GHOST work with Open Office #84
-
Hi, I have looked at this in the past, and just took a look again this morning, and here is the continuing issue as I see it (I could be wrong, I am not an expert in OpenOffice (OO))... All of the solutions for automating OO—that I can find—are focused on the document format and not on automating activity within the application itself. I suppose that's fine if all we want to see are documents being created, changed, etc—but, thinking about the MSFT Office suite, there is related telemetry that is generating network activity, and we would see processes related to winword.exe, etc. running on the host. The solutions I've found with MSFT Office allow me to hook directly into those applications and open files, change text and formatting, save the file, and export PDFs directly.

In order to try to get around this, I could launch the OO application and let it sit there, and then create and modify files underneath directly from GHOSTS, but you'd see that GHOSTS is doing the work with a utility such as procmon or similar, and I suspect it would show up in host-based tools like Tanium, Tychon, Splunk, and the like, which would not be realistic for defending blue teams. For the Office docs, it looks like the Office apps are directly modifying those files from the defender view (as they'd expect).

"Light Handlers" already exist in GHOSTS, and they do exactly as above, generating and modifying Office files without having to have Office actually installed on the host, but since they also have the problem outlined above, no one seems to use them either. I'll keep looking at this as I have time. The OO SDK docs are pretty vast, maybe there is another way. But for now, this is a good request, I'm just not sure how to solve it—sorry.
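The attribution problem described in the comment above, as an added example that is not part of the thread or of the GHOSTS code base: it reads events in Procmon's default CSV export layout and reports document writes made by a process other than the expected editor. The sample events are constructed, and the `ghosts.exe` process name and the extension-to-editor map are assumptions.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample events in Procmon's default CSV column layout (not real telemetry).
# "ghosts.exe" as the simulation client's process name is an assumption.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:01:02.1","WINWORD.EXE","4120","WriteFile","C:\Users\amy\Documents\report.docx","SUCCESS","Length: 4096"
"09:01:07.4","soffice.bin","5288","WriteFile","C:\Users\amy\Documents\notes.odt","SUCCESS","Length: 2048"
"09:02:11.9","ghosts.exe","3004","WriteFile","C:\Users\amy\Documents\budget.xlsx","SUCCESS","Length: 8192"
"09:02:15.3","ghosts.exe","3004","WriteFile","C:\Users\amy\Documents\memo.odt","SUCCESS","Length: 1024"
"09:02:16.0","ghosts.exe","3004","ReadFile","C:\Users\amy\Documents\memo.odt","SUCCESS","Length: 1024"
"09:02:20.8","ghosts.exe","3004","WriteFile","C:\ghosts\logs\app.log","SUCCESS","Length: 120"
'''

# Assumed map: document extension -> processes a defender expects to write that type.
EXPECTED_WRITERS = {
    ".docx": {"winword.exe"},
    ".xlsx": {"excel.exe"},
    ".odt": {"soffice.bin"},
}


def unexpected_document_writers(procmon_csv):
    """Return {path: [process names]} for document writes not made by the expected editor."""
    findings = defaultdict(set)
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        # Only successful writes matter for "who modified this document".
        if row["Operation"] != "WriteFile" or row["Result"] != "SUCCESS":
            continue
        path = row["Path"].lower()
        expected = EXPECTED_WRITERS.get(ntpath.splitext(path)[1])
        if expected is None:
            continue  # not a tracked document type (e.g. a log file)
        process = row["Process Name"].lower()
        if process not in expected:
            findings[path].add(process)
    return {path: sorted(names) for path, names in findings.items()}


if __name__ == "__main__":
    for path, names in unexpected_document_writers(SAMPLE).items():
        print(f"{path}: written by {', '.join(names)}")
```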
-
After battling with MS Licensing across 20+ hosts, I think the Light Handlers are just what I need for my simulation.
-
Greetings
The Ghost Framework is very powerful and I am in the process of implementing it within my organization as the go-to 'smart-traffic generator' to make our training more realistic. I'm still mastering how everything works, but many of the VMs in our environment do not have Microsoft Office ($$$). Is there any way to incorporate the use of Open Office or any open source, free office-like suite with Ghosts in the future for those... frugal... cyber defenders like myself?