WraithRun Documentation

WraithRun is a local-first cyber investigation runtime designed for host triage workflows.

Use this documentation to install, run, and operate WraithRun in your own environment.

Start Here

• Getting Started: install and run your first task.
• Usage Examples: copy-paste commands for common workflows.
• CLI Reference: all command-line options.
• Tool Reference: built-in tool behavior and expected outputs.
• Security and Sandbox: policy controls and environment variables.
• CI/CD Integration: run WraithRun in GitHub Actions, GitLab CI, Jenkins.
• Troubleshooting: common errors and fixes.

Investigation Playbooks

Step-by-step guides for common security investigation scenarios.

• Investigate Suspicious SSH Keys
• Triage a Compromised Windows Workstation
• Audit Privileged Accounts After a Credential Leak
• Check for Persistence Mechanisms Post-Breach

Reference

• Plugin API: extend WraithRun with external tool plugins.
• MITRE ATT&CK Mapping: tools mapped to ATT&CK techniques.
• Threat Model: WraithRun's attack surface, trust boundaries, and security controls.
• Sample Report: Linux Persistence
• Sample Report: Windows Triage

Operations and Releases

• Release Plan
• CI/CD Overview
• Upgrade Notes

Source and Releases

• Source repository: https://github.com/Shreyas582/WraithRun
• Releases: https://github.com/Shreyas582/WraithRun/releases