Skip to content

Standalone Cobalt Strike operation logging Aggressor script for Ghostwriter 2.0+

License

Notifications You must be signed in to change notification settings

GhostManager/cobalt_sync

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

cobalt_sync

Sponsored by SpecterOps

Python Version License GitHub Release (Latest by Date) GitHub Release Date

The cobalt_sync is a standalone utility that connects to an instance of Ghostwriter (>=v4.0.0) for automated activity logging.

The current version of cobalt_sync requires Ghostwriter >=v4.0. If you need to use Ghostwriter v3, please use the v1.x releases.

Authors: Daniel Heinsen, Andrew Chiles, Cody Thomas, and Christopher Maddalena of SpecterOps