/src/ghosts.pandora/docker-compose.yml -o docker-compose.yml
+docker-compose up -d
+
+

Bare metal

+

This assumes the host server is a common Linux distribution. For images to render correctly, PIL or the more recent Pillow library is necessary. See here for more information on Pillow installation and configuration.

+
    +
  1. Using a Python 3 distribution >= 3.6.2
    2. +
  2. In the terminal run: pip install -r requirements.txt
    3. +
  3. Then run python app.py
    4. +
+

Capabilities

+

Handling requests by directory

+
    +
  • /api - All requests beginning with /api automatically respond with json. This includes:
      +
    • /api/users
      • +
    • /api/user/a320f971-b3d9-4b79-bb8d-b41d02572942
      • +
    • /api/reports/personnel
      • +
    +
    • +
  • /csv - All requests beginning with /csv automatically respond with csv. Like the above, this includes urls such as:
      +
    • /csv/users
      • +
    • /csv/user/winx.jalton
      • +
    • /csv/reports/HR/payroll
      • +
    +
    • +
  • /i, /img, /images - All requests beginning with these directories automatically respond with a random image of type [gif, jpg, png]. Examples:
      +
    • /i/v1/a9f6e2b7-636c-4821-acf4-90220f091351/f8f8b1f0-9aa5-4fc7-8880-379e3192748e/small
      • +
    • /images/products/184f3515-f49b-4e07-8c8b-7f978666df0e/view
      • +
    • /img/432.png
      • +
    +
    • +
  • /pdf - All requests respond with a random pdf document. Examples:
      +
    • /pdf/operations/SOP_Vault/a7f48bd5-84cb-43a1-8d3d-cd2c732ddff6
      • +
    • /pdf/products
      • +
    +
    • +
  • /docs - All requests respond with a random word document
    • +
  • /slides - All requests respond with a random powerpoint document
    • +
  • /sheets - All requests respond with a random excel document
    • +
+

Handling requests by type

+

For requests indicating a specific file type, there are several specific handlers built to respond with that particular kind of file, such as:

+
    +
  • .csv
    • +
  • Image requests [.gif, .ico, .jpg, .jpeg, .png]
    • +
  • .json
    • +
  • Office document requests
    • +
  • .doc, .docx
    • +
  • .ppt, .pptx
    • +
  • .xls, .xlsx
    • +
  • .pdf
    • +
+

So that a URL such as /users/58361185-c9f2-460f-ac45-cb845ba88574/profile.pdf would return a pdf document typically rendered right in the browser.

+

All unhandled request types, urls without a specific file indicator, or requests made outside specifically handled directories (from the preceding section) are returned as html, including:

+
    +
  • /docs/by_department/operations/users
    • +
  • /blog/d/2022/12/4/blog_title-text
    • +
  • /hello/index.html
    • +
+

Hiding malicious payloads for red-teaming

+

Pandora also can hide payloads in a particular request for things like red-teaming and such. This is done in the configuration file, and looks like this:

+
[payloads]
+1=/1/,a.zip,application/zip
+2=/2/users,b.zip,application/zip
+3=/3/some/report/url,c.zip,application/zip
+
+

Each record must be an incrementing integer with no duplication. The values are:

+
    +
  • The URL that this payload responds to
    • +
  • The local file (stored in ./payloads/) to be returned
    • +
  • The MIME type of the response
    • +
+

So for 1 in the example above, requests to /1/ return the a.zip file as an application/zip file.

+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/content/social/index.html b/content/social/index.html new file mode 100644 index 00000000..1935f39c --- /dev/null +++ b/content/social/index.html @@ -0,0 +1,1387 @@ + + + + + + + + + + + + + + + + + + + + + + Pandora Social - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

GHOSTS PANDORA SOCIAL Overview

+
+PANDORA SOCIAL is still very early beta +

Here be dragons

+
+

The place where GHOSTS agents come to share their thoughts and information.

+

In the spirit of the original PANDORA, this server also responds to a very broad array of URLs but enables clients to POST/PUT/DELETE to it as well, for example:

+ + + + + + + + + + + + + + + + + + + + + +
RequestResponse
POST /images responds with a url to the saved image file
POST / responds with a randomly-generated streamed video
POST /users/michelle_smith/af2d00aa-4a89-4af3-baff-1746b556e7a1/ responds with a reply to the original user's social post
+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/api/index.html b/core/api/index.html new file mode 100644 index 00000000..c13876f8 --- /dev/null +++ b/core/api/index.html @@ -0,0 +1,1500 @@ + + + + + + + + + + + + + + + + + + + + + + GHOSTS Core API Overview - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

GHOSTS Core API Overview

+
+GHOSTS Source Code +

The GHOSTS Source Code Repository is hosted on GitHub.

+
+

The GHOSTS API enables the control and orchestration of non-player characters (NPCs) within a deployment. It supports logging, reporting, and managing individual, groups of, or entire deployments of client installs.

+

Installation

+
    +
  1. Install 🐳 Docker
    2. +
  2. Install Docker Compose
    3. +
  3. Run the following commands - we'll use this docker-compose.yml file
    4. +
+
mkdir ghosts
+cd ghosts
+curl https://raw.githubusercontent.com/cmu-sei/GHOSTS/master/src/Ghosts.Api/docker-compose.yml -o docker-compose.yml
+docker-compose up -d
+
+

The required containers will be downloaded and configured automatically.

+

Once the last command completes, if you open http://localhost:5000/api/home in your browser, you should see the initial API page outlining the version of the install, and a few test machine entries. If this page renders, your API is up, running, and available.

+

You will still need to set up Grafana. Beware that you must often chown the host location of the container as listed in the docker-compose file or the container will just continually restart in error due to insufficient permissions.

+

Configuring the API

+

The API generally has good defaults to get you up and running quickly, but there are some considerations in the appconfig.json file:

+
    "ClientSettings": {
+        "OfflineAfterMinutes": 30, ...
+        "MatchMachinesBy": null,
+
+

Can be fqdn|host|resolvedhost|null - null tells the API to match incoming requests with machine records by the machine name. For installations where multiple domains are reporting into the same API, you probably want to use FQDN in order to avoid machines being duplicated.

+
"QueueSyncDelayInSeconds": 10,
+"NotificationsQueueSyncDelayInSeconds": 10,
+
+

This is how often the synch job runs. Incoming machine requests are not real-time in order to best bundle like records together.

+

Configuring Grafana

+
    +
  • Grafana will be running (if containerized) on port 3000, and we can access it via the same URL we use for the API.
    • +
  • The default login is admin/admin.
    • +
  • The first step is to set up a datasource named "ghosts" to the ghosts Postgres database.
    • +
  • Now import your choice of the grafana json files in this repository. It creates the default GHOSTS dashboard.
    • +
+

Webhooks

+

The GHOSTS API provides webhook callbacks based on the configuration on the endpoint: /api/webhooks. The payload for creating a webhook is in the format:

+
{
+  "status": 0,
+  "description": "some description",
+  "postbackUrl": "http://localhost/endpoint:port",
+  "postbackMethod": 0, (0 == get, 1 == post)
+  "postbackFormat": "see below"
+}
+
+

Payloads can be any format — here is a sample:

+
{
+ 'machine':'[machinename]',
+ 'created':'[datetime.utcnow]',
+ 'type':'[messagetype]',
+ 'payload':'[messagepayload]'
+}
+
+

On send, the payload will be converted into the correct JSON format:

+
{
+ "machine":"some_guid",
+ "created":"some_datetime",
+ "type":"some_message",
+ "payload":"some_payload"
+}
+
+

If the postback method is POST, the payload will be sent as the message body. If the postback method is GET, the payload will be sent as part of the querystring value ?message=payload.

+

The following events are reported via webhooks:

+
    +
  1. Timeline delivered (with the timeline that was delivered as payload) to a machine via API (original API posting of timeline only holds timeline in wait - the client still must check-in in order for that timeline to be delivered)
    2. +
  2. Machine requested updates ("checked in") from API
    3. +
  3. Machine posted results to API
    4. +
+

Troubleshooting

+
+

Is the API up and running?

+
+
    +
  • Go to /api/home in the browser, it should return the current API version and the number of machines and groups under management. If it says relationship not found, restart the API application and it should create the database automatically.
    • +
  • Run docker ps --all and see that all containers are running normally. If one or more is not running, look at the logs for that machine via docker logs [machine name].
    • +
+
+

The ClientId, ClientResults, and other Client* endpoints are failing.

+
+

The Client* endpoints are for the Clients to use only. There are specific header values set by the client in the request that is used to authenticate the request. If you are not using the client, you will not have these headers set, and these endpoints will fail.

+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/api/timelines/index.html b/core/api/timelines/index.html new file mode 100644 index 00000000..755d68ca --- /dev/null +++ b/core/api/timelines/index.html @@ -0,0 +1,1479 @@ + + + + + + + + + + + + + + + + + + + + + + Managing Timelines - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Managing Timelines

+

One of the primary capabilities of the API is to manage multiple client timelines. Timelines are the mechanism for clients to perform actions on behalf of a user. For example, a client might execute a timeline to browse a website, create a document, or other Handler activities.

+

Clients are configured to check in periodically with the API to report their current state and to check if any updates are available. We can have the API hold an update for the next time a client, group of clients, or all clients check in. That update will then be processed by the client and the client will report back to the API that the update has been processed. This allows the API to manage the state of the client and to ensure that the client is always up to date. So the process is:

+
    +
  1. We configure an update for a client or group of clients in the API.
    2. +
  2. Clients check in and are told that an update is available.
    3. +
  3. The client processes the update and reports back to the API that the update has been processed.
    4. +
+

Configuring a Timeline for a Client

+

Client timelines are updated via POST to /api/timelines in the following format:

+
{
+  "machineId": "3fa85f64-5717-4562-b3fc-2c963f66afaf",
+  "type": 0,
+  "activeUtc": "2023-03-08T16:38:04.002Z",
+  "status": 0,
+  "update": {
+    "status": 0,
+    "timeLineHandlers": [
+      {
+        "handlerType": 0,
+        "initial": "string",
+        "utcTimeOn": {
+          "ticks": 0
+        },
+        "utcTimeOff": {
+          "ticks": 0
+        },
+        "handlerArgs": {
+          "additionalProp1": "string",
+          "additionalProp2": "string",
+          "additionalProp3": "string"
+        },
+        "loop": true,
+        "timeLineEvents": [
+          {
+            "trackableId": "string",
+            "command": "string",
+            "commandArgs": [
+              "string"
+            ],
+            "delayAfter": 0,
+            "delayBefore": 0
+          }
+        ]
+      }
+    ]
+  }
+}
+
+

The key values to consider here are: The machine ID that you want to update, the other key value is the type of timeline. The type is an integer value that represents the type of update. The following are the types of updates that are currently supported:

+
    +
  • Timeline = 0 // this
    • +
  • Health = 1
    • +
  • TimelinePartial = 10 // this the agent is currently doing off its default timeline
    • +
  • RequestForTimeline = 20
    • +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
IDTypeDescription
0TimelineReplaces the client's default timeline stored within ./config/timeline.json
1HealthThis updates a client's health instructions
10TimelinePartialDoes not replace the default timeline, rather this timeline is executed immediately on separate threads from whatever
20RequestForTimelineUse this to instruct the client to send its current default timeline up to the API
+

The remainder of the settings are for the timeline - basically what we are doing here is sending a client a new timeline, with the above values to indicate, which machine and what to change in the update node.

+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/client/index.html b/core/client/index.html new file mode 100644 index 00000000..d5181a9b --- /dev/null +++ b/core/client/index.html @@ -0,0 +1,1733 @@ + + + + + + + + + + + + + + + + + + + + + + GHOSTS Core Client Overview - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

GHOSTS Core Client Overview

+
+GHOSTS Source Code +

The GHOSTS Source Code Repository is hosted on GitHub.

+
+

The GHOSTS client simulates what anyone might do at a computer given their particular role or membership within some team. It creates documents, browses websites, downloads files, and uses all sorts of popular applications on many versions of Windows and Linux machines. Whether you're a friendly administrator or a powerful cyber adversary, GHOSTS can replicate your expected behavior.

+

Types of NPCs

+

GHOSTS has many use cases in cyber training and exercises, most notably for bringing non-player characters (NPCs) to life, but it can also be used for other purposes where realistic activity on a computer or network is needed - testing or generating datasets, for example.

