Setting up Automated Logging

Configuring the API endpoint for automatic activity logging

Currently, two different C2 frameworks can easily integrate with Ghostwriter's GraphQL API: Mythic and Cobalt Strike. These utilities automatically create and update log entries.

You can also write scripts to integrate other frameworks and tools. All you need to get started is an API token.

Obtaining an API Token

To get started logging, you need an API token. To use the utilities mentioned below, you will want to generate an API token with an expiration date. For custom logging tools, you can consider using the login action with the API.

Read more about this process on the Authentication page.

Setting up Syncing with Cobalt Strike

Clone the cobalt_sync project to your Cobalt Strike team server and follow the instructions contained in the README to enable syncing for each Cobalt Strike team server you deploy.

Note: Cobalt Strike does not associate console output with the original command. Therefore, cobalt_sync cannot automatically complete the output fields for log entries. Job IDs may be available for Cobalt Strike in the future.

Setting up Syncing with Mythic

Clone the mythic_sync project to your Mythic C2 server and follow the instructions contained in the README to enable syncing for each Mythic server you deploy.

Note: Since Mythic associates output with the original command, the mythic_sync project will retroactively update previous log entries when output is received. This will overwrite any additional context added to the original entry within Ghostwriter before the new output was received.
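For a custom logging script, one way to avoid the overwrite described in the note above is to send only the fields the tool owns when output arrives late. This is an added example, not code from mythic_sync or Ghostwriter; the mutation names, column names and environment variable names are assumptions to check against your instance's GraphQL schema.

```python
import json
import os
import urllib.request

# Assumed names: Hasura-style mutations and camelCase columns for Ghostwriter's
# oplogEntry table. Confirm against your instance's schema before use.
INSERT = """mutation ($entry: oplogEntry_insert_input!) {
  insert_oplogEntry_one(object: $entry) { id }
}"""
UPDATE = """mutation ($id: bigint!, $set: oplogEntry_set_input!) {
  update_oplogEntry_by_pk(pk_columns: {id: $id}, _set: $set) { id }
}"""

# Fields the sync tool owns. Anything else (e.g. comments, description) may
# have been edited by an operator in Ghostwriter and is never sent on update.
TOOL_OWNED = ("output", "endDate")


def build_insert(oplog_id, command, operator, tool, start):
    """Request body that creates a log entry when a command is issued."""
    entry = {"oplog": oplog_id, "command": command, "operatorName": operator,
             "tool": tool, "startDate": start}
    return {"query": INSERT, "variables": {"entry": entry}}


def build_output_update(entry_id, changes):
    """Request body for late-arriving output; drops non-tool-owned fields."""
    patch = {k: v for k, v in changes.items() if k in TOOL_OWNED}
    if not patch:
        return None  # nothing safe to write, so send no request
    return {"query": UPDATE, "variables": {"id": entry_id, "set": patch}}


def send(body, url=None, token=None):
    """POST a body; URL and token come from the environment, never the script."""
    url = url or os.environ["GHOSTWRITER_GRAPHQL_URL"]      # hypothetical var
    token = token or os.environ["GHOSTWRITER_API_TOKEN"]    # hypothetical var
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers={
        "Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        reply = json.load(resp)
    if "errors" in reply:  # GraphQL reports failures in the body, often with HTTP 200
        raise RuntimeError(reply["errors"])
    return reply["data"]
```

Reading the token from the environment keeps it out of the script and its version history, and pairs well with the expiring tokens recommended above.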
