
GhostShellGarden

shells!

Install / Use

/learn @0xBruno/GhostShellGarden
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

GhostShellGarden

Introducing GhostShell Garden: a multi-runtime research anthology demonstrating in-memory credential harvesting against running web servers. Inspired by UNC5221's BRICKSTORM implant (reported by Google TIG), which performed in-memory credential interception on vCenter with no on-disk artifacts.

The premise: post-exploitation, assumed breach. Target a running web server process and harvest credentials from the middleware pipeline without touching the app.

Three entries. Same attack. Different runtimes:

  1. GhostFilter: Java/Tomcat. JVM Attach API → loadAgent() → JVMTI bytecode rewrite of WsFilter.doFilter()

  2. GhostLayer: Node.js/Express. SIGUSR1 → V8 inspector → CDP Runtime.evaluate → Layer.prototype.handle_request patch

  3. GhostTrace: Python/Flask. No runtime attach API forces OS layer: gdb + ptrace → PyRun_SimpleString → sys.settrace on full_dispatch_request

No restarts. No files written to disk. In-memory only.

Prior art exists on individual primitives (Synacktiv's Java agent post-exploitation, evilsocket's jscythe). This is the first comparative cross-runtime treatment of the technique with working labs, YARA detection rules, and Docker environments.


GitHub Stars: 11
Category: Development
Updated: 25d ago
Forks: 1

Languages

YARA

Security Score

70/100

Audited on Mar 3, 2026

No findings