phi-scanner/docs/deployment.md

2026-05-08 17:44:26 -05:00
# GreySec PHI Scanner — Multi-Location Deployment Guide
## Live Test Results
- **Date**: 2026-05-04
- **Target**: DESKTOP-1DHNF5M (192.168.68.15) — Windows 10 lab VM
- **Method**: SMB upload → atsvc DCERPC Task Scheduler → SMB download
- **Auth**: `labuser` / `LabPass123!` (local account, C$ share)
- **Findings**: 2,454 total (4 SSN, 129 DOB, 384 Phone, 4 Email, 1,933 IP)
- **Real PHI**: 4 SSNs from `C:\Users\vagrant\Desktop\Patient_Records.txt` — unauthorized PHI on Desktop
## Deployment Architecture
```
┌─────────────────────────────────────────────────────────┐
│     GreySec PHI Scanner — Multi-Location Deployment     │
├─────────────────────────────────────────────────────────┤
│                                                         │
│   ┌──────────┐     ┌──────────┐     ┌──────────┐        │
│   │ Location │     │ Location │     │ Location │        │
│   │    A     │     │    B     │     │    C     │        │
│   │   (HQ)   │     │ (Branch) │     │ (Cloud)  │        │
│   │          │     │          │     │          │        │
│   │ Win/Linux│     │ Win/Linux│     │  Azure/  │        │
│   │ DBs/Host │     │ DBs/Host │     │   AWS    │        │
│   └────┬─────┘     └────┬─────┘     └────┬─────┘        │
│        │                │                │              │
│        └────────────────┴────────────────┘              │
│                         │                               │
│             ┌───────────▼───────────┐                   │
│             │   Central Reporting   │                   │
│             │  (Supabase/GreySec)   │                   │
│             └───────────────────────┘                   │
└─────────────────────────────────────────────────────────┘
```
## Per-Location Package Structure
```
greysec-phi-scanner/
├── configs/
│   ├── location_hq.yaml       # HQ — domain join, multiple hosts
│   ├── location_cloud.yaml    # AWS/Azure cloud targets
│   └── location_branch.yaml   # Workgroup, local auth
├── scripts/
│   ├── scan_files.py          # Local file system scan
│   ├── scan_db.py             # Database (MSSQL/PostgreSQL)
│   ├── scan_windows.py        # Windows remote via atsvc
│   └── aggregate.py           # Merge all location results
├── reports/                   # Output reports per location
└── credentials.env            # Secrets (not in git)
```
## Installation
### Linux/macOS
```bash
pip install greysec-phi-scanner
# or from source:
cd greysec-phi-scanner
pip install -e .
```
### Kali (Remote Deployment)
```bash
# Install dependencies
apt install python3-impacket python3-smbclient
# Run file scan
greysec-phi scan /mnt/shared/patient_data --output reports/hq_scan.json
# Run Windows remote scan
greysec-phi scan-windows --host 192.168.1.10 --user administrator --pass P@ssw0rd!
```
## Windows Remote Scanning
### Requirements
- SMB (445) access to target
- Local or domain credentials with administrative access
- Task Scheduler service running (enabled by default on all Windows versions)
### Authentication Options
**Option 1 — Local Account (tested, working)**
```yaml
host: 192.168.68.15
username: labuser
password: LabPass123!
domain: "" # local account, no domain
share: C$
```
**Option 2 — Domain Account**
```yaml
host: 192.168.1.10
username: scanagent
password: ServicePass123!
domain: CONTOSO
share: C$
```
### Remote Execution Method: atsvc DCERPC
The scanner uses the Windows Task Scheduler API via the `atsvc` named pipe. This:
- Does NOT require WinRM
- Does NOT require persistent agent installation
- Works on all Windows versions (Vista through 2025)
- Runs as SYSTEM (highest privilege)
```
Flow: SMB connect → atsvc RPC bind → SchRpcRegisterTask → SchRpcRun → results file
```
### PowerShell Agent Script
The scanner deploys a lightweight PowerShell agent to the target:
- Writes to `C:\tmp\greysec_phi\`
- Scans: `%USERPROFILE%`, `%APPDATA%`, `C:\Users`, `C:\ProgramData`, `C:\inetpub`, `C:\Windows\System32\config`, `C:\tmp`
- Extensions: `*.txt, *.csv, *.log, *.json, *.xml, *.doc, *.docx, *.xls, *.xlsx, *.pdf, *.mdb, *.accdb, *.sql, *.cfg, *.ini, *.dat, *.bak`
- Max file size: 50MB
- Results written to `C:\tmp\phi_scan_results.json`
- Pulled back via SMB
### Known Limitations
- **C$ share required**: Must have write access to the administrative share
- **Local accounts**: `ERROR_NONE_MAPPED` — use `S-1-5-18` (SYSTEM SID) in task XML to avoid account lookup
- **No WinRM**: Uses atsvc/Task Scheduler instead
- **Execution method**: `TASK_LOGON_SERVICE_ACCOUNT` (5) for SYSTEM tasks
## Database Scanning (MSSQL / PostgreSQL)
```bash
# MSSQL
greysec-phi scan-db \
  --engine mssql \
  --host 192.168.1.20 \
  --database PatientRecords \
  --user sa --password "DBPass123!"

# PostgreSQL
greysec-phi scan-db \
  --engine postgresql \
  --host 192.168.1.21 \
  --database health_records \
  --user postgres --password "Postgres123!"
```
### Database Patterns Detected
| PHI Type | Pattern |
|----------|---------|
| SSN | `\b\d{3}[-\s]\d{2}[-\s]\d{4}\b` |
| MRN | `\b(MRN\|Medical Record\|EHR\|ID)[:\s#]*\d{6,10}\b` |
| DOB | `\b(0[1-9]\|1[0-2])[/.-](0[1-9]\|[12]\d\|3[01])[/.-](19\|20)\d{2}\b` |
| Email | `\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b` |
| Phone | `\b(\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b` |
| IP | `\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b` |
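The patterns from the table above applied end to end, as an added example that is not part of the GreySec PHI Scanner package: it also applies the agent's extension allowlist and 50 MB cap from the PowerShell agent section to file selection. The sample text is constructed, and the email TLD class is written as `[A-Za-z]` (a literal `|` inside the class would otherwise match a pipe character).

```python
# Added example, not the scanner's own code: table patterns + agent file rules
# run over a constructed sample so the per-type counts can be checked by hand.
import re
from collections import Counter
from pathlib import Path

# Regexes from the pattern table (alternations written as non-capturing groups).
PHI_PATTERNS = {
    "SSN": r"\b\d{3}[-\s]\d{2}[-\s]\d{4}\b",
    "MRN": r"\b(?:MRN|Medical Record|EHR|ID)[:\s#]*\d{6,10}\b",
    "DOB": r"\b(?:0[1-9]|1[0-2])[/.-](?:0[1-9]|[12]\d|3[01])[/.-](?:19|20)\d{2}\b",
    "Email": r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b",
    "Phone": r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b",
    "IP": r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b",
}
COMPILED = {name: re.compile(pat) for name, pat in PHI_PATTERNS.items()}

# File selection rules taken from the PowerShell agent description.
SCAN_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".xml", ".doc", ".docx", ".xls",
                   ".xlsx", ".pdf", ".mdb", ".accdb", ".sql", ".cfg", ".ini", ".dat", ".bak"}
MAX_FILE_BYTES = 50 * 1024 * 1024

# Constructed sample (no real data): one fake patient record and one web-server log line.
SAMPLE_TEXT = """\
Patient: Jane Doe  MRN: 00123456  DOB: 03/14/1975
SSN: 123-45-6789  Phone: 555-010-2000  Email: jane.doe@example.org
2026-05-04 10:02:11 client 192.168.68.15 GET /portal/records 200
"""


def should_scan(path: Path, size_bytes: int) -> bool:
    """Apply the agent's extension allowlist and maximum file size."""
    return path.suffix.lower() in SCAN_EXTENSIONS and size_bytes <= MAX_FILE_BYTES


def scan_text(text: str) -> dict[str, list[str]]:
    """Every match per PHI type, in document order. Plain text only: Office and
    PDF files would need their text extracted before being passed here."""
    return {name: [m.group(0) for m in rx.finditer(text)] for name, rx in COMPILED.items()}


def summarize(findings: dict[str, list[str]]) -> dict[str, int]:
    """Per-type counts, in the shape of the 'Findings' line of the live test results."""
    return dict(Counter({name: len(hits) for name, hits in findings.items() if hits}))


if __name__ == "__main__":
    print(summarize(scan_text(SAMPLE_TEXT)))
```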
## Multi-Location Orchestration
```python
# Example: Scan multiple locations from central server
from greysec_phi_scanner import orchestrator

locations = [
    {"name": "hq", "config": "configs/hq.yaml"},
    {"name": "branch_east", "config": "configs/branch_east.yaml"},
    {"name": "cloud_west", "config": "configs/cloud_west.yaml"},
]
results = orchestrator.scan_all(locations)
orchestrator.generate_report(results, "reports/global_phi_audit.html")
```
## CI/CD Integration
```yaml
# GitHub Actions — scan on merge to main
- name: PHI Scanner
  run: |
    pip install greysec-phi-scanner
    greysec-phi scan ./data --output scan_results.json
    greysec-phi report scan_results.json --format html --output phi_report.html
  secrets: phi_scanner_credentials
```
## Environment Variables
| Variable | Description |
|----------|-------------|
| `PHI_SCANNER_DB_HOST` | Database host for centralized inventory |
| `PHI_SCANNER_SUPABASE_URL` | Supabase project URL |
| `PHI_SCANNER_SUPABASE_KEY` | Supabase API key |
| `PHI_SCANNER_LOCATIONS` | Comma-separated list of location IDs |
## Supabase Schema (for centralized tracking)
```sql
-- See: greysec/phi-scanner/src/inventory/db.py
-- Tables: scan_runs, findings, hosts, locations
```
## Quick Start
```bash
# 1. Install
pip install greysec-phi-scanner
# 2. File scan
greysec-phi scan /path/to/patient/data --output results.json
# 3. Generate HTML report
greysec-phi report results.json --format html --output report.html
# 4. Windows remote scan
greysec-phi scan-windows --host 192.168.1.10 --user admin --pass P@ss --share C$
# 5. Database scan
greysec-phi scan-db --engine mssql --host dbserver --database EHR --user sa --pass pass
```