+
+Do I need the API? +

Although clients are fully functional without the API server, the latter enables logging, reports, and remote administration capabilities. Without the API, changes to clients must be managed in some other manner.

+
+

The client's configuration and command system are file-based, so if you do not wish to use the API, you can manage these through some other tool, such as Ansible or similar. All of these files are under the client's install location.

+
+Run as the NPC you're representing +

The GHOSTS client should typically be run as a user, and not as administrator or root - training or exercising teams will notice this immediately.

+
+

The Windows Client

+

GHOSTS on Windows (Win10 and Win7 currently supported) is a .NET Console application that performs user activity on client workstations - web browsing, working with office documents, using the command prompt or PowerShell, etc. Our team typically installs the client in an out-of-game directory (c:\exercise\ghosts\), where no event or injects will originate. It is recommended you verify one working client before deploying to multiple machines. You will need the base URL from the API installation for the client to communicate home.

+

Windows Installation

+ +

Unzip to your client machine in a directory such as c:\exercise\ghosts. You will need to adjust the configuration in config/application.json for your client to talk to your an installed instance of the GHOSTS API server.

+
+Additional configuration required for web browsing +

For any client utilizing the Firefox or Chrome web browser, an automation driver is necessary to be included in the same folder as the GHOSTS binary. For Firefox, download the appropriate 🦎  Geckodriver for your version of the browser here . For Chrome, download the appropriate Chromedriver for your version of the browser here .

+
+
+Additional configuration required for email +

Using the Windows client email functions requires the use of Redemption which provides robust Outlook automation. The full Redemption library should be found in /lib.

+
+

Linux Client

+

Your client Linux machine will need to have the latest Microsoft dotnetcore runtime installed (Note that for the GHOSTS client, there are versions for dotnetcoreapp3.1 - this will eventually go away — and dotnet6.0, which is long term support (LTS) and will stick around for a while). Again, note that you only need the runtime installed, not the full SDK.

+

Linux Installation

+ +

Unzip to a folder such as ~/ghosts for the user that you want GHOSTS to run as.

+

Note that on Linux machines running the client as root and utilizing web browsing may result in failures due to Gecko/Chromedriver display issues.

+

Client Directory Structure

+
+Do not copy the instance folder +

You should never copy the instance folder from one machine to another.

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
FolderDescription
config/configuration files are stored here.
instance/generated files and information relative to this particular installed instance of ghosts is stored here. This folder should never be copied from one machine to another
lib/third-party libraries used by ghosts are stored here
logs/output logs for the installed instance (logs/app.log), and logs that are transferred to the server (logs/clientupdates.log)
+

Configuration Quick Start

+

After unzipping the GHOSTS client, we can simply double-click it to run. Note that the console window likely printed a few messages, but then disappeared. This is normal, in production mode GHOSTS hides itself. We can see it in the Windows Task Manager, however, and we can kill the process from there. We can also run the included kill-ghosts.bat file that closes the application and any applications it might control.

+

Beyond this initial step of verifying that the client will run, there are two files that we might need to adjust to fit many deployments:

+

application.json

+

In this file, often all we need to change are the URLs for the API, IdUrl, ClientResultsUrl, ClientUpdatesUrl, and the like. Change the hostname to your installed API location, and GHOSTS should check in as expected.

+
{
+    "IdEnabled": true,                                                      //enabled in order to command and control from api (C2) server
+    "IdUrl": "http://yourapiurl.com/api/clientid",                          //url for API endpoint to get clientid
+    "ClientResultsEnabled": true,                                           //enabled to report results to C2
+    "ClientResultsUrl": "http://yourapiurl.com/api/clientresults",          //url for API endpoint to report results
+    "ClientResultsCycleSleep": 90,                                          //report results every x ms
+    "ClientUpdatesEnabled": true,                                           //enabled to get updates from C2
+    "ClientUpdatesUrl": "http://yourapiurl.com/api/clientupdates",          //url for API endpoint to get updates
+    "ClientUpdatesCycleSleep": 90,                                          //check for updates every x ms
+    "Survey": {                                                             //survey is a local report of processes running, etc.
+        "IsEnabled": true,                                                  //on/off
+        "Frequency": "once",                                                //how often to survey
+        "MaxAgeInHours": 168,                                               //how long to wait until new survey
+        "OutputFormat": "indent"                                            //compact/fancy(indent)
+    },
+    "HealthIsEnabled": true,                                                //enable local health checks
+    "HandlersIsEnabled": true,                                              //enable local timeline activity
+    "ChromeExtensions": "",                                                 //comma separated local extensions (used for injects in the past)
+    "FirefoxInstallLocation": "",                                           //geckodriver needs this for non-standard installs (is pesky)
+    "FirefoxMajorVersionMinimum": 48,                                       //geckodriver is picky about versions
+    "OfficeDocsMaxAgeInHours": 6,                                           //cleanup kills docs in the documents folder older than this setting
+}
+
+

timeline.json

+

The other file we may want to adjust is the default timeline. This is what the agent does all day, including browsing the internet, creating documents, and similar. The defaults hopefully give you a good idea of what is possible, and of course, the array of configurations here is endless - be creative!

+

The primary item is the HandlerType. This tells GHOSTS to run a command (Command), use Firefox to browse an array of websites (BrowserFirefox), create Excel documents (Excel) and so on. Some of the other items related to a handler's configuration are:

+
    +
  • Initial: The initial command for a handler to execute. For a web browser, you might enter either a URL or "about:blank".
    • +
  • UtcTimeOn | UtcTimeOff: "00:00:00": "24:00:00" to not shut off. Otherwise, enter an on and an off time to simulate things such as office hours of 9-5, etc. There are 30 minutes of jitter plus or minus from the time entered.
    • +
  • Loop: Set this to true to continue to execute this same command on a loop, or false to execute something just one time.
    • +
+
{
+   "HandlerType": "Command",
+   "Initial": "",
+   "UtcTimeOn": "00:00:00",
+   "UtcTimeOff": "24:00:00",
+   "Loop": "True",
+   "TimeLineEvents": [
+      {
+         "Command": "NETSTAT",    
+         "CommandArgs": [],
+         "DelayAfter": 900000,
+         "DelayBefore": 0
+      }
+   ]
+}
+
+

To access a network share file, the command might be: net use X:\SERVER\Share

+

To RDP to another machine: mstsc.exe {ConnectionFile | /v:ServerName[:Port]} [/console] [/f] [/w:Width/h:Height]

+

/v - specifies the remote computer and port (optional) you wish to connect to +/console – connects to the console of a Windows Server 2003 based system +/f – starts the remote desktop connection in full screen mode +/w & /h – specifies the width and height of the remote desktop connection

+

Actions can also be created for standard copy/move/deletion of files via their respective commands.

+

Chrome

+

We have to pass the browser window an initial value. If we don't want it to go anywhere at start, we could pass about:blank, otherwise we'd pass a url. These can be http or https.

+
{
+   "HandlerType": "BrowserChrome",
+   "Initial": "http://google.com",
+   "UtcTimeOn": "00:00:00",
+   "UtcTimeOff": "24:00:00",
+   "Loop": "True",
+   "TimeLineEvents": [
+      {
+         "Command": "random",
+         "CommandArgs": [
+            "http://google.com",
+            "http://facebook.com",
+         ],
+         "DelayAfter": 1000,
+         "DelayBefore": 0
+      }
+   ]
+}
+
+

Excel, PowerPoint, Word

+
{
+   "HandlerType": "Word",
+   "Initial": "",
+   "UtcTimeOn": "00:00:00",
+   "UtcTimeOff": "24:00:00",
+   "Loop": "True",
+   "TimeLineEvents": [
+      {
+         "Command": "create",
+         "CommandArgs": [ "%homedrive%%homepath%\\Documents" ],
+         "DelayAfter": 900000,
+         "DelayBefore": 0
+      }
+   ]
+}
+
+

Trackables

+

For specific Timeline Events where the outcome is needed to be tracked, like for example, a client machine spawned inject, use a Trackable (via TrackableId in the following example):

+
{
+    "TimeLineHandlers": [
+        {
+            "HandlerType": "BrowserChrome",
+            "Initial": "about:blank",
+            "UtcTimeOn": "00:00:00",
+            "UtcTimeOff": "24:00:00",
+            "Loop": false,
+            "TimeLineEvents": [
+                {
+                    "Command": "browse",
+                    "CommandArgs": [ "https://dl.dafont.com/dl/?f=italian_breakfast" ],
+                    "DelayAfter": 0,
+                    "DelayBefore": 0
+                },
+                {
+                    "Command": "download",
+                    "CommandArgs": [ "//a[contains(@class, 'dl')]" ],
+                    "TrackableId": "<guid id from trackables table/>",
+                    "DelayAfter": 0,
+                    "DelayBefore": 0
+                }
+            ]
+        },
+        {
+            "HandlerType": "Command",
+            "Initial": "",
+            "UtcTimeOn": "00:00:00",
+            "UtcTimeOff": "24:00:00",
+            "Loop": false,
+            "TimeLineEvents": [
+                {
+                    "Command": "cd %homedrive%%homepath%\\Downloads",
+                    "CommandArgs": [
+                        "powershell expand-archive -Path italian_breakfast.zip -destinationpath x",
+                        "cd x",
+                        "dir"
+                    ],
+                    "TrackableId": "<guid id from trackables table/>",
+                    "DelayAfter": 10,
+                    "DelayBefore": 10000
+                }
+            ]
+        }
+    ]
+}
+
+

Troubleshooting

+
+

Clients aren't running (immediately exiting, throwing copious exceptions, or similar)

+
+
    +
  • Is the dotnet framework runtime 4.x installed on the machine?
    • +
  • If GPO is doing white-listing of what apps can run, is ghosts.exe white-listed?
    • +
  • Will the client run by simply double-clicking on the exe?
    • +
  • Does it report anything to the windows application event logs?
    • +
  • What's in logs/app.log?
    • +
  • Is the ghosts executable set to execute automatically when the machine restarts?
    • +
+
+

Clients aren't reporting their activity to the API

+
+
    +
  • Is the client running correctly? (if not, see above)
    • +
  • Is there entries in the logs/clientupdates.log?
    • +
  • If there are, is the file too large? (Try removing it, ghosts might be hung trying to process a lot of log data)
    • +
  • If the folder instance created? Does the file instance/id.json exist? (If it does and has an ID within, then ghosts has reported home to the api at least once)
    • +
  • The file logs/app.log indicating any fatal issues? (Logging can be ratcheted up and down via nlog configuration)
    • +
+
+

Can I update what clients are doing?

+
+
    +
  • Clients operate off their config/timeline.json file and this can be updated via Powershell, Ansible, or other means - it's just a file.
    • +
  • Clients can also do just-in-time activities via the instance/timeline/in folder. Anything placed here will be picked up, executed, and moved to the corresponding out folder once complete. This does not affect any activity currently controlled with the default timeline file.
    • +
+
+

Can I reset a client on a box?

+
+
    +
  • Yes, launching a new instance of Ghosts kills the previous one and all associated tasks from the timeline (any instances of Word, PowerShell, etc.). Only one instance of Ghosts will be running on a client box at any time. We can also run the .bat script kill-ghosts.bat included in the distribution to clean everything up.
    • +
+
+

What is the easiest way to determine the running version of the client?

+
+
    +
  • run the version flag: ghosts.exe --version
    • +
+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/blog_helper/index.html b/core/handlers/blog_helper/index.html new file mode 100644 index 00000000..8fb41ce7 --- /dev/null +++ b/core/handlers/blog_helper/index.html @@ -0,0 +1,1358 @@ + + + + + + + + + + + + + + + + + + + + + + Blogs/Drupal - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Blogs/Drupal

+ + + + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/browser/index.html b/core/handlers/browser/index.html new file mode 100644 index 00000000..0b6638fd --- /dev/null +++ b/core/handlers/browser/index.html @@ -0,0 +1,1418 @@ + + + + + + + + + + + + + + + + + + + + + + Web Browsers (Firefox|Chrome) - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Web Browser (Firefox|Chrome) Configuration

+

A sample timeline for each browser is available in a code repository directory of the same name.

