GHOSTS is a realistic user simulation framework for cyber experimentation, training, and exercises, enabling the creation of lifelike non-player characters (NPCs) on Windows and Linux machines. It allows for the simulation of common user activities like document creation, web browsing, and email, enhancing the realism of cyber scenarios for administrators and adversaries alike.

How It Works

GHOSTS operates through a client-server architecture. Clients, installed on target machines, execute configurable tasks simulating user behavior. The API Server manages these clients, orchestrates new tasks, and collects activity data. Version 8.0 transitioned from MongoDB to PostgreSQL and adopted WebSockets for persistent client connections, eliminating polling and enabling real-time activity execution. The integration of ANIMATOR and SPECTRE modules simplifies management and enhances agent capabilities.

Quick Start & Requirements

• Installation: Primarily via docker-compose. Refer to the Installation from distribution binaries guide.
• Prerequisites: Docker and Docker Compose. PostgreSQL is used as the backend database.
• Resources: Version 8.2 introduces GHOSTS LITE, a lightweight client for minimal hardware.
• Documentation: GHOSTS Documentation

Highlighted Details

• Version 8.2 includes a new UI for managing machines, groups, and timelines.
• GHOSTS Shadows now integrates with Large Language Models (LLMs) for enhanced agent activities and interactions.
• GHOSTS LITE offers a resource-efficient version for training and exercises.
• The framework supports both Windows and Linux clients.

Maintenance & Community

• Developed by Carnegie Mellon University's Software Engineering Institute (SEI).
• Issues and feature requests can be submitted via GitHub.
• YouTube demonstration video available.

Licensing & Compatibility

• License: Distribution Statement A (Approved for public release and unlimited distribution). Copyright 2017 Carnegie Mellon University. All Rights Reserved. See LICENSE.md for terms.
• Compatibility: Suitable for public release and unlimited distribution.

Limitations & Caveats

Version 8.0 introduced breaking changes, requiring a fresh install for users migrating from previous versions. Configuration, database, and API endpoints were modified.