CrowdStrike/VirtualGHOST: VirtualGHOST Detection Tool

Source: GitHub

Author: unknown

URL: https://github.com/CrowdStrike/VirtualGHOST

ONE SENTENCE SUMMARY: The repository provides a PowerShell script (Detect-VirtualGHOST.ps1) built on VMware PowerCLI that detects powered-on VMware VMs which are not registered in inventory ("VirtualGHOSTs") and therefore evade the standard management tooling.

MAIN POINTS:

  1. A VirtualGHOST is a VMware VM that was powered on manually from the ESXi command line without being registered in the host's inventory.
  2. Detect-VirtualGHOST.ps1 identifies such VMs by comparing, per hypervisor, the list of VMs registered in inventory against the list of VM processes actually running on the host.
  3. The script takes a "Server" parameter (IP address or DNS name of the ESXi host or vCenter) and a "Credential" parameter for the VMware API connection.
  4. If either parameter is omitted, the script prompts interactively for the missing input.
  5. A positive detection lists the hypervisor, the VM name, the path of the VM configuration file and the VMWorldID.
  6. The script also reports the network connections of any detected VirtualGHOST VM, including its MAC addresses, so the VM can be tied to traffic seen elsewhere.
  7. A negative result explicitly states that no unregistered VMs were found on the hypervisors that were checked.
  8. Because they are absent from inventory, VirtualGHOSTs do not appear in vCenter or the ESXi web UI, so routine management views will not show them.
  9. For forensic collection, SSH into the ESXi host and copy the VM's files manually; the files of a running VM are locked and the unregistered VM cannot be handled through the usual vCenter or datastore-browser workflows.
  10. The vmware*.log files in the VM's directory are key evidence for the follow-up investigation (who powered the VM on, when, and how it was configured).
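The core of the check is the inventory-versus-running comparison in main points 2, 5, 6 and 7. The following is an added example, not code from the VirtualGHOST repository: Find-UnregisteredVM performs that comparison over constructed sample data so it runs without an ESXi host, and Get-VirtualGHOSTReport shows the assumed PowerCLI calls (Connect-VIServer, Get-VMHost, Get-VM, Get-EsxCli -V2 with vm.process.list and network.vm.port.list) that would feed it from a real host. The matching key (VM display name), the property names on the esxcli objects, the `worldid` argument name, the host name and all sample VMs are assumptions for the sake of illustration.

```powershell
# Added example (not the VirtualGHOST project's code): inventory-vs-running
# comparison for a single hypervisor. Inputs are plain objects so the function
# can be exercised offline; see Get-VirtualGHOSTReport for the assumed live path.
function Find-UnregisteredVM {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $InventoryVMs,  # Name, as from Get-VM
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $RunningWorlds, # DisplayName, WorldID, ConfigFile
        [object[]] $PortEntries = @()                                              # WorldID, MACAddress, Portgroup
    )
    # Registered display names, compared case-insensitively.
    $registered = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($vm in $InventoryVMs) { [void]$registered.Add($vm.Name) }

    foreach ($world in $RunningWorlds) {
        if ($registered.Contains($world.DisplayName)) { continue }   # running AND registered: normal
        $ports = @($PortEntries | Where-Object { $_.WorldID -eq $world.WorldID })
        [pscustomobject]@{
            Hypervisor   = $HostName
            VMName       = $world.DisplayName
            ConfigFile   = $world.ConfigFile
            VMWorldID    = $world.WorldID
            MACAddresses = @($ports | ForEach-Object { $_.MACAddress })
            Portgroups   = @($ports | ForEach-Object { $_.Portgroup })
        }
    }
}

# Assumed live collection path (requires the VMware.PowerCLI module and a reachable host).
# Not run in this example; property names on the esxcli objects are assumptions.
function Get-VirtualGHOSTReport {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $null = Connect-VIServer -Server $Server -Credential $Credential
    foreach ($vmhost in Get-VMHost) {
        $esxcli  = Get-EsxCli -VMHost $vmhost -V2
        $running = @($esxcli.vm.process.list.Invoke())          # esxcli vm process list
        $ports   = foreach ($w in $running) {
            try {
                $esxcli.network.vm.port.list.Invoke(@{ worldid = $w.WorldID }) |   # esxcli network vm port list -w
                    ForEach-Object { [pscustomobject]@{ WorldID = $w.WorldID; MACAddress = $_.MACAddress; Portgroup = $_.Portgroup } }
            } catch { }                                          # VM with no network ports
        }
        Find-UnregisteredVM -HostName $vmhost.Name -InventoryVMs @(Get-VM -Location $vmhost) `
                            -RunningWorlds $running -PortEntries @($ports)
    }
}

# Constructed sample data standing in for Get-VM and esxcli output on one host.
$inventory = @(
    [pscustomobject]@{ Name = 'web01' },
    [pscustomobject]@{ Name = 'db01' }
)
$running = @(
    [pscustomobject]@{ DisplayName = 'web01';   WorldID = 2101234; ConfigFile = '/vmfs/volumes/ds1/web01/web01.vmx' },
    [pscustomobject]@{ DisplayName = 'db01';    WorldID = 2101301; ConfigFile = '/vmfs/volumes/ds1/db01/db01.vmx' },
    [pscustomobject]@{ DisplayName = 'maint01'; WorldID = 2109876; ConfigFile = '/vmfs/volumes/ds1/maint01/maint01.vmx' }
)
$ports = @(
    [pscustomobject]@{ WorldID = 2101234; MACAddress = '00:50:56:a1:00:01'; Portgroup = 'VM Network' },
    [pscustomobject]@{ WorldID = 2109876; MACAddress = '00:50:56:a1:ff:ee'; Portgroup = 'VM Network' }
)
$ghosts = @(Find-UnregisteredVM -HostName 'esx01.example.internal' -InventoryVMs $inventory -RunningWorlds $running -PortEntries $ports)
if ($ghosts.Count -eq 0) { 'No unregistered VMs running on esx01.example.internal' }
else { $ghosts | Format-List }   # reports maint01 (VMWorldID 2109876, MAC 00:50:56:a1:ff:ee)
```

With the sample data, web01 and db01 are both running and registered, so only maint01 is reported, together with its config path, World ID and MAC address. The MAC address is what lets you pivot into switch, DHCP or firewall logs for traffic the ghost VM generated, which is the reason the real script prints it.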

TAKEAWAYS:

  1. Regularly run Detect-VirtualGHOST.ps1 to proactively identify hidden VMware VMs in your environment.
  2. Treat any positive result seriously, even though some false positives from normal lifecycle activities may occur.
  3. Preserve the VM files and the vmware*.log files immediately after discovery, before anything is changed, so the forensic record is intact.
  4. Registering the detected VM in inventory via the ESXi web UI and then suspending it preserves its running state to disk and makes it easier to document and examine the VM through the normal tooling.
  5. Engage with community via GitHub issues for script support, as official CrowdStrike support isn’t available.