Introducing GhostShell Garden: a multi-runtime research anthology demonstrating in-memory credential harvesting against running web servers. It is inspired by the BRICKSTORM implant attributed to UNC5221 by Google TIG, which intercepted credentials in memory on vCenter and left no on-disk artifacts.
The premise: post-exploitation, assumed breach. Target a running web server process and harvest credentials from the middleware pipeline without touching the app.
Three entries. Same attack. Different runtimes:
- GhostFilter: Java/Tomcat. JVM Attach API → loadAgent() → JVMTI bytecode rewrite of WsFilter.doFilter()
- GhostLayer: Node.js/Express. SIGUSR1 → V8 inspector → CDP Runtime.evaluate → Layer.prototype.handle_request patch
- GhostTrace: Python/Flask. There is no runtime attach API, so the entry point drops to the OS layer: gdb + ptrace → PyRun_SimpleString → sys.settrace on full_dispatch_request
No restarts. No files written to disk. In-memory only.
Prior art exists on individual primitives (Synacktiv's Java agent post-exploitation, evilsocket's jscythe). This is the first comparative cross-runtime treatment of the technique with working labs, YARA detection rules, and Docker environments.
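As a defender-side complement to the three attach primitives listed above, here is a Linux /proc triage that flags the host-visible side effect of each one (an added example, not GhostShell Garden code). It assumes Linux, a Node inspector on its default 127.0.0.1:9229, and java.io.tmpdir set to /tmp; the sample inputs are constructed.

```python
"""Triage for the attach primitives above: JVM Attach API, Node inspector via
SIGUSR1, ptrace. Added example; assumes Linux /proc. Samples are constructed."""
import os
import re

def parse_proc_net_tcp(text):
    """Return {(ip, port)} of LISTEN sockets (state 0A) from /proc/<pid>/net/tcp.
    Addresses are little-endian hex: 0100007F:240D is 127.0.0.1:9229."""
    listeners = set()
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 4 or parts[3] != "0A":
            continue
        hexip, hexport = parts[1].split(":")
        ip = ".".join(str(int(hexip[i:i + 2], 16)) for i in (6, 4, 2, 0))
        listeners.add((ip, int(hexport, 16)))
    return listeners

def tracer_pid(status_text):
    """TracerPid from /proc/<pid>/status: non-zero while a tracer (gdb) is attached."""
    m = re.search(r"^TracerPid:\s+(\d+)", status_text, re.M)
    return int(m.group(1)) if m else 0

def java_attach_socket_present(pid, tmpdir="/tmp"):
    """HotSpot's attach listener leaves a unix socket <java.io.tmpdir>/.java_pid<pid>."""
    return os.path.exists(os.path.join(tmpdir, f".java_pid{pid}"))

def triage(pid, comm, net_tcp_text, status_text, tmpdir="/tmp"):
    """Indicator strings for one process; comm is the value of /proc/<pid>/comm."""
    findings = []
    if comm == "node" and ("127.0.0.1", 9229) in parse_proc_net_tcp(net_tcp_text):
        findings.append("node inspector listening on 127.0.0.1:9229")
    tp = tracer_pid(status_text)
    if tp:
        findings.append(f"ptrace attached (TracerPid={tp})")
    if comm == "java" and java_attach_socket_present(pid, tmpdir):
        findings.append(f"JVM attach socket .java_pid{pid} present")
    return findings

# Constructed sample: a node process whose inspector was activated by SIGUSR1.
SAMPLE_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid\n"
    "   0: 0100007F:240D 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000\n"
    "   1: 00000000:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000\n"
)
SAMPLE_STATUS = "Name:\tnode\nTracerPid:\t0\n"

if __name__ == "__main__":
    print(triage(4242, "node", SAMPLE_NET_TCP, SAMPLE_STATUS, tmpdir="/nonexistent"))
```

For a live process, feed it the contents of /proc/<pid>/comm, /proc/<pid>/net/tcp (the per-process view, which is the one that matters inside a Docker network namespace) and /proc/<pid>/status. TracerPid is only non-zero while the debugger is attached, so the ptrace check is a point-in-time signal and auditing the ptrace syscall is what covers the gap.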