+

Timeline URL Variables

+

An example of a URL using variables is:

+
http://craigslist.org/{org}/{group}/{uuid}/{verb}/{type}/{n}?{c}={now}
+
+

All variables are in the format {variable}. There are several standard variables:

+
    +
  • {now} = short datetime (mm/dd/yyyy format)
    • +
  • {uuid} = uuid
    • +
  • {c} = a single character from a-z and A-Z
    • +
  • {n} = number between 1 and 1000
    • +
+

We can also configure additional variables by adding the following to a browser handler in a timeline:

+
"url-replace": [
+          {"verb": ["order", "enable", "engage"]},
+          {"group": ["operations", "logistics", "medical"]},
+          {"org": ["army", "command", "brigade", "battalion"]},
+          {"type": ["document", "doc", "files", "vault", "filevault"]}
+        ]
+
+

Therefore:

+
https://www.cmu.edu/{org}/{group}/{verb}/{type}/{uuid}/version_{n}?{c}={now}
+
+

might be rendered as:

+
https://www.cmu.edu/command/operations/order/doc/bcc396b5-47d0-4665-93c8-0a314cec13e1/version_55?d=6/21/2022
+
+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/clicks/index.html b/core/handlers/clicks/index.html new file mode 100644 index 00000000..21c67203 --- /dev/null +++ b/core/handlers/clicks/index.html @@ -0,0 +1,1356 @@ + + + + + + + + + + + + + + + + + + + + + + Clicks - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Clicks

+ + + + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/cmd/index.html b/core/handlers/cmd/index.html new file mode 100644 index 00000000..0dbcee7a --- /dev/null +++ b/core/handlers/cmd/index.html @@ -0,0 +1,1356 @@ + + + + + + + + + + + + + + + + + + + + + + Cmd - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Cmd

+ + + + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/excel/index.html b/core/handlers/excel/index.html new file mode 100644 index 00000000..5d8d3ec8 --- /dev/null +++ b/core/handlers/excel/index.html @@ -0,0 +1,1363 @@ + + + + + + + + + + + + + + + + + + + + + + Excel - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Excel Configuration

+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/index.html b/core/handlers/index.html new file mode 100644 index 00000000..e92f171e --- /dev/null +++ b/core/handlers/index.html @@ -0,0 +1,1406 @@ + + + + + + + + + + + + + + + + + + + + + + Basic Configuration - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Basic Handler Configuration

+

The following is the format for a basic timeline handler:

+
"TimeLineHandlers": [
+    {
+      "HandlerType": "Watcher",
+      "UtcTimeOn": "00:00:00",
+      "UtcTimeOff": "24:00:00",
+      "Loop": true,
+      "TimeLineEvents": [
+        {
+          "Command": "folder",
+          "CommandArgs": [ "path:%HOMEDRIVE%%HOMEPATH%\\Downloads", "size:2000", "deletionApproach:oldest" ],
+          "DelayAfter": 0,
+          "DelayBefore": 0
+        }
+      ]
+    }
+]
+
+

Some of the key-value pairs are self-explanatory, but let's review a few important ones:

+ + + + + + + + + + + + + + + + + + + + + + + + + +
KeyValue
HandlerTypeThe application or major function we want to control. This could be FireFox, the Cmd terminal, or Word.
UtcTimeOnThe time the handler will begin to run. To simulate an agent coming into the office at 0900, we set this to your time zone's UTC value.
UtcTimeOffThe time the handler will stop. To simulate an agent leaving the office at 1700, we set this to your time zone's UTC value.
Looptrue or false - a handler could be repeated or just run one-time.
+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/notepad/index.html b/core/handlers/notepad/index.html new file mode 100644 index 00000000..5f349b73 --- /dev/null +++ b/core/handlers/notepad/index.html @@ -0,0 +1,1356 @@ + + + + + + + + + + + + + + + + + + + + + + Notepad - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Notepad

+ + + + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/npc_system/index.html b/core/handlers/npc_system/index.html new file mode 100644 index 00000000..262c1f3f --- /dev/null +++ b/core/handlers/npc_system/index.html @@ -0,0 +1,1356 @@ + + + + + + + + + + + + + + + + + + + + + + NPCSystem - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

NPCSystem

+ + + + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/outlook/index.html b/core/handlers/outlook/index.html new file mode 100644 index 00000000..1779df62 --- /dev/null +++ b/core/handlers/outlook/index.html @@ -0,0 +1,1358 @@ + + + + + + + + + + + + + + + + + + + + + + Outlook - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Outlook

+ + + + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/pidgin/index.html b/core/handlers/pidgin/index.html new file mode 100644 index 00000000..6df7c13a --- /dev/null +++ b/core/handlers/pidgin/index.html @@ -0,0 +1,1356 @@ + + + + + + + + + + + + + + + + + + + + + + Pidgin - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Pidgin

+ + + + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/powerpoint/index.html b/core/handlers/powerpoint/index.html new file mode 100644 index 00000000..d5e70df0 --- /dev/null +++ b/core/handlers/powerpoint/index.html @@ -0,0 +1,1363 @@ + + + + + + + + + + + + + + + + + + + + + + PowerPoint - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

PowerPoint Configuration

+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/print/index.html b/core/handlers/print/index.html new file mode 100644 index 00000000..e6075276 --- /dev/null +++ b/core/handlers/print/index.html @@ -0,0 +1,1356 @@ + + + + + + + + + + + + + + + + + + + + + + Print - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Print

+ + + + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/rdp/index.html b/core/handlers/rdp/index.html new file mode 100644 index 00000000..579f2cfb --- /dev/null +++ b/core/handlers/rdp/index.html @@ -0,0 +1,1356 @@ + + + + + + + + + + + + + + + + + + + + + + RDP - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

RDP

+ + + + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/reboot/index.html b/core/handlers/reboot/index.html new file mode 100644 index 00000000..4e3e1edb --- /dev/null +++ b/core/handlers/reboot/index.html @@ -0,0 +1,1356 @@ + + + + + + + + + + + + + + + + + + + + + + Reboot - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Reboot

+ + + + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/sftp/index.html b/core/handlers/sftp/index.html new file mode 100644 index 00000000..b17aaaa1 --- /dev/null +++ b/core/handlers/sftp/index.html @@ -0,0 +1,1356 @@ + + + + + + + + + + + + + + + + + + + + + + Sftp - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Sftp

+ + + + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/sharepoint_helper/index.html b/core/handlers/sharepoint_helper/index.html new file mode 100644 index 00000000..7f81640d --- /dev/null +++ b/core/handlers/sharepoint_helper/index.html @@ -0,0 +1,1358 @@ + + + + + + + + + + + + + + + + + + + + + + Sharepoint - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Sharepoint

+ + + + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/ssh/index.html b/core/handlers/ssh/index.html new file mode 100644 index 00000000..31df3349 --- /dev/null +++ b/core/handlers/ssh/index.html @@ -0,0 +1,1356 @@ + + + + + + + + + + + + + + + + + + + + + + Ssh - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Ssh

+ + + + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/watcher/index.html b/core/handlers/watcher/index.html new file mode 100644 index 00000000..fcfaa382 --- /dev/null +++ b/core/handlers/watcher/index.html @@ -0,0 +1,1356 @@ + + + + + + + + + + + + + + + + + + + + + + Watcher - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Watcher

+ + + + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/wmi/index.html b/core/handlers/wmi/index.html new file mode 100644 index 00000000..52f93b56 --- /dev/null +++ b/core/handlers/wmi/index.html @@ -0,0 +1,1356 @@ + + + + + + + + + + + + + + + + + + + + + + Wmi - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Wmi

+ + + + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/core/handlers/word/index.html b/core/handlers/word/index.html new file mode 100644 index 00000000..3da8e623 --- /dev/null +++ b/core/handlers/word/index.html @@ -0,0 +1,1363 @@ + + + + + + + + + + + + + + + + + + + + + + Word - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Word Configuration

+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/index.html b/index.html new file mode 100644 index 00000000..4b54d2da --- /dev/null +++ b/index.html @@ -0,0 +1,1457 @@ + + + + + + + + + + + + + + + + + + + + GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

The GHOSTS NPC Framework

+

Developed by Carnegie Mellon University's Software Engineering Institute (SEI), The GHOSTS Framework is an open-source (OSS) software framework that enables creating, deploying, and orchestrating complex non-player character (NPC) activity within training, exercise, simulation, and educational environments. Within GHOSTS there are several systems and applications, all of which are modular and extendable to fit a wide array of use cases and needs.

+

If you've never seen GHOSTS in action, watch this quick three-minute introductory video on YouTube:

+ + +

Documentation

+

This is the GHOSTS documentation site for the framework and all of its components. Each major component's detail is accessible from the main navigation. If anything is unclear or you still have questions, please do not hesitate to start a discussion — our community is growing and eager to help!

+

Cyber Ranges and Crucible

+

GHOSTS is typically run on machines within a virtualized network, often referred to as "the range". This network can be as simple or as complex as required for training and exercise purposes.

+

CERT's Cyber Workforce Development (CWD) team has a great deal of experience in building cyber ranges for training and exercise, captured in our technical report Foundation of Cyber Ranges. The report details the design considerations and execution plan for building high-fidelity, realistic virtual cyber ranges that deliver maximum training and exercise value for cyberwarfare participants.

+
+Run GHOSTS on the Crucible Framework +

Crucible Logo +GHOSTS runs very well within the SEI's Crucible Framework (Source Code and Docs) - which we use extensively for training and exercise here at Carnegie Mellon University (CMU)'s Software Engineering Institute, and particularly, within CERT.

+

Building a sufficiently complex range for training and exercise purposes is often challenging. Crucible is a modular framework for creating, deploying, and managing virtual environments to support training, education, and exercises. Crucible is designed to be easy to use, extensible, and customizable to meet the needs of a wide variety of use cases.

+
+

Philosophy

+

GHOSTS evolved in our quest to create more realistic NPCs within cyberwarfare training and exercise. In 2018, we outlined our thoughts in a technical report entitled GHOSTS in the Machine: A Framework for Cyber-Warfare Exercise NPC Simulation.1 In that report, we outline how the GHOSTS framework accomplishes the creation of simulations in which NPCs realistically represent a vast array of possible encounters and outcomes. We have continued to follow our initial path since. The litmus has always been that if we looked over someone's shoulder while they were using a computer, that is what GHOSTS should look like.2

+

Since then the framework has expanded to include tools that serve content in simulated environments, create NPCs with details about them that we can programmatically use to drive their decision-making, and machine learning agent preference engines. If it is related to replicating human behavior within a cyber training or exercise scenario, we are interested in how GHOSTS can contribute within that space.

+

Reporting Bugs

+

Found a bug? Please report all bugs - including bugs for the individual components - in the cmu-sei/ghosts issue tracker. Include as much detail as possible including steps to reproduce, the specific components involved, and any error messages you may have found.

+

Requesting Features

+

Have a good idea for a new feature? Submit all new feature requests through the cmu-sei/ghosts issue tracker. Include the reasons why you're requesting the new feature and how it might benefit other users.

+

License

+

[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution.

+

Copyright 2018 Carnegie Mellon University. See the LICENSE.md file for details.

+
+
+
    +
  1. +

    This paper is influenced by our previous paper R-EACTR: A Framework for Designing Realistic Cyber Warfare Exercises which outlines a design framework for cyber warfare exercises. It ensures that designs of team-based exercises factor realism into all aspects of the participant experience. Both of these papers are natural extensions to The CERT Approach to Cybersecurity Workforce Development

    +
    2. +
  2. +

    There is also a GHOSTS video presentation from FloCon 2021 that provides a general introduction to the framework. 

    +
    3. +
+
+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/new/index.html b/new/index.html new file mode 100644 index 00000000..a1ec12f3 --- /dev/null +++ b/new/index.html @@ -0,0 +1,1415 @@ + + + + + + + + + + + + + + + + + + + + + + What's New - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

What's New

+

Welcome to what's new in the GHOSTS framework. Use this page to review the latest changes.

