# GingerMaster
Next-Generation Autonomous Threat Hunting Engine - EDR with ML-inspired behavioral analysis, MITRE ATT&CK mapping, C2 beaconing detection
## GingerMaster ULTRA

Next-Generation Autonomous Threat Hunting Engine v5.0

```text
██████╗ ██╗███╗ ██╗ ██████╗ ███████╗██████╗ ███╗ ███╗ █████╗ ███████╗████████╗███████╗██████╗
██╔════╝ ██║████╗ ██║██╔════╝ ██╔════╝██╔══██╗████╗ ████║██╔══██╗██╔════╝╚══██╔══╝██╔════╝██╔══██╗
██║ ███╗██║██╔██╗ ██║██║ ███╗█████╗ ██████╔╝██╔████╔██║███████║███████╗ ██║ █████╗ ██████╔╝
██║ ██║██║██║╚██╗██║██║ ██║██╔══╝ ██╔══██╗██║╚██╔╝██║██╔══██║╚════██║ ██║ ██╔══╝ ██╔══██╗
╚██████╔╝██║██║ ╚████║╚██████╔╝███████╗██║ ██║██║ ╚═╝ ██║██║ ██║███████║ ██║ ███████╗██║ ██║
╚═════╝ ╚═╝╚═╝ ╚═══╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝ ╚═╝ ╚══════�╝╚═╝ ╚═╝
██╗ ██╗██╗ ████████╗██████╗ █████╗
██║ ██║██║ ╚══██╔══╝██╔══██╗██╔══██╗
██║ ██║██║ ██║ ██████╔╝███████║
██║ ██║██║ ██║ ██╔══██╗██╔══██║
╚██████╔╝███████╗██║ ██║ ██║██║ ██║
╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝
```
An advanced, multi-platform endpoint detection and response (EDR) tool with ML-inspired behavioral analysis, MITRE ATT&CK mapping, and autonomous threat hunting capabilities.
## Features

| Module | Description | Detects |
|--------|-------------|---------|
| ThreatIntelligence | Real-time IOC feed integration | Known C2, Tor nodes, malicious IPs/domains |
| BehavioralAnalyzer | ML-inspired behavior profiling | CPU/RAM/Network anomalies |
| BeaconDetector | C2 beacon pattern detection | Cobalt Strike, Sliver, Brute Ratel patterns |
| DNSExfiltrationDetector | DNS tunneling detection | Base64/Hex subdomains, DGA domains |
| FilelessMalwareDetector | Fileless attack detection | PowerShell cradles, AMSI bypass |
| ProcessInjectionDetector | Injection technique detection | Process hollowing, shellcode patterns |
| PersistenceDetector | Persistence mechanism detection | Registry, LaunchAgents, cron, systemd |
| ForensicsCollector | Automatic evidence collection | SQLite DB, JSON reporting |
## MITRE ATT&CK Coverage

- Execution: T1059.001 (PowerShell), T1059.003 (Cmd), T1106 (Native API)
- Persistence: T1547.001 (Registry Run Keys), T1053.005 (Scheduled Task)
- Privilege Escalation: T1055 (Process Injection), T1055.012 (Process Hollowing)
- Defense Evasion: T1562.001 (Disable Security Tools), T1027 (Obfuscation)
- Credential Access: T1003 (Credential Dumping)
- Discovery: T1082 (System Info), T1057 (Process Discovery)
- C2: T1071.001 (Web Protocols), T1071.004 (DNS), T1571 (Non-Standard Port)
- Exfiltration: T1041 (Exfil Over C2), T1048 (Alternative Protocol)
## Installation

```bash
# Clone the repository
git clone https://github.com/zencefilefendi/GingerMaster.git
cd GingerMaster

# Install dependencies
pip install -r requirements.txt

# Run
python3 GingerMaster_Ultra.py
```
## Usage

```bash
# Basic usage
python3 GingerMaster_Ultra.py

# Verbose mode with custom scan interval
python3 GingerMaster_Ultra.py -v -i 3

# Full network scanning (requires root/sudo)
sudo python3 GingerMaster_Ultra.py

# Custom forensics output directory
python3 GingerMaster_Ultra.py -o /path/to/forensics
```
## Command Line Options

| Option | Description |
|--------|-------------|
| -h, --help | Show help message |
| -v, --verbose | Enable verbose output |
| -i, --interval | Scan interval in seconds (default: 5) |
| -o, --output | Custom output directory for forensics |
## Sample Output

```text
╔══════════════════════════════════════════════════════════════╗
║ [14:32:15] CRITICAL: C2_BEACON [T1071_001]                   ║
╟──────────────────────────────────────────────────────────────╢
║ C2 beaconing detected: chrome.exe → 185.220.101.1:443        ║
╟──────────────────────────────────────────────────────────────╢
║ avg_interval: 60.2                                           ║
║ jitter_percent: 12.5                                         ║
║ confidence: 0.92                                             ║
╟──────────────────────────────────────────────────────────────╢
║ Score: 0.92 | Source: BeaconDetector                         ║
╚══════════════════════════════════════════════════════════════╝
```
## Forensics & Reporting

All detected threats are automatically logged to a SQLite database:

```bash
# Database location
~/GingerMaster_Forensics/threats.db

# Export JSON report
python3 -c "
from GingerMaster_Ultra import GingerMasterUltra
hunter = GingerMasterUltra()
report = hunter.forensics.export_report()
print(f'Report saved: {report}')
"
```
## Platform Support

| Platform | Status | Notes |
|----------|--------|-------|
| Windows | Full | All features supported |
| macOS | Full | Requires sudo for network monitoring |
| Linux | Full | Requires sudo for network monitoring |
## Detection Modules

### 1. Suspicious Process Spawn Detection

Monitors parent-child process relationships to detect LOLBin (Living-off-the-Land Binary) abuse.

### 2. C2 Connection Detection

Identifies connections to known malicious IPs and to suspicious ports commonly used by C2 frameworks.

### 3. Beacon Pattern Detection

Uses statistical analysis of callback intervals, including jitter calculation, to detect the regular check-in patterns typical of C2 beaconing.

### 4. DNS Exfiltration Detection

Identifies data exfiltration attempts over DNS queries, including Base64-encoded subdomains and DGA-style domain names.

### 5. Fileless Malware Detection

Analyzes PowerShell command lines for suspicious patterns, including:

- Base64 decoding
- Reflection loading
- P/Invoke calls
- AMSI bypass attempts
- Credential theft tools

### 6. Process Injection Detection

Detects various injection techniques:

- Process hollowing
- DLL injection
- Shellcode patterns in memory

### 7. Persistence Detection

Monitors common persistence locations:

- Windows: Registry run keys, scheduled tasks, services
- macOS: LaunchAgents, LaunchDaemons, login items
- Linux: cron, systemd, init scripts
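The beacon statistics that module 3 and the sample output above refer to (average interval, jitter percentage, confidence) can be derived from nothing more than per-destination connection timestamps. The following is an added example written for this README, not GingerMaster's own `BeaconDetector`; the connection events, the linear jitter-to-confidence mapping and the thresholds are constructed assumptions.

```python
"""Beacon-interval analysis in the spirit of module 3 (added example, not
GingerMaster's own BeaconDetector). All connection events are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log: (seconds, process, destination "ip:port").
# chrome.exe calls out roughly every 60 s with ~10 % jitter; firefox.exe is bursty browsing.
EVENTS = [(t, "chrome.exe", "203.0.113.7:443") for t in (0, 60, 114, 180, 237, 300, 360)]
EVENTS += [(t, "firefox.exe", "198.51.100.9:443") for t in (0, 1, 3, 40, 41, 200, 201)]


def beacon_stats(timestamps, min_samples=6):
    """Return avg_interval / jitter_percent / confidence for one (process, destination)
    pair, or None when there are fewer than min_samples intervals to judge."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    if len(intervals) < min_samples:
        return None
    avg = mean(intervals)
    if avg <= 0:
        return None
    jitter = pstdev(intervals) / avg * 100.0        # relative spread of the intervals
    # Assumed scoring: perfectly regular -> 1.0, 50 % jitter or more -> 0.0
    confidence = max(0.0, 1.0 - jitter / 50.0)
    return {"avg_interval": round(avg, 1),
            "jitter_percent": round(jitter, 1),
            "confidence": round(confidence, 2)}


def find_beacons(events, threshold=0.7, min_interval=5.0):
    """Group events by (process, destination) and return the pairs whose callback
    timing looks like beaconing. min_interval drops ordinary short-lived bursts."""
    by_pair = defaultdict(list)
    for ts, proc, dst in events:
        by_pair[(proc, dst)].append(ts)
    hits = {}
    for pair, timestamps in by_pair.items():
        stats = beacon_stats(timestamps)
        if stats and stats["confidence"] >= threshold and stats["avg_interval"] >= min_interval:
            hits[pair] = stats
    return hits


if __name__ == "__main__":
    for (proc, dst), s in find_beacons(EVENTS).items():
        print(f"C2 beaconing suspected: {proc} -> {dst} {s}")
```

Real implants add jitter deliberately, so a detector that only keys on a fixed interval will miss them; the relative jitter figure above is what lets the regularity still be scored.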
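Module 4 names three signals for DNS tunnelling: Base64-encoded subdomains, hex subdomains and DGA-style names. The heuristics below are an added example for this README, not GingerMaster's `DNSExfiltrationDetector`; the entropy and length thresholds, the two-label registrable-domain shortcut and the sample query names are all constructed assumptions.

```python
"""DNS-tunnelling heuristics in the spirit of module 4 (added example, not
GingerMaster's own DNSExfiltrationDetector). Thresholds are illustrative
assumptions and the query names below are constructed."""
import math
import re
from collections import Counter

HEX_LABEL = re.compile(r"^[0-9a-fA-F]{16,}$")
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/_-]{20,}$")   # applied after '=' padding is stripped
VOWELS = set("aeiouy")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def analyze_query(qname):
    """Return (indicators, registrable_domain) for one query name.
    Simplification: the registrable domain is the last two labels (no PSL lookup)."""
    labels = qname.rstrip(".").split(".")
    base = ".".join(labels[-2:]).lower()
    subs = labels[:-2]
    indicators = set()
    for label in subs:
        stripped = label.rstrip("=")
        if HEX_LABEL.match(stripped):                   # hex is a subset of base64: test it first
            indicators.add("hex_subdomain")
        elif BASE64_LABEL.match(stripped) and shannon_entropy(stripped) > 3.5:
            indicators.add("base64_subdomain")
    if len("".join(subs)) > 50:                         # payload split across several labels
        indicators.add("long_subdomain")
    sld = labels[-2] if len(labels) >= 2 else ""
    if len(sld) >= 12 and shannon_entropy(sld) > 3.3:
        vowel_ratio = sum(ch in VOWELS for ch in sld.lower()) / len(sld)
        if vowel_ratio < 0.2:                           # DGA names tend to be consonant-heavy
            indicators.add("dga_like_domain")
    return indicators, base


def is_suspicious(qname):
    return bool(analyze_query(qname)[0])


if __name__ == "__main__":
    for q in ("www.example.com",
              "aGVsbG8gd29ybGQgdGhpcyBpcyBzZWNyZXQ.t.example.net",
              "4142434445464748494a4b4c4d4e4f50.x.example.net",
              "qxzvkwjrtplmbnd.com"):
        print(q, "->", sorted(analyze_query(q)[0]) or "clean")
```

In production these per-query indicators should be aggregated per source host and per registrable domain (query volume, unique-subdomain count), since CDN and telemetry names can trip a single-label check.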
## Architecture

```text
GingerMasterUltra
├── ThreatIntelligence        # IOC feeds and threat data
├── BehavioralAnalyzer        # ML-inspired anomaly detection
├── BeaconDetector            # C2 beaconing pattern analysis
├── DNSExfiltrationDetector   # DNS tunneling detection
├── FilelessMalwareDetector   # In-memory attack detection
├── ProcessInjectionDetector  # Injection technique detection
├── PersistenceDetector       # Persistence mechanism monitoring
└── ForensicsCollector        # Evidence collection and reporting
```
## Contributing

Contributions are welcome! Please feel free to submit a Pull Request.
## Disclaimer

This tool is intended for authorized security testing, defensive security, and educational purposes only. Always obtain proper authorization before running security tools on systems you do not own.
## License

MIT License
## Author

GingerMaster Security Research Team
