Setting up Automated Logging
Configuring the API endpoint for automatic activity logging
We currently maintain integrations for two C2 frameworks, Mythic and Cobalt Strike, that use the Ghostwriter REST API to create and update log entries automatically.
API Key Created Automatically with a New Log
A new Ghostwriter API key is displayed automatically when you create a new log. Save this key for configuration with the C2 syncing tools outlined below. If you missed this or have lost your API key, an administrator can follow the steps outlined in the next section to create a new key manually.
To use any automated logging solution, you need an API key, and only an administrator can create one. First, navigate to the admin panel and click the "Add" button in the API keys row.
You will be presented with a basic form that requires a name and, optionally, an expiration date. Set the appropriate fields and click Save.
Once you hit Save, a green toast message will appear and present you with the API key. This is the only time the plaintext API key is shown, so record it before you navigate away! Also note that the period at the end of the toast message is sentence punctuation, not part of the key, and must not be included when you configure the syncing tools.
Clone the cobalt_sync project to your Cobalt Strike team server and follow the instructions contained in the README to enable syncing for each Cobalt Strike team server you deploy.
To integrate Cobalt Strike with the Ghostwriter Oplog API, we have released a server-side Aggressor script that posts every command to the Ghostwriter server. Clone the oplog.cna script to your team server and make sure it is loaded by agscript. The file contains a series of placeholder Ghostwriter variables that you must set:
- $oplog::GhostwriterOplogURL - The base URL of the Ghostwriter server without any paths or trailing "/" (e.g., https://ghostwriter.contoso.com)
- $oplog::GhostwriterOplogID - This needs to be set to the corresponding Oplog ID
- $oplog::GhostwriterOplogAPIKey - This needs to be set to the API key generated above
Once agscript has loaded the script, every command entered in an interactive Beacon is forwarded to Ghostwriter and displayed immediately in the Oplog table.
- The original gist for oplog-sync.cna, released with Ghostwriter 2.0, is located at https://gist.github.com/hotnops/e19a42a792950f4ef996d75a6e1bae35, but it is no longer updated.
Note: Cobalt Strike does not associate console output with the command that produced it, so the Aggressor script can record only the command. The output field of each Oplog entry it creates must be filled in manually.
Clone the mythic_sync project to your Mythic C2 server and follow the instructions contained in the README to enable syncing for each Mythic server you deploy.
Note: Because Mythic associates output with the original command, mythic_sync retroactively updates the existing Oplog entry when output is received. This overwrites any additional context added to that entry within Ghostwriter before the output arrived, so wait until a command's output has synced before editing its entry.
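The two sync flows described above share one shape: create an entry when a command is issued (all Cobalt Strike can do) and, where the C2 ties output back to the command (Mythic), update that entry later. The following is an added example, written for this page and not code from the cobalt_sync, mythic_sync or Ghostwriter projects, that shows that shape as a small client. It assumes the Ghostwriter 2.x REST API layout (entries created with POST at /oplog/api/entries/ and updated with PATCH at /oplog/api/entries/<id>/, the key sent as `Authorization: Api-Key <key>`, and the OplogEntry field names oplog_id, start_date, end_date, source_ip, dest_ip, tool, user_context, command, description, output, comments and operator_name); none of these details appear on this page, so check them against your Ghostwriter version. It also applies the two configuration rules stated above: the base URL carries no trailing "/" and the trailing period from the toast message is not part of the key. `FakeServer` is a constructed in-memory stand-in so the example runs offline; pass no transport to talk to a real server.

```python
"""Minimal Ghostwriter Oplog REST client (added example, not project code).

ASSUMPTIONS, not stated on the page: endpoint paths, the Api-Key header
scheme and the JSON field names follow the Ghostwriter 2.x REST API.
"""
import json
import urllib.request
from datetime import datetime, timezone


def normalize_api_key(raw):
    """Drop whitespace and the trailing period the toast message appends;
    the period is punctuation, not part of the key."""
    key = raw.strip()
    return key[:-1] if key.endswith(".") else key


def normalize_base_url(url):
    """The script variables expect the bare server URL with no trailing '/'."""
    return url.strip().rstrip("/")


def _http_transport(method, url, headers, body):
    """Real transport: send the request, return (status, parsed JSON)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read() or b"null")


class OplogClient:
    def __init__(self, base_url, oplog_id, api_key, transport=_http_transport):
        self.base_url = normalize_base_url(base_url)
        self.oplog_id = oplog_id
        self.api_key = normalize_api_key(api_key)
        self.transport = transport
        self.entries_url = f"{self.base_url}/oplog/api/entries/"  # assumed path

    def _headers(self):
        return {"Authorization": f"Api-Key {self.api_key}",  # assumed scheme
                "Content-Type": "application/json"}

    def log_command(self, command, operator, tool, source_ip="", dest_ip="",
                    user_context="", timestamp=None):
        """Create an entry as the command is issued. Output is left empty:
        this is all the Cobalt Strike flow can provide."""
        ts = (timestamp or datetime.now(timezone.utc)).isoformat()
        body = {"oplog_id": self.oplog_id, "start_date": ts, "end_date": ts,
                "source_ip": source_ip, "dest_ip": dest_ip, "tool": tool,
                "user_context": user_context, "command": command,
                "description": "", "output": "", "comments": "",
                "operator_name": operator}
        status, resp = self.transport("POST", self.entries_url, self._headers(), body)
        if status != 201:
            raise RuntimeError(f"create failed: HTTP {status}")
        return resp["id"]

    def attach_output(self, entry_id, output):
        """Retroactively fill the output field (the Mythic flow). Sending a
        partial update with only 'output' leaves other fields untouched,
        assuming the endpoint honours PATCH semantics."""
        status, resp = self.transport("PATCH", f"{self.entries_url}{entry_id}/",
                                      self._headers(), {"output": output})
        if status != 200:
            raise RuntimeError(f"update failed: HTTP {status}")
        return resp


class FakeServer:
    """Constructed offline stand-in for the API; stores entries by id."""
    def __init__(self):
        self.entries, self.next_id = {}, 1

    def __call__(self, method, url, headers, body):
        if not headers.get("Authorization", "").startswith("Api-Key "):
            return 401, {"detail": "Authentication credentials were not provided."}
        if method == "POST":
            entry = dict(body, id=self.next_id)
            self.entries[self.next_id] = entry
            self.next_id += 1
            return 201, entry
        if method == "PATCH":
            entry_id = int(url.rstrip("/").rsplit("/", 1)[1])
            self.entries[entry_id].update(body)
            return 200, self.entries[entry_id]
        return 405, {}


def demo():
    """Command logged first; operator adds a comment in Ghostwriter (simulated
    by editing the stored entry); output arrives later and is attached."""
    server = FakeServer()
    client = OplogClient("https://ghostwriter.contoso.com/", 7,
                         "abc123.SECRETPART.", transport=server)  # constructed key
    entry_id = client.log_command("shell whoami /all", operator="operator1",
                                  tool="beacon", dest_ip="10.0.0.5")
    server.entries[entry_id]["comments"] = "Manually added context"
    client.attach_output(entry_id, "nt authority\\system")
    return server.entries[entry_id]


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With a real server, construct `OplogClient(url, oplog_id, key)` without the `transport` argument; the two normalisers mean a key or URL pasted straight from the Ghostwriter UI still works.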