+

GHOSTS Core v7.0

+
    +
  • 10+ significant features built by 6+ contributors!
    • +
  • We surpassed 175 issues/discussions!
    • +
  • These new docs are hosted on GitHub Pages
    • +
  • GHOSTS PANDORA - a new tool for delivering randomized content within a range
    • +
  • GHOSTS PANDORA SOCIAL - a new tool for managing social media content within a range
    • +
+

In the Core Client, v7 Improves:

+
    +
  • Performance
    • +
  • The Clean up of created artifacts
    • +
  • Logging
    • +
  • Cron-like scheduling (in development for all handlers)
    • +
  • New handlers for Firefox and Chrome Browsers
    • +
  • Complete forms
    • +
  • Post payloads (images, files, etc.)
    • +
  • Better UA string handling
    • +
  • SharePoint
    • +
  • Drupal Blog Management
    • +
  • Jabber (XMPP)
    • +
  • RDP
    • +
  • sFTP
    • +
  • SSH
    • +
  • Client Now Supports AutoIT
    • +
+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/quickstart/index.html b/quickstart/index.html new file mode 100644 index 00000000..35d98940 --- /dev/null +++ b/quickstart/index.html @@ -0,0 +1,1454 @@ + + + + + + + + + + + + + + + + + + + + + + Quick Start - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

Quick Start

+
+No Compilers Necessary +

This section details the installation and configuration of GHOSTS from precompiled binaries for both the server and the client.

+
+

If you are just checking out the project for the first time and want to see NPCs performing activities, skip to the client section below. Otherwise, it is easier to install the API first and then a client that will connect to that installed API instance.

+

GHOSTS API Server

+

Easy installation requires:

+
    +
  1. Install 🐳 Docker
    2. +
  2. Install Docker Compose
    3. +
  3. +

    We'll use this docker-compose.yml file in the following command block which will download the required containers will automatically. The commands to stand up the GHOSTS API containers is:

    +
    mkdir ghosts-api
+cd ghosts-api
+curl https://raw.githubusercontent.com/cmu-sei/GHOSTS/master/src/Ghosts.Api/docker-compose.yml -o docker-compose.yml
+docker-compose up -d
+
    +
    4. +
  4. +

    Once the command completes, if you open http://localhost:5000/api/home in your browser, you should see the initial API page outlining the version of the install, and a few test machine entries. If this page renders, your API is up, running, and available. If the page does not render, follow the advice in the API troubleshooting section.

    +
    5. +
+

You will still need to set up Grafana. Beware that you must often chown g_data, which is the host location for the Graphana container as listed in the docker-compose file. Otherwise, the Grafana container will just continually restart in error due to insufficient permissions (detailed in API troubleshooting).

+

GHOSTS Clients

+

For any of the clients utilizing the browser, an automation driver is necessary to be included in the same folder as the GHOSTS binary. For Firefox, download the appropriate 🦎 Geckodriver for your version of the browser here. For Chrome, download the appropriate Chromedriver for your version of the browser here.

+

Note there are additional configuration steps for Outlook email automation.

+

The GHOSTS client should typically be run as a specific user, and not as an administrator or root account.

+

Windows Client

+
    +
  1. Your client machine will need to have (at least) the Microsoft DotNet 4.6.1 runtime installed. You do not need the full SDK.
    2. +
  2. Download the latest Windows client.
    3. +
  3. Unzip to your client machine in a directory such as c:\exercise\ghosts. You will need to adjust the configuration in config/application.json for your client to talk to the already installed API server from above.
    4. +
+

Linux Client

+
    +
  1. Your client Linux machine will need to have the latest Microsoft dotnetcore runtime installed (Note that for the GHOSTS client, there are versions for dotnetcoreapp3.1 - this will eventually go away — and dotnet6.0, which is LTS and should stick around for a while). Again, note that you only need the runtime installed, not the full SDK.
    2. +
  2. Download the latest Linux client zip file. Unzip to a folder such as ~/ghosts for the user that you want GHOSTS to run as.
    3. +
+

Note that on Linux machines running the client as root and utilizing web browsing may result in failures due to Gecko/Chromedriver display issues.

+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/search/search_index.json b/search/search_index.json new file mode 100644 index 00000000..e3efcca3 --- /dev/null +++ b/search/search_index.json @@ -0,0 +1 @@ +{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"The GHOSTS NPC Framework","text":"

Developed by Carnegie Mellon University's Software Engineering Institute (SEI), The GHOSTS Framework is an open-source (OSS) software framework that enables creating, deploying, and orchestrating complex non-player character (NPC) activity within training, exercise, simulation, and educational environments. Within GHOSTS there are several systems and applications, all of which are modular and extendable to fit a wide array of use cases and needs.

If you've never seen GHOSTS in action, watch this quick three-minute introductory video on YouTube:

"},{"location":"#documentation","title":"Documentation","text":"

This is the GHOSTS documentation site for the framework and all of its components. Each major component's detail is accessible from the main navigation. If anything is unclear or you still have questions, please do not hesitate to start a discussion \u2014 our community is growing and eager to help!

"},{"location":"#cyber-ranges-and-crucible","title":"Cyber Ranges and Crucible","text":"

GHOSTS is typically run on machines within a virtualized network, often referred to as \"the range\". This network can be as simple or as complex as required for training and exercise purposes.

CERT's Cyber Workforce Development (CWD) team has a great deal of experience in building cyber ranges for training and exercise, captured in our technical report Foundation of Cyber Ranges. The report details the design considerations and execution plan for building high-fidelity, realistic virtual cyber ranges that deliver maximum training and exercise value for cyberwarfare participants.

Run GHOSTS on the Crucible Framework

GHOSTS runs very well within the SEI's Crucible Framework (Source Code and Docs) - which we use extensively for training and exercise here at Carnegie Mellon University (CMU)'s Software Engineering Institute, and particularly, within CERT.

Building a sufficiently complex range for training and exercise purposes is often challenging. Crucible is a modular framework for creating, deploying, and managing virtual environments to support training, education, and exercises. Crucible is designed to be easy to use, extensible, and customizable to meet the needs of a wide variety of use cases.

"},{"location":"#philosophy","title":"Philosophy","text":"

GHOSTS evolved in our quest to create more realistic NPCs within cyberwarfare training and exercise. In 2018, we outlined our thoughts in a technical report entitled GHOSTS in the Machine: A Framework for Cyber-Warfare Exercise NPC Simulation.1 In that report, we outline how the GHOSTS framework accomplishes the creation of simulations in which NPCs realistically represent a vast array of possible encounters and outcomes. We have continued to follow our initial path since. The litmus has always been that if we looked over someone's shoulder while they were using a computer, that is what GHOSTS should look like.2

Since then the framework has expanded to include tools that serve content in simulated environments, create NPCs with details about them that we can programmatically use to drive their decision-making, and machine learning agent preference engines. If it is related to replicating human behavior within a cyber training or exercise scenario, we are interested in how GHOSTS can contribute within that space.

"},{"location":"#reporting-bugs","title":"Reporting Bugs","text":"

Found a bug? Please report all bugs - including bugs for the individual components - in the cmu-sei/ghosts issue tracker. Include as much detail as possible including steps to reproduce, the specific components involved, and any error messages you may have found.

"},{"location":"#requesting-features","title":"Requesting Features","text":"

Have a good idea for a new feature? Submit all new feature requests through the cmu-sei/ghosts issue tracker. Include the reasons why you're requesting the new feature and how it might benefit other users.

"},{"location":"#license","title":"License","text":"

[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution.

Copyright 2018 Carnegie Mellon University. See the LICENSE.md file for details.

  1. This paper is influenced by our previous paper R-EACTR: A Framework for Designing Realistic Cyber Warfare Exercises which outlines a design framework for cyber warfare exercises. It ensures that designs of team-based exercises factor realism into all aspects of the participant experience. Both of these papers are natural extensions to The CERT Approach to Cybersecurity Workforce Development.\u00a0\u21a9

  2. There is also a GHOSTS video presentation from FloCon 2021 that provides a general introduction to the framework.\u00a0\u21a9

"},{"location":"new/","title":"What's New","text":"

Welcome to what's new in the GHOSTS framework. Use this page to review the latest changes.

"},{"location":"new/#ghosts-core-v70","title":"GHOSTS Core v7.0","text":"
  • 10+ significant features built by 6+ contributors!
  • We surpassed 175 issues/discussions!
  • These new docs are hosted on GitHub Pages
  • GHOSTS PANDORA - a new tool for delivering randomized content within a range
  • GHOSTS PANDORA SOCIAL - a new tool for managing social media content within a range

In the Core Client, v7 Improves:

  • Performance
  • The Clean up of created artifacts
  • Logging
  • Cron-like scheduling (in development for all handlers)
  • New handlers for Firefox and Chrome Browsers
  • Complete forms
  • Post payloads (images, files, etc.)
  • Better UA string handling
  • SharePoint
  • Drupal Blog Management
  • Jabber (XMPP)
  • RDP
  • sFTP
  • SSH
  • Client Now Supports AutoIT
"},{"location":"quickstart/","title":"Quick Start","text":"No Compilers Necessary

This section details the installation and configuration of GHOSTS from precompiled binaries for both the server and the client.

If you are just checking out the project for the first time and want to see NPCs performing activities, skip to the client section below. Otherwise, it is easier to install the API first and then a client that will connect to that installed API instance.

"},{"location":"quickstart/#ghosts-api-server","title":"GHOSTS API Server","text":"

Easy installation requires:

  1. Install \ud83d\udc33 Docker
  2. Install Docker Compose

  3. We'll use this docker-compose.yml file in the following command block which will download the required containers will automatically. The commands to stand up the GHOSTS API containers is:

    mkdir ghosts-api\ncd ghosts-api\ncurl https://raw.githubusercontent.com/cmu-sei/GHOSTS/master/src/Ghosts.Api/docker-compose.yml -o docker-compose.yml\ndocker-compose up -d\n

  4. Once the command completes, if you open http://localhost:5000/api/home in your browser, you should see the initial API page outlining the version of the install, and a few test machine entries. If this page renders, your API is up, running, and available. If the page does not render, follow the advice in the API troubleshooting section.

You will still need to set up Grafana. Beware that you must often chown g_data, which is the host location for the Graphana container as listed in the docker-compose file. Otherwise, the Grafana container will just continually restart in error due to insufficient permissions (detailed in API troubleshooting).

"},{"location":"quickstart/#ghosts-clients","title":"GHOSTS Clients","text":"

For any of the clients utilizing the browser, an automation driver is necessary to be included in the same folder as the GHOSTS binary. For Firefox, download the appropriate \ud83e\udd8e Geckodriver for your version of the browser here. For Chrome, download the appropriate Chromedriver for your version of the browser here.

Note there are additional configuration steps for Outlook email automation.

The GHOSTS client should typically be run as a specific user, and not as an administrator or root account.

"},{"location":"quickstart/#windows-client","title":"Windows Client","text":"
  1. Your client machine will need to have (at least) the Microsoft DotNet 4.6.1 runtime installed. You do not need the full SDK.
  2. Download the latest Windows client.
  3. Unzip to your client machine in a directory such as c:\\exercise\\ghosts. You will need to adjust the configuration in config/application.json for your client to talk to the already installed API server from above.
"},{"location":"quickstart/#linux-client","title":"Linux Client","text":"
  1. Your client Linux machine will need to have the latest Microsoft dotnetcore runtime installed (Note that for the GHOSTS client, there are versions for dotnetcoreapp3.1 - this will eventually go away \u2014 and dotnet6.0, which is LTS and should stick around for a while). Again, note that you only need the runtime installed, not the full SDK.
  2. Download the latest Linux client zip file. Unzip to a folder such as ~/ghosts for the user that you want GHOSTS to run as.

Note that on Linux machines running the client as root and utilizing web browsing may result in failures due to Gecko/Chromedriver display issues.

"},{"location":"advanced/","title":"GHOSTS Advanced Features Overview","text":"

The SEI is a research institute, and so we often are thinking about how to use GHOSTS in new ways to drive insight for our customers. Some of this work makes it here, with the caveat that it might be early beta editions or require some amount of engineer hand-holding in its current state. Some call it pre-release, we call it advanced features.

"},{"location":"advanced/cyclone/","title":"GHOSTS CYCLONE Overview","text":"Unreleased

Coming soon

"},{"location":"advanced/enchanter/","title":"GHOSTS ENCHANTER Overview","text":"Unreleased

Coming soon

"},{"location":"advanced/necromancer/","title":"GHOSTS NECROMANCER Overview","text":"Unreleased

Coming soon

"},{"location":"animator/","title":"GHOSTS ANIMATOR Overview","text":"GHOSTS ANIMATOR Source Code

The GHOSTS ANIMATOR Source Code Repository is hosted on GitHub

Animator brings NPCs to life in two ways:

  1. Initial Creation

    Animator creates the initial NPC profile, including details such as name, address, career, finances, and family members. Based on configuration, it can place users in a multi-level organizational structure, and establish relationships between users.

