Setting up Automated Logging

Configuring the API endpoint for automatic activity logging

There are currently two different C2 frameworks we've built integrations for (Mythic and Cobalt Strike) that use the Ghostwriter REST API to automatically create and update oplog entries.

Obtaining an API Key

A new Ghostwriter API key is displayed automatically for you when you finish Creating a new oplog. Be sure to save this key for configuration with the C2 syncing tools outlined below. If you missed this or have lost your API key, an administrator can follow the steps outlined in the next section to manually create a new key.

Creating a New API Key

In order to use any automated logging solution, you will first need to create an API key. You must be admin to do this. First, navigate to the admin panel and click on the "Add" button in the API keys row.

You will be presented with a basic form that requires a name and optionally an expiration date. Set the appropriate fields and click save.

Once you hit save, a green toast message will appear and present you with the API key. This is the only time you will be presented with the plaintext API key, so write it down before you navigate away! Also, the period at the end of the API key is not a part of the API key and shouldn't be included.

Setting up Syncing with Cobalt Strike

To integrate CobaltStrike with the Ghostwriter oplog API, we have released a server side aggressor script that will post any command to the Ghostwriter server. In order to set this up, download the oplog.cna script to your teamserver and make sure that it is loaded by agscript. In this file, there are a series of placeholder Ghostwriter variables that you must set. These variables include:

  • oplog_id - This needs to be set to the corresponding oplog id

  • api_key - This needs to be set to the API key generated above

  • url - The base URL of the Ghostwriter server without any paths (e.g. https://ghostwriter.contoso.com)

Once the script is loaded by agscript, every command entered in an interactive beacon will be forwarded to Ghostwriter and immediately displayed in the oplog table.

Note: Cobalt Strike does not associate console output with the original command. Therefore, the aggressor script is unable to automatically complete the output fields for oplog entries.

Setting up Syncing with Mythic

Clone the mythic_sync project to your Mythic C2 server and follow the instructions contained in the README to enable syncing for each Mythic server you deploy.

Note: Since Mythic associates output with the original command, the mythic_sync project will retroactively update previous oplog entries when output is received.