Setting up Automated Logging
Configuring the API endpoint for automatic activity logging
Currently, two different C2 frameworks can easily integrate with Ghostwriter's GraphQL API: Mythic and Cobalt Strike. These utilities automatically create and update log entries.
You can also write scripts to integrate other frameworks and tools. All you need to get started if an API token.
Obtaining an API Token
To get started logging you need an API token. To use the utilities mentioned below you will want to generate an API token with an expiration date. For custom logging tools, you can consider using the login
action with the API.
Read more about this process here:
AuthenticationSetting up Syncing with Cobalt Strike
Clone the cobalt_sync project to your Cobalt Strike team server and follow the instructions contained in the README to enable syncing for each Cobalt Strike team server you deploy.
Note: Cobalt Strike does not associate console output with the original command. Therefore, cobalt_sync cannot automatically complete the output fields for log entries. Job IDs may be available for CObalt Strike in the future.
Setting up Syncing with Mythic
Clone the mythic_sync project to your Mythic C2 server and follow the instructions contained in the README to enable syncing for each Mythic server you deploy.
Note: Since Mythic associates output with the original command, the mythic_sync project will retroactively update previous log entries when output is received. This will overwrite any additional context added to the original entry within Ghostwriter before the new output was received.
Last updated