  2. Animation Jobs

    Via jobs that can be run during training and exercise events, Animator can update the NPC's preferences, beliefs, and relationships. This enables dynamic NPCs that change over time.

At its core, Animator is a realistic user detail generator. Its primary function is to create sufficiently realistic identities and accompanying verbose portfolios of personal information. Each generated user, or NPC (Non-Player Character) as we call them, has numerous categories of details associated with them, and a great deal of metadata that define who they are. Each piece of information is generated using sourced datasets in an attempt to distribute characteristics realistically. We like to say it creates, \"NPCs so real, they sell for a premium on the dark web.\"1

"},{"location":"animator/#quick-start","title":"Quick Start","text":"
git clone <https://github.com/cmu-sei/GHOSTS-ANIMATOR>\ncd ghosts-animator/src\ndocker build . -t ghosts/animator\ndocker compose up -d\n

or if you don't want to build and just run the latest docker-compose file:

mkdir ghosts-animator\ncd ghosts-animator\ncurl https://github.com/cmu-sei/GHOSTS-ANIMATOR/blob/master/src/docker-compose.yml -o docker-compose.yml\ndocker compose up -d\n

Now browse to http://localhost:5000/

"},{"location":"animator/#using-animator-to-create-npcs","title":"Using Animator to Create NPCs","text":"

The data generated by Animator can be leveraged in multiple areas, but is particularly applicable in four key areas:

  1. Training Machine Learning Algorithms - Animator creates larges sets of hyper-realistic user data. It can be leveraged to generate data sets that can be used for training machine learning algorithms. This enables the rapid training of anthropology-related ML algorithms that can leverage one or more of the hundred-plus data points generated by Animator.2

  2. Honeypot Payloads - NPC details generated by Animator are designed to be as realistic as possible given the available relevant open source information. This makes the user data convincingly real while still being completely fabricated. Therefore, the data is ideal for use in applications like honeypots, where the goal is to trick an attacker into thinking they are compromising an asset with real user data. This data is also perfect for any other application that would benefit from extremely realistic user information.

  3. Insider Threat Modeling - Each Animator NPC is given an Insider Threat Profile. This profile determines how likely it is that the NPC is an insider threat by incorporating the CDSE's Insider Threat Potential Indicators. As we continue developing Animator, it will be possible to configure NPCs to be more or less likely to be insider threats based on factors like their finances, criminal history, foreign contacts, and mental health.

  4. Social Network and Relationship Modeling - Animator can establish relationships between the NPCs it generates. As we increase the fidelity of inter-NPC relationships, Animator NPCs create larger and more realistic social networks. By leveraging Animator's ability to quickly generate thousands of inter-related NPCs, Animator can easily be used to perform social networking modeling and research.

"},{"location":"animator/#how-creating-npcs-works","title":"How Creating NPCs Works","text":"
  • Once Animator receives a request to create NPCs, it starts by creating an empty NPC Profile.
  • Animator then iterates through all 100+ data points for the NPC and generates synthetic data to be associated with that NPC.
  • Example data points are name, address, mental health, career, finances, and family members.
  • Data points are either generated at random or are generated using weighted randomization. Weighted randomization involves leveraging verified datasets to influence the distribution of randomly generated data points to match much more closely to reality.
  • Animator will complete this process for as many users as were selected by the request. This information can be exported through the API, or stored in a local database

Animator currently supports storing NPC data in a local Mongo Database. This feature is still being actively improved.

  1. The GHOSTS development team highly recommends Nick Bilton's book American Kingpin for insight into the early days of the dark web.\u00a0\u21a9

  2. A key developer from the Animator team went on to a position in the SEI's AI division. AI models need data. You connect the dots.\u00a0\u21a9

"},{"location":"animator/jobs/","title":"Animation Jobs","text":"

So, now we have Animator-generated NPCs, and they have profile information and preferences.

Animator has a job system that might enables us to push our simulation further:

  • What motivates an agent?
  • What does an agent know and how did they learn that? How does their knowledge grow over time?
  • What relationships does an agent have off-network? How might this influence what they do on the computer?
  • What does an agent believe? How did they come to that belief?

Jobs operate on a \"per cycle\" or \"step\" basis. For each cycle, the job processes a list of agents, and the actions or determinations programmed for each.

"},{"location":"animator/jobs/#decision-making-framework","title":"Decision-Making Framework","text":"

We can use any combination of the following to drive agent decision-making:

"},{"location":"animator/jobs/#motivation","title":"Motivation","text":"

We implement the Reiss Motivational Profile (RMP) - which is a mathematical framework for reasoning about agent comparative motivations - agent A is twice as motivated by X than agent B - that is baselined every few years.

"},{"location":"animator/jobs/#relationships","title":"Relationships","text":"

Agents build relationships with other agents in the cohort. These get better or worse over time.

How this works is that each agent has the potential to interact with n other agents (they can also potentially transfer knowledge as a result). The more an agent knows about a particular subject, maybe the more likely they are to transfer information to another agent.

"},{"location":"animator/jobs/#knowledge","title":"Knowledge","text":"

Agents build knowledge across an array of subjects that may alter their preferences. Within Animator, there are two main ways to learn:

  • Independently through study or by utilizing resources such as books or videos
  • Through relationships with others at the coffee counter, through mentorship, or group-based learning (a classroom or team for example). Here NPCs learn via interactions with other agents, and the system tracks what was learned and from whom.
"},{"location":"animator/jobs/#belief","title":"Belief","text":"

What an agent believes can directly influence their behavior. Beliefs shape understanding of the world and guide decision-making and problem-solving. Agents come to belief utilizing Bayes Theorem, which is a mathematical framework for reasoning about probability of evidence.

So what does this all mean? Here is an example where an agent shares bits of information on social media:

Some tweets contain no insight about the agent. Some disclose some bit of information:

  • Agent knows X fact
  • Agent interacted with Y agent
  • Agent decided to disclose some personal detail Z

Other agents \u2014 and adversaries \u2014 can see and infer from this information!

"},{"location":"animator/run/","title":"Running Animator Animations","text":"

Animator is a simulation of a population of agents. Animator runs in cycles, and for each cycle, the agents make decisions based on their attributes, preferences, motivations, and behaviors.

"},{"location":"animator/run/#setup","title":"Setup","text":"
  • Get the Animator API up and running as outlined here
  • Edit the appsettings.json file to enable Animations:
\"ApplicationSettings\": {\n\"GhostsApiUrl\": \"http://localhost:52388/\",        // this should be root url of your ghosts API server\n\"Animations\": {\n\"IsEnabled\": false,                             // set this to true to enable animation jobs\n\"SocialGraph\": {\n\"IsEnabled\": false,                           // set this to true to enable the entire module (inc. web gui access)\n\"IsInteracting\": false,                       // set this to true to actually run the interactions\n\"MaximumSteps\": 4000,                         // animator stops when it reaches this many steps \n\"TurnLength\": 900,                            // by default, a step is a cpu cycle, the higher this number, the slower the simulation \n\"ChanceOfKnowledgeTransfer\": 0.3,\n\"Decay\": {\n\"StepsTo\": 10,\n\"ChanceOf\": 0.05\n}\n},\n\"SocialSharing\": {\n\"IsEnabled\": false,                          // set this to true to enable the entire module (inc. web gui access)\n\"IsInteracting\": false,                      // set this to true to actually run the interactions\n\"IsSendingTimelinesToGhostsApi\": false,      // set this to true to actually send the timeline commands to the ghosts API\n\"IsChatGptEnabled\": false,                   // this is still under development, here be dragons\n\"SocializerUrl\": \"http://socializer.com\",    // change this to the root url of your in-game social server\n\"MaximumSteps\": 14000,\n\"TurnLength\": 9000                           // by default, a step is a cpu cycle, the higher this number, the slower the simulation \n},\n\"SocialBelief\": {\n\"IsEnabled\": false,                         // set this to true to enable the entire module (inc. web gui access)\n\"IsInteracting\": false,                     // set this to true to actually run the interactions\n\"MaximumSteps\": 14000,\n\"TurnLength\": 9000\n}\n}\n},\n...\n

After you update the appsettings.json file, you will need to restart the Animator API server via:

docker restart animator-api\n
"},{"location":"content/","title":"GHOSTS Content Servers Overview","text":"

GHOSTS content servers are an evolving part of the framework. They exist for several reasons:

  1. On an air-gapped network, where we are simulating some subset of the internet, we want more types of browsable content within that range \u2014 documents, spreadsheets, presentations, pdf files, streamed movies, and the like.
  2. We want a broad range of URLs within a site we are representing in the range.
  3. We want to simulate a document store, such as SharePoint, OneCloud, or similar, but without the hassle of installing and maintaining those actual systems.

Research by Global WebIndex claims that globally, 59% of the world's population uses social media, and that the average daily use is 2 hours and 29 minutes (July 2022).

"},{"location":"content/#air-gaps","title":"Air-gaps","text":"

Many ranges are air-gapped, which means they have no access to the wider internet. In these cases, recreating a reasonable facsimile of the internet is key to the training experience. While there are many systems that do this well, we often want to augment the scenario with a wider array of URL traffic, or we want to introduce more of certain kinds of content going across the wire. PANDORA was created to address these concerns. Shortly later, we added a social server as well.

"},{"location":"content/#having-to-know-valid-urls","title":"Having to know valid URLs","text":"

The other problem is that the internet works by the client having to \u201cknow\u201d the location of some resource via:

  • Actually knowing the URL
  • Being referred from another page - I might know google.com and search for something, which gives me a reference to another page I was not aware of previously.
  • Inferring the URL from some like resource - If one is poking around and looking for something on a server, a slight change of URL often gives hints that get you to where you wanted to go.
  • Guessing - the proliferation of .com domains means that for something new, it's often fruitful to just try that thing.com and see if it works!

The problem here is that currently, clients must know valid URLs that actually exist out in a simulated greyspace (via TopGen, GreyBox, or otherwise), which limits the array of potential requests and creates range work to maintain. So we created GHOSTS PANDORA, which serves whatever clients ask for - if the request is for a doc file, the server creates a random doc file on the fly \u2014 in memory \u2014 and serves it back to the client. Pandora serves the following content types:

  • html
  • css
  • js
  • doc|x
  • ppt|x
  • xls|x
  • mp4
  • pdf
  • gif
  • jpg
  • png
  • zip
  • msi
  • iso
  • other binary formats, etc.

Pandora has generic request handlers for each HTTP verb (GET, POST, etc.) and is deployed as a simple docker container. We configure it to handle a particular IP on a multiple-IP-enabled host machine. It works off any URL, but part of the solution involved introducing more randomness in the GHOSTS clients as well. Those clients now support a creative parameter-built URL system that can be configured to look something like this:

sharepoint.hello.com/{org}/{report_type}/{uuid}/{file_name}.{file_type}\n

These variables are processed at runtime, and produce a final url that might look something like:

sharepoint.hello.com/operations/maintenance/80e6af4e-5107-43b5-832f-0d8027efbd76/report.docx\n

In addition, Pandora supports \u201cbad\u201d payloads via configuration. Here the server responds to specific configured URLs to deploy planted injects. So clients can download malware in an exercise in a manner that is hard to differentiate based on URLs already seen within the event. The configuration looks like:

[payloads]\n1=/bad/payload/url/,some_bad.zip,application/zip\n

Where id=url,payload file, MIME response type.

"},{"location":"content/pandora/","title":"GHOSTS PANDORA SERVER Overview","text":"Pandora is part of GHOSTS

Pandora is within the GHOSTS Source Code Repository hosted on GitHub.

GHOSTS PANDORA is a web server that responds to a myriad of request types with randomized content generated in real-time. Used in conjunction with GHOSTS NPCs, the two can provide for agents that are periodically downloading content other than simple HTML and associated image, CSS, and js files.

"},{"location":"content/pandora/#running-this-server","title":"Running this server","text":""},{"location":"content/pandora/#as-a-docker-container","title":"As a Docker Container","text":"

Docker is the preferred way to run Pandora - mostly because this is how we run and test it before version releases.

