Skip to main content
Currently, two different C2 frameworks can easily integrate with Ghostwriter’s GraphQL API: Mythic and Cobalt Strike. These utilities automatically create and update log entries. You can also write scripts to integrate other frameworks and tools. All you need to get started is an automation token.

Obtaining an Automation Token

For operation-log syncing, prefer a scoped service token when the integration supports it. A service token can be limited to one operation log and its entries, so the automation does not inherit all permissions from the user who created the token. Use an API token only when the automation should act as your user account and inherit your current permissions. For custom logging tools, you can also consider using the login action with the API, but generated API tokens or service tokens are usually a better fit for long-running automation. Read more about this process here:

Authentication

User Profile and Tokens

Setting up Syncing with Cobalt Strike

GitHub - GhostManager/cobalt_sync

Logo Standalone Cobalt Strike operation logging Aggressor script for Ghostwriter 2.0+
Clone the cobalt_sync project to your Cobalt Strike team server and follow the instructions contained in the README to enable syncing for each Cobalt Strike team server you deploy.
Note: Cobalt Strike does not associate console output with the original command. Therefore, cobalt_sync cannot automatically complete the output fields for log entries. Job IDs may be available for CObalt Strike in the future.

Setting up Syncing with Mythic

GitHub - GhostManager/mythic_sync

Logo Standalone Mythic C2 operation logging script for Ghostwriter v2.0+
Clone the mythic_sync project to your Mythic C2 server and follow the instructions contained in the README to enable syncing for each Mythic server you deploy.
Note: Since Mythic associates output with the original command, the mythic_sync project will retroactively update previous log entries when output is received. This will overwrite any additional context added to the original entry within Ghostwriter before the new output was received.