Setting up automated logging

There are currently two different C2 frameworks that use the Ghostwriter REST API to automatically create and update commands.

Creating an API Key

To use any automated logging solution, you will first need to create an API key. You must be an admin to do this. First, navigate to the admin panel and click on the "Add" button in the API keys row.

You will be presented with a basic form that requires a name and optionally an expiration date. Set the appropriate fields and click save.

Once you hit save, a green toast message will appear and present you with the API key. This is the only time you will be presented with the plaintext API key, so write it down before you navigate away! Also, the period that follows the API key in the message is not part of the key and shouldn't be included.

Setting up CobaltStrike

To integrate CobaltStrike with the Ghostwriter oplog API, we have released a server-side Aggressor script that will post any command to the Ghostwriter server. To set this up, check out the oplog.cna script and make sure that it is loaded by agscript. At the top of the script, there are three Ghostwriter variables that need to be set:

  • oplog_id - This needs to be set to the corresponding oplog id

  • api_key - This needs to be set to the API key generated above

  • url - The base URL of the Ghostwriter server without any paths (e.g. https://ghostwriter.contoso.com)

Once the script is loaded by agscript, every command entered in an interactive beacon will be forwarded to Ghostwriter and immediately displayed in the oplog table.
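A pre-flight check for the three values before they are pasted into oplog.cna, written as an added example and not part of the Ghostwriter project or the oplog.cna script. The function name is hypothetical, the sample values are constructed, and a numeric oplog id is an assumption.

```python
from urllib.parse import urlsplit


def check_oplog_settings(url, api_key, oplog_id):
    """Return a list of problems found in the three oplog.cna settings."""
    problems = []

    # url: must match the documented form, e.g. https://ghostwriter.contoso.com
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("url: use https so the API key is not sent in cleartext")
    if not parts.hostname:
        problems.append("url: no hostname found")
    if parts.path or parts.query or parts.fragment:
        problems.append("url: remove everything after the host name")

    # api_key: the period that ends the toast message is not part of the key
    if not api_key:
        problems.append("api_key: empty")
    elif any(c.isspace() for c in api_key):
        problems.append("api_key: contains whitespace from copy and paste")
    elif api_key.endswith("."):
        problems.append("api_key: trailing period copied from the toast message")

    # oplog_id: assumed here to be a positive integer
    text = str(oplog_id).strip()
    if not text.isdecimal() or int(text) < 1:
        problems.append("oplog_id: expected a positive integer")

    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    samples = [
        ("https://ghostwriter.contoso.com", "CONSTRUCTED.samplekey", 7),
        ("http://ghostwriter.contoso.com/oplog/", "CONSTRUCTED.samplekey.", "abc"),
    ]
    for url, key, oplog in samples:
        found = check_oplog_settings(url, key, oplog)
        print(url, "->", found or "ok")
```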

Setting up Mythic

To sync with Mythic, you need to check out the mythic_sync project on GitHub and follow the instructions contained in the README.