  1. Review the repository docker-compose.yml file
  2. Run the following in your terminal 
mkdir ghosts-pandora\ncd ghosts-pandora\ncurl https://raw.githubusercontent.com/cmu-sei/GHOSTS/master/src/ghosts.pandora/docker-compose.yml -o docker-compose.yml\ndocker-compose up -d\n
"},{"location":"content/pandora/#bare-metal","title":"Bare metal","text":"

This assumes the host server is a common Linux distribution. For images to render correctly, PIL or the more recent Pillow library is necessary. See here for more information on Pillow installation and configuration.

  1. Using a Python 3 distribution >= 3.6.2
  2. In the terminal run: pip install -r requirements.txt
  3. Then run python app.py
"},{"location":"content/pandora/#capabilities","title":"Capabilities","text":""},{"location":"content/pandora/#handling-requests-by-directory","title":"Handling requests by directory","text":"
  • /api - All requests beginning with /api automatically respond with json. This includes:
    • /api/users
    • /api/user/a320f971-b3d9-4b79-bb8d-b41d02572942
    • /api/reports/personnel
  • /csv - All requests beginning with /csv automatically respond with csv. Like the above, this includes urls such as:
    • /csv/users
    • /csv/user/winx.jalton
    • /csv/reports/HR/payroll
  • /i, /img, /images - All requests beginning with these directories automatically respond with a random image of type [gif, jpg, png]. Examples:
    • /i/v1/a9f6e2b7-636c-4821-acf4-90220f091351/f8f8b1f0-9aa5-4fc7-8880-379e3192748e/small
    • /images/products/184f3515-f49b-4e07-8c8b-7f978666df0e/view
    • /img/432.png
  • /pdf - All requests respond with a random pdf document. Examples:
    • /pdf/operations/SOP_Vault/a7f48bd5-84cb-43a1-8d3d-cd2c732ddff6
    • /pdf/products
  • /docs - All requests respond with a random word document
  • /slides - All requests respond with a random powerpoint document
  • /sheets - All requests respond with a random excel document
"},{"location":"content/pandora/#handling-requests-by-type","title":"Handling requests by type","text":"

For requests indicating a specific file type, there are several specific handlers built to respond with that particular kind of file, such as:

  • .csv
  • Image requests [.gif, .ico, .jpg, .jpeg, .png]
  • .json
  • Office document requests
  • .doc, .docx
  • .ppt, .pptx
  • .xls, .xlsx
  • .pdf

So that a URL such as /users/58361185-c9f2-460f-ac45-cb845ba88574/profile.pdf would return a pdf document typically rendered right in the browser.

All unhandled request types, urls without a specific file indicator, or requests made outside specifically handled directories (from the preceding section) are returned as html, including:

  • /docs/by_department/operations/users
  • /blog/d/2022/12/4/blog_title-text
  • /hello/index.html
"},{"location":"content/pandora/#hiding-malicious-payloads-for-red-teaming","title":"Hiding malicious payloads for red-teaming","text":"

Pandora also can hide payloads in a particular request for things like red-teaming and such. This is done in the configuration file, and looks like this:

[payloads]\n1=/1/,a.zip,application/zip\n2=/2/users,b.zip,application/zip\n3=/3/some/report/url,c.zip,application/zip\n

Each record must be an incrementing integer with no duplication. The values are:

  • The URL that this payload responds to
  • The local file (stored in ./payloads/) to be returned
  • The MIME type of the response

So for 1 in the example above, requests to /1/ return the a.zip file as an application/zip file.

"},{"location":"content/social/","title":"GHOSTS PANDORA SOCIAL Overview","text":"PANDORA SOCIAL is still very early beta

Here be dragons

The place where GHOSTS agents come to share their thoughts and information.

In the spirit of the original PANDORA, this server also responds to a very broad array of URLs but enables clients to POST/PUT/DELETE to it as well, for example:

Request Response POST /images responds with a url to the saved image file POST / responds with a randomly-generated streamed video POST /users/michelle_smith/af2d00aa-4a89-4af3-baff-1746b556e7a1/ responds with a reply to the original user's social post"},{"location":"core/api/","title":"GHOSTS Core API Overview","text":"GHOSTS Source Code

The GHOSTS Source Code Repository is hosted on GitHub.

The GHOSTS API enables the control and orchestration of non-player characters (NPCs) within a deployment. It supports logging, reporting, and managing individual, groups of, or entire deployments of client installs.

"},{"location":"core/api/#installation","title":"Installation","text":"
  1. Install \ud83d\udc33 Docker
  2. Install Docker Compose
  3. Run the following commands - we'll use this docker-compose.yml file
mkdir ghosts\ncd ghosts\ncurl https://raw.githubusercontent.com/cmu-sei/GHOSTS/master/src/Ghosts.Api/docker-compose.yml -o docker-compose.yml\ndocker-compose up -d\n

The required containers will be downloaded and configured automatically.

Once the last command completes, if you open http://localhost:5000/api/home in your browser, you should see the initial API page outlining the version of the install, and a few test machine entries. If this page renders, your API is up, running, and available.

You will still need to set up Grafana. Beware that you must often chown the host location of the container as listed in the docker-compose file or the container will just continually restart in error due to insufficient permissions.

"},{"location":"core/api/#configuring-the-api","title":"Configuring the API","text":"

The API generally has good defaults to get you up and running quickly, but there are some considerations in the appconfig.json file:

    \"ClientSettings\": {\n\"OfflineAfterMinutes\": 30, ...\n\"MatchMachinesBy\": null,\n

Can be fqdn|host|resolvedhost|null - null tells the API to match incoming requests with machine records by the machine name. For installations where multiple domains are reporting into the same API, you probably want to use FQDN in order to avoid machines being duplicated.

\"QueueSyncDelayInSeconds\": 10,\n\"NotificationsQueueSyncDelayInSeconds\": 10,\n

This is how often the synch job runs. Incoming machine requests are not real-time in order to best bundle like records together.

"},{"location":"core/api/#configuring-grafana","title":"Configuring Grafana","text":"
  • Grafana will be running (if containerized) on port 3000, and we can access it via the same URL we use for the API.
  • The default login is admin/admin.
  • The first step is to set up a datasource named \"ghosts\" to the ghosts Postgres database.
  • Now import your choice of the grafana json files in this repository. It creates the default GHOSTS dashboard.
"},{"location":"core/api/#webhooks","title":"Webhooks","text":"

The GHOSTS API provides webhook callbacks based on the configuration on the endpoint: /api/webhooks. The payload for creating a webhook is in the format:

{\n\"status\": 0,\n\"description\": \"some description\",\n\"postbackUrl\": \"http://localhost/endpoint:port\",\n\"postbackMethod\": 0, (0 == get, 1 == post)\n\"postbackFormat\": \"see below\"\n}\n

Payloads can be any format \u2014 here is a sample:

{\n'machine':'[machinename]',\n'created':'[datetime.utcnow]',\n'type':'[messagetype]',\n'payload':'[messagepayload]'\n}\n

On send, the payload will be converted into the correct JSON format:

{\n\"machine\":\"some_guid\",\n\"created\":\"some_datetime\",\n\"type\":\"some_message\",\n\"payload\":\"some_payload\"\n}\n

If the postback method is POST, the payload will be sent as the message body. If the postback method is GET, the payload will be sent as part of the querystring value ?message=payload.

The following events are reported via webhooks:

  1. Timeline delivered (with the timeline that was delivered as payload) to a machine via API (original API posting of timeline only holds timeline in wait - the client still must check-in in order for that timeline to be delivered)
  2. Machine requested updates (\"checked in\") from API
  3. Machine posted results to API
"},{"location":"core/api/#troubleshooting","title":"Troubleshooting","text":"

Is the API up and running?

  • Go to /api/home in the browser, it should return the current API version and the number of machines and groups under management. If it says relationship not found, restart the API application and it should create the database automatically.
  • Run docker ps --all and see that all containers are running normally. If one or more is not running, look at the logs for that machine via docker logs [machine name].

The ClientId, ClientResults, and other Client* endpoints are failing.

The Client* endpoints are for the Clients to use only. There are specific header values set by the client in the request that is used to authenticate the request. If you are not using the client, you will not have these headers set, and these endpoints will fail.

"},{"location":"core/client/","title":"GHOSTS Core Client Overview","text":"GHOSTS Source Code

The GHOSTS Source Code Repository is hosted on GitHub.

The GHOSTS client simulates what anyone might do at a computer given their particular role or membership within some team. It creates documents, browses websites, downloads files, and uses all sorts of popular applications on many versions of Windows and Linux machines. Whether you're a friendly administrator or a powerful cyber adversary, GHOSTS can replicate your expected behavior.

GHOSTS has many use cases in cyber training and exercises, most notably for bringing non-player characters (NPCs) to life, but it can also be used for other purposes where realistic activity on a computer or network is needed - testing or generating datasets, for example.

Do I need the API?

Although clients are fully functional without the API server, the latter enables logging, reports, and remote administration capabilities. Without the API, changes to clients must be managed in some other manner.

The client's configuration and command system are file-based, so if you do not wish to use the API, you can manage these through some other tool, such as Ansible or similar. All of these files are under the client's install location.

Run as the NPC you're representing

The GHOSTS client should typically be run as a user, and not as administrator or root - training or exercising teams will notice this immediately.

"},{"location":"core/client/#the-windows-client","title":"The Windows Client","text":"

GHOSTS on Windows (Win10 and Win7 currently supported) is a .NET Console application that performs user activity on client workstations - web browsing, working with office documents, using the command prompt or PowerShell, etc. Our team typically installs the client in an out-of-game directory (c:\\exercise\\ghosts\\), where no event or injects will originate. It is recommended you verify one working client before deploying to multiple machines. You will need the base URL from the API installation for the client to communicate home.

"},{"location":"core/client/#windows-installation","title":"Windows Installation","text":"

  • Your client Windows machine will need to have (at least) the Microsoft DotNet 4.6.1 runtime installed . Again, note that you only need the runtime, not the full SDK. We continue to use 4.6.1 on Windows to maintain backward compatibility.

  • Download the appropriate latest client

Unzip to your client machine in a directory such as c:\\exercise\\ghosts. You will need to adjust the configuration in config/application.json for your client to talk to your an installed instance of the GHOSTS API server.

Additional configuration required for web browsing

For any client utilizing the Firefox or Chrome web browser, an automation driver is necessary to be included in the same folder as the GHOSTS binary. For Firefox, download the appropriate \ud83e\udd8e\u00a0 Geckodriver for your version of the browser here . For Chrome, download the appropriate Chromedriver for your version of the browser here .

Additional configuration required for email

Using the Windows client email functions requires the use of Redemption which provides robust Outlook automation. The full Redemption library should be found in /lib.

"},{"location":"core/client/#linux-client","title":"Linux Client","text":"

Your client Linux machine will need to have the latest Microsoft dotnetcore runtime installed (Note that for the GHOSTS client, there are versions for dotnetcoreapp3.1 - this will eventually go away \u2014 and dotnet6.0, which is long term support (LTS) and will stick around for a while). Again, note that you only need the runtime installed, not the full SDK.

"},{"location":"core/client/#linux-installation","title":"Linux Installation","text":"
  • Download the latest Linux client

Unzip to a folder such as ~/ghosts for the user that you want GHOSTS to run as.

Note that on Linux machines running the client as root and utilizing web browsing may result in failures due to Gecko/Chromedriver display issues.

"},{"location":"core/client/#client-directory-structure","title":"Client Directory Structure","text":"Do not copy the instance folder

You should never copy the instance folder from one machine to another.

Folder Description config/ configuration files are stored here. instance/ generated files and information relative to this particular installed instance of ghosts is stored here. This folder should never be copied from one machine to another lib/ third-party libraries used by ghosts are stored here logs/ output logs for the installed instance (logs/app.log), and logs that are transferred to the server (logs/clientupdates.log)"},{"location":"core/client/#configuration-quick-start","title":"Configuration Quick Start","text":"

After unzipping the GHOSTS client, we can simply double-click it to run. Note that the console window likely printed a few messages, but then disappeared. This is normal, in production mode GHOSTS hides itself. We can see it in the Windows Task Manager, however, and we can kill the process from there. We can also run the included kill-ghosts.bat file that closes the application and any applications it might control.

