Differentiating Ghosts From Real Users

[Lachrymosa]

Hello, I am trying to figure out if there is an established process to differentiate ghost generated activity from a real user. I am currently using logstash agent to collect sysmon logs. If an established process is not developed for this, what would you recommend as a best attempt? Really enjoying your project regardless!

[zveltri]

Lachrymosa,

How exactly are you using logstash to collect the data from GHOSTS? We have been contemplating different options. Are you simply installing the program on your API server as well?

[sei-dupdyke]

Hey sorry, I've been taking some PTO and just saw this.

On the host, process traces will show orig from ghosts, but I assume you want network traffic?

On the one hand, the goal is for you to NOT be able to differentiate that traffic. But I did reach out to some contacts here to get a better answer. Pls stand by for a bit until I compile those.

[Lachrymosa]

To clarify better, we're using ghosts within a redteam range. In order to better observe the actual actions of the participating redteams though we were trying to figure out some way to automatically filter out Ghosts generated processes, on host and network. Our current course of action is to have the timeline files given to our observers so that they can look at interesting activity and then cross-reference if it was likely a Ghost or not. If possible, being able to auto-magically filter out such logs by tagging them on ingest would be perfect. As you've stated, the goal is to NOT be able to just tell.