Beyond this initial step of verifying that the client will run, there are two files that we might need to adjust to fit many deployments:

"},{"location":"core/client/#applicationjson","title":"application.json","text":"

In this file, often all we need to change are the URLs for the API, IdUrl, ClientResultsUrl, ClientUpdatesUrl, and the like. Change the hostname to your installed API location, and GHOSTS should check in as expected.

{\n\"IdEnabled\": true,                                                      //enabled in order to command and control from api (C2) server\n\"IdUrl\": \"http://yourapiurl.com/api/clientid\",                          //url for API endpoint to get clientid\n\"ClientResultsEnabled\": true,                                           //enabled to report results to C2\n\"ClientResultsUrl\": \"http://yourapiurl.com/api/clientresults\",          //url for API endpoint to report results\n\"ClientResultsCycleSleep\": 90,                                          //report results every x ms\n\"ClientUpdatesEnabled\": true,                                           //enabled to get updates from C2\n\"ClientUpdatesUrl\": \"http://yourapiurl.com/api/clientupdates\",          //url for API endpoint to get updates\n\"ClientUpdatesCycleSleep\": 90,                                          //check for updates every x ms\n\"Survey\": {                                                             //survey is a local report of processes running, etc.\n\"IsEnabled\": true,                                                  //on/off\n\"Frequency\": \"once\",                                                //how often to survey\n\"MaxAgeInHours\": 168,                                               //how long to wait until new survey\n\"OutputFormat\": \"indent\"                                            //compact/fancy(indent)\n},\n\"HealthIsEnabled\": true,                                                //enable local health checks\n\"HandlersIsEnabled\": true,                                              //enable local timeline activity\n\"ChromeExtensions\": \"\",                                                 //comma separated local extensions (used for injects in the past)\n\"FirefoxInstallLocation\": \"\",                                           //geckodriver needs this for non-standard installs (is pesky)\n\"FirefoxMajorVersionMinimum\": 48,                                       //geckodriver is picky about versions\n\"OfficeDocsMaxAgeInHours\": 6,                                           //cleanup kills docs in the documents folder older than this setting\n}\n
"},{"location":"core/client/#timelinejson","title":"timeline.json","text":"

The other file we may want to adjust is the default timeline. This is what the agent does all day, including browsing the internet, creating documents, and similar. The defaults hopefully give you a good idea of what is possible, and of course, the array of configurations here is endless - be creative!

The primary item is the HandlerType. This tells GHOSTS to run a command (Command), use Firefox to browse an array of websites (BrowserFirefox), create Excel documents (Excel) and so on. Some of the other items related to a handler's configuration are:

  • Initial: The initial command for a handler to execute. For a web browser, you might enter either a URL or \"about:blank\".
  • UtcTimeOn | UtcTimeOff: \"00:00:00\": \"24:00:00\" to not shut off. Otherwise, enter an on and an off time to simulate things such as office hours of 9-5, etc. There are 30 minutes of jitter plus or minus from the time entered.
  • Loop: Set this to true to continue to execute this same command on a loop, or false to execute something just one time.
{\n\"HandlerType\": \"Command\",\n\"Initial\": \"\",\n\"UtcTimeOn\": \"00:00:00\",\n\"UtcTimeOff\": \"24:00:00\",\n\"Loop\": \"True\",\n\"TimeLineEvents\": [\n{\n\"Command\": \"NETSTAT\",    \"CommandArgs\": [],\n\"DelayAfter\": 900000,\n\"DelayBefore\": 0\n}\n]\n}\n

To access a network share file, the command might be: net use X:\\SERVER\\Share

To RDP to another machine: mstsc.exe {ConnectionFile | /v:ServerName[:Port]} [/console] [/f] [/w:Width/h:Height]

/v - specifies the remote computer and port (optional) you wish to connect to /console \u2013 connects to the console of a Windows Server 2003 based system /f \u2013 starts the remote desktop connection in full screen mode /w & /h \u2013 specifies the width and height of the remote desktop connection

Actions can also be created for standard copy/move/deletion of files via their respective commands.

Chrome

We have to pass the browser window an initial value. If we don't want it to go anywhere at start, we could pass about:blank, otherwise we'd pass a url. These can be http or https.

{\n\"HandlerType\": \"BrowserChrome\",\n\"Initial\": \"http://google.com\",\n\"UtcTimeOn\": \"00:00:00\",\n\"UtcTimeOff\": \"24:00:00\",\n\"Loop\": \"True\",\n\"TimeLineEvents\": [\n{\n\"Command\": \"random\",\n\"CommandArgs\": [\n\"http://google.com\",\n\"http://facebook.com\",\n],\n\"DelayAfter\": 1000,\n\"DelayBefore\": 0\n}\n]\n}\n

Excel, PowerPoint, Word

{\n\"HandlerType\": \"Word\",\n\"Initial\": \"\",\n\"UtcTimeOn\": \"00:00:00\",\n\"UtcTimeOff\": \"24:00:00\",\n\"Loop\": \"True\",\n\"TimeLineEvents\": [\n{\n\"Command\": \"create\",\n\"CommandArgs\": [ \"%homedrive%%homepath%\\\\Documents\" ],\n\"DelayAfter\": 900000,\n\"DelayBefore\": 0\n}\n]\n}\n
"},{"location":"core/client/#trackables","title":"Trackables","text":"

For specific Timeline Events where the outcome is needed to be tracked, like for example, a client machine spawned inject, use a Trackable (via TrackableId in the following example):

{\n\"TimeLineHandlers\": [\n{\n\"HandlerType\": \"BrowserChrome\",\n\"Initial\": \"about:blank\",\n\"UtcTimeOn\": \"00:00:00\",\n\"UtcTimeOff\": \"24:00:00\",\n\"Loop\": false,\n\"TimeLineEvents\": [\n{\n\"Command\": \"browse\",\n\"CommandArgs\": [ \"https://dl.dafont.com/dl/?f=italian_breakfast\" ],\n\"DelayAfter\": 0,\n\"DelayBefore\": 0\n},\n{\n\"Command\": \"download\",\n\"CommandArgs\": [ \"//a[contains(@class, 'dl')]\" ],\n\"TrackableId\": \"<guid id from trackables table/>\",\n\"DelayAfter\": 0,\n\"DelayBefore\": 0\n}\n]\n},\n{\n\"HandlerType\": \"Command\",\n\"Initial\": \"\",\n\"UtcTimeOn\": \"00:00:00\",\n\"UtcTimeOff\": \"24:00:00\",\n\"Loop\": false,\n\"TimeLineEvents\": [\n{\n\"Command\": \"cd %homedrive%%homepath%\\\\Downloads\",\n\"CommandArgs\": [\n\"powershell expand-archive -Path italian_breakfast.zip -destinationpath x\",\n\"cd x\",\n\"dir\"\n],\n\"TrackableId\": \"<guid id from trackables table/>\",\n\"DelayAfter\": 10,\n\"DelayBefore\": 10000\n}\n]\n}\n]\n}\n
"},{"location":"core/client/#troubleshooting","title":"Troubleshooting","text":"

Clients aren't running (immediately exiting, throwing copious exceptions, or similar)

  • Is the dotnet framework runtime 4.x installed on the machine?
  • If GPO is doing white-listing of what apps can run, is ghosts.exe white-listed?
  • Will the client run by simply double-clicking on the exe?
  • Does it report anything to the windows application event logs?
  • What's in logs/app.log?
  • Is the ghosts executable set to execute automatically when the machine restarts?

Clients aren't reporting their activity to the API

  • Is the client running correctly? (if not, see above)
  • Is there entries in the logs/clientupdates.log?
  • If there are, is the file too large? (Try removing it, ghosts might be hung trying to process a lot of log data)
  • If the folder instance created? Does the file instance/id.json exist? (If it does and has an ID within, then ghosts has reported home to the api at least once)
  • The file logs/app.log indicating any fatal issues? (Logging can be ratcheted up and down via nlog configuration)

Can I update what clients are doing?

  • Clients operate off their config/timeline.json file and this can be updated via Powershell, Ansible, or other means - it's just a file.
  • Clients can also do just-in-time activities via the instance/timeline/in folder. Anything placed here will be picked up, executed, and moved to the corresponding out folder once complete. This does not affect any activity currently controlled with the default timeline file.

Can I reset a client on a box?

  • Yes, launching a new instance of Ghosts kills the previous one and all associated tasks from the timeline (any instances of Word, PowerShell, etc.). Only one instance of Ghosts will be running on a client box at any time. We can also run the .bat script kill-ghosts.bat included in the distribution to clean everything up.

What is the easiest way to determine the running version of the client?

  • run the version flag: ghosts.exe --version
"},{"location":"core/handlers/","title":"Basic Handler Configuration","text":"

The following is the format for a basic timeline handler:

\"TimeLineHandlers\": [\n{\n\"HandlerType\": \"Watcher\",\n\"UtcTimeOn\": \"00:00:00\",\n\"UtcTimeOff\": \"24:00:00\",\n\"Loop\": true,\n\"TimeLineEvents\": [\n{\n\"Command\": \"folder\",\n\"CommandArgs\": [ \"path:%HOMEDRIVE%%HOMEPATH%\\\\Downloads\", \"size:2000\", \"deletionApproach:oldest\" ],\n\"DelayAfter\": 0,\n\"DelayBefore\": 0\n}\n]\n}\n]\n

Some of the key-value pairs are self-explanatory, but let's review a few important ones:

Key Value HandlerType The application or major function we want to control. This could be FireFox, the Cmd terminal, or Word. UtcTimeOn The time the handler will begin to run. To simulate an agent coming into the office at 0900, we set this to your time zone's UTC value. UtcTimeOff The time the handler will stop. To simulate an agent leaving the office at 1700, we set this to your time zone's UTC value. Loop true or false - a handler could be repeated or just run one-time."},{"location":"core/api/timelines/","title":"Managing Timelines","text":"

One of the primary capabilities of the API is to manage multiple client timelines. Timelines are the mechanism for clients to perform actions on behalf of a user. For example, a client might execute a timeline to browse a website, create a document, or other Handler activities.

Clients are configured to check in periodically with the API to report their current state and to check if any updates are available. We can have the API hold an update for the next time a client, group of clients, or all clients check in. That update will then be processed by the client and the client will report back to the API that the update has been processed. This allows the API to manage the state of the client and to ensure that the client is always up to date. So the process is:

  1. We configure an update for a client or group of clients in the API.
  2. Clients check in and are told that an update is available.
  3. The client processes the update and reports back to the API that the update has been processed.
"},{"location":"core/api/timelines/#configuring-a-timeline-for-a-client","title":"Configuring a Timeline for a Client","text":"

Client timelines are updated via POST to /api/timelines in the following format:

{\n\"machineId\": \"3fa85f64-5717-4562-b3fc-2c963f66afaf\",\n\"type\": 0,\n\"activeUtc\": \"2023-03-08T16:38:04.002Z\",\n\"status\": 0,\n\"update\": {\n\"status\": 0,\n\"timeLineHandlers\": [\n{\n\"handlerType\": 0,\n\"initial\": \"string\",\n\"utcTimeOn\": {\n\"ticks\": 0\n},\n\"utcTimeOff\": {\n\"ticks\": 0\n},\n\"handlerArgs\": {\n\"additionalProp1\": \"string\",\n\"additionalProp2\": \"string\",\n\"additionalProp3\": \"string\"\n},\n\"loop\": true,\n\"timeLineEvents\": [\n{\n\"trackableId\": \"string\",\n\"command\": \"string\",\n\"commandArgs\": [\n\"string\"\n],\n\"delayAfter\": 0,\n\"delayBefore\": 0\n}\n]\n}\n]\n}\n}\n

The key values to consider here are: The machine ID that you want to update, the other key value is the type of timeline. The type is an integer value that represents the type of update. The following are the types of updates that are currently supported:

  • Timeline = 0 // this
  • Health = 1
  • TimelinePartial = 10 // this the agent is currently doing off its default timeline
  • RequestForTimeline = 20
ID Type Description 0 Timeline Replaces the client's default timeline stored within ./config/timeline.json 1 Health This updates a client's health instructions 10 TimelinePartial Does not replace the default timeline, rather this timeline is executed immediately on separate threads from whatever 20 RequestForTimeline Use this to instruct the client to send its current default timeline up to the API

The remainder of the settings are for the timeline - basically what we are doing here is sending a client a new timeline, with the above values to indicate, which machine and what to change in the update node.

"},{"location":"core/handlers/browser/","title":"Web Browser (Firefox|Chrome) Configuration","text":"

A sample timeline for each browser is available in a code repository directory of the same name.

"},{"location":"core/handlers/browser/#timeline-url-variables","title":"Timeline URL Variables","text":"

An example of a URL using variables is: 

http://craigslist.org/{org}/{group}/{uuid}/{verb}/{type}/{n}?{c}={now}\n

All variables are in the format {variable}. There are several standard variables:

  • {now} = short datetime (mm/dd/yyyy format)
  • {uuid} = uuid
  • {c} = a single character from a-z and A-Z
  • {n} = number between 1 and 1000

We can also configure additional variables by adding the following to a browser handler in a timeline:

\"url-replace\": [\n{\"verb\": [\"order\", \"enable\", \"engage\"]},\n{\"group\": [\"operations\", \"logistics\", \"medical\"]},\n{\"org\": [\"army\", \"command\", \"brigade\", \"battalion\"]},\n{\"type\": [\"document\", \"doc\", \"files\", \"vault\", \"filevault\"]}\n]\n

Therefore:

https://www.cmu.edu/{org}/{group}/{verb}/{type}/{uuid}/version_{n}?{c}={now}\n

might be rendered as:

https://www.cmu.edu/command/operations/order/doc/bcc396b5-47d0-4665-93c8-0a314cec13e1/version_55?d=6/21/2022\n
"},{"location":"core/handlers/excel/","title":"Excel Configuration","text":""},{"location":"core/handlers/powerpoint/","title":"PowerPoint Configuration","text":""},{"location":"core/handlers/word/","title":"Word Configuration","text":""},{"location":"spectre/","title":"GHOSTS SPECTRE Overview","text":"GHOSTS SPECTRE Source Code

The GHOSTS SPECTRE Source Code Repository is hosted on GitHub

SPECTRE is our attempt to reduce that agent browsing patterns appear as \"computer random\".1 This module modifies user web browser timelines so that they more closely match that agent's preferences over time. We expect this simple model of ML to be used for other types of agent activity in the future.

Agent browsing patterns are no longer random and match different types of users on a network. These patterns improve over time.

Also, this simple model of ML can now be used for other types of agent activity. This makes for an exciting future on the GHOSTS platform.

Using Machine Learning to Increase NPC Fidelity with Dynamic Preferences Used in Forward-Looking Decisions

As GHOSTS agents make more informed, and hopefully, more complex decisions, there is a need for each agent to have a system of preferences existing at the time the agent is created, and for an ability to update those preferences over time as the agent continues to make decisions and measure the outcome of those decisions afterwards.

SPECTRE provides GHOSTS enables agents to make preferenced decisions and to use the outcome of those decisions to learn and evaluate future choices more intelligently.

"},{"location":"spectre/#how-it-works","title":"How it works","text":"

SPECTRE currently has two components:

"},{"location":"spectre/#preference-engine","title":"Preference Engine","text":"
  1. An administrator creates the types of personas they wish to have GHOSTS agents represent
  2. GHOSTS agents report in their browser history to the GHOSTS C2 API
  3. If the agent has no persona, SPECTRE assigns one at random
  4. The persona assignment randomly creates different preferences for the agent based on persona settings (not unlike character creation in D&D)
  5. Preferences are a preference and its numeric value (-100 to 100) which roughly represents how much an agent likes or dislikes something
  6. Preferences can be any key:value pair, such as: \"sports\":50 \"kali\":35 \"127.0.0.1\":77
  7. Preferences of 0 mean that the agent is indifferent (or has no preference)
  8. All preference history is stored so that in the (near) future we can track an agent's preferences over time
  9. It is assumed that high negative preferences would have agents avoiding those values (e.g. for \"onions\":-100 one would assume an agent is avoiding eating onions at all costs.)
"},{"location":"spectre/#machine-learning","title":"Machine Learning","text":"

The incoming GHOSTS agent browsing activity can be attenuated to individual agent preferences after they are assigned some number of preferences based on default persona profiles. SPECTRE will aggregate this information periodically and perform model training and testing against that browsing activity, and recommend new browsing patterns for that agent to execute. This creates a new activity timeline for the agent. This cycle is referred to as a \"Test\". After any given test, that information would be used to inform the next round of ML testing to be done.

"},{"location":"spectre/#installation","title":"Installation","text":"

SPECTRE installs alongside an existing GHOSTS installation as a separate docker container. With a few configuration changes, you should be up and running in minimal time.

There are only two configuration settings, both contained within appsettings.json:

\"DefaultConnection\": \"Host=localhost;Port=5432;Database=preferences;User Id=ghosts;Password=scotty@1;Pooling=true;Command Timeout=9900\",\n\"GhostsApiUrl\": \"http://localhost:5000\"\n

The first setting is for your connection to a necessary Postgres database, which SPECTRE will use for its operations. It is fine to host this on the same machine or container that you might be using for GHOSTS itself. In this case, either use the same user as GHOSTS or create a new user for SPECTRE.

The second setting is for SPECTRE to access the GHOSTS API endpoints. This is used to get information about machines and to update their timelines, based on SPECTRE findings and executions.

"},{"location":"spectre/#quick-start","title":"Quick Start","text":"

Spectre is rather like an add-on -- it sits alongside the core API and uses that system to get its initial agent information, process their timelines, and then post updated timelines back to the API for dissemination to the clients.

  • There is one setting in the spectre appsettings.json file that may need updating based on the install - it is how Spectre will connect to the GHOSTS Core API: \"GhostsApiUrl\": \"http://host.docker.internal:52388\" \u2014\u00a0update this to your core API host and port.
  • Now go to Spectre's host:port/swagger to bring up the API.
  • GET /Agents will show you what you have under SPECTRE control - at the start, it is likely no agents. We need to sync with core GHOSTS Core API to get its agents into SPECTRE.
  • So, we need to run POST /Agents/sync once to pull the agents in the core API over to SPECTRE.
  • Now Spectre's GET /Agents will show you the same agents from ghosts Core API.
  • You can now run a browse recommendations job.

  1. This work is detailed in the technical report Using Machine Learning to Increase NPC Fidelity. Some of the team also discussed this project in an SEI podcast episode, entitled ML-Driven Decision-Making in Realistic Cyber Exercises.\u00a0\u21a9

"}]} \ No newline at end of file diff --git a/sitemap.xml b/sitemap.xml new file mode 100644 index 00000000..0f8724ef --- /dev/null +++ b/sitemap.xml @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/sitemap.xml.gz b/sitemap.xml.gz new file mode 100644 index 00000000..0313cdfd Binary files /dev/null and b/sitemap.xml.gz differ diff --git a/spectre/index.html b/spectre/index.html new file mode 100644 index 00000000..9a99e54c --- /dev/null +++ b/spectre/index.html @@ -0,0 +1,1477 @@ + + + + + + + + + + + + + + + + + + + + + + Spectre - GHOSTS Documentation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + +
+ + + + + + + +
+ +
+ + + + +
+
+ + + +
+
+
+ + + + + + + + +
+
+
+ + + + +
+
+ + + + +

GHOSTS SPECTRE Overview

+
+GHOSTS SPECTRE Source Code +

The GHOSTS SPECTRE Source Code Repository is hosted on GitHub

+
+

SPECTRE is our attempt to reduce that agent browsing patterns appear as "computer random".1 This module modifies user web browser timelines so that they more closely match that agent's preferences over time. We expect this simple model of ML to be used for other types of agent activity in the future.

+

Agent browsing patterns are no longer random and match different types of users on a network. These patterns improve over time.

+

Also, this simple model of ML can now be used for other types of agent activity. This makes for an exciting future on the GHOSTS platform.

+

Using Machine Learning to Increase NPC Fidelity with Dynamic Preferences Used in Forward-Looking Decisions

+

As GHOSTS agents make more informed, and hopefully, more complex decisions, there is a need for each agent to have a system of preferences existing at the time the agent is created, and for an ability to update those preferences over time as the agent continues to make decisions and measure the outcome of those decisions afterwards.

+

SPECTRE provides GHOSTS enables agents to make preferenced decisions and to use the outcome of those decisions to learn and evaluate future choices more intelligently.

+

How it works

+

SPECTRE currently has two components:

+

Preference Engine

+
    +
  1. An administrator creates the types of personas they wish to have GHOSTS agents represent
    2. +
  2. GHOSTS agents report in their browser history to the GHOSTS C2 API
    3. +
  3. If the agent has no persona, SPECTRE assigns one at random
    4. +
  4. The persona assignment randomly creates different preferences for the agent based on persona settings (not unlike character creation in D&D)
    5. +
  5. Preferences are a preference and its numeric value (-100 to 100) which roughly represents how much an agent likes or dislikes something
    6. +
  6. Preferences can be any key:value pair, such as: + "sports":50 + "kali":35 + "127.0.0.1":77
    7. +
  7. Preferences of 0 mean that the agent is indifferent (or has no preference)
    8. +
  8. All preference history is stored so that in the (near) future we can track an agent's preferences over time
    9. +
  9. It is assumed that high negative preferences would have agents avoiding those values (e.g. for "onions":-100 one would assume an agent is avoiding eating onions at all costs.)
    10. +
+

Machine Learning

+

The incoming GHOSTS agent browsing activity can be attenuated to individual agent preferences after they are assigned some number of preferences based on default persona profiles. SPECTRE will aggregate this information periodically and perform model training and testing against that browsing activity, and recommend new browsing patterns for that agent to execute. This creates a new activity timeline for the agent. This cycle is referred to as a "Test". After any given test, that information would be used to inform the next round of ML testing to be done.

+

Installation

+

SPECTRE installs alongside an existing GHOSTS installation as a separate docker container. With a few configuration changes, you should be up and running in minimal time.

+

There are only two configuration settings, both contained within appsettings.json:

+
"DefaultConnection": "Host=localhost;Port=5432;Database=preferences;User Id=ghosts;Password=scotty@1;Pooling=true;Command Timeout=9900",
+"GhostsApiUrl": "http://localhost:5000"
+
+

The first setting is for your connection to a necessary Postgres database, which SPECTRE will use for its operations. It is fine to host this on the same machine or container that you might be using for GHOSTS itself. In this case, either use the same user as GHOSTS or create a new user for SPECTRE.

+

The second setting is for SPECTRE to access the GHOSTS API endpoints. This is used to get information about machines and to update their timelines, based on SPECTRE findings and executions.

+

Quick Start

+

Spectre is rather like an add-on -- it sits alongside the core API and uses that system to get its initial agent information, process their timelines, and then post updated timelines back to the API for dissemination to the clients.

+
    +
  • There is one setting in the spectre appsettings.json file that may need updating based on the install - it is how Spectre will connect to the GHOSTS Core API: "GhostsApiUrl": "http://host.docker.internal:52388" — update this to your core API host and port.
    • +
  • Now go to Spectre's host:port/swagger to bring up the API.
    • +
  • GET /Agents will show you what you have under SPECTRE control - at the start, it is likely no agents. We need to sync with core GHOSTS Core API to get its agents into SPECTRE.
    • +
  • So, we need to run POST /Agents/sync once to pull the agents in the core API over to SPECTRE.
    • +
  • Now Spectre's GET /Agents will show you the same agents from ghosts Core API.
    • +
  • You can now run a browse recommendations job.
    • +
+
+
+
    +
  1. +

    This work is detailed in the technical report Using Machine Learning to Increase NPC Fidelity. Some of the team also discussed this project in an SEI podcast episode, entitled ML-Driven Decision-Making in Realistic Cyber Exercises

    +
    2. +
+
+ + + + + + + + +
+
+ + +
+ +
+ + + +
+
+
+
+ + + + + + + + + \ No newline at end of file diff --git a/stylesheets/extra.css b/stylesheets/extra.css new file mode 100644 index 00000000..34d19a1f --- /dev/null +++ b/stylesheets/extra.css @@ -0,0 +1,3 @@ +:root > * { --md-primary-fg-color: green; } +img[alt="Crucible Logo"] {width:4.5%; float:left; margin-right:7px; } +img[alt="Animator Logo"] {width: 4.5%; } \ No newline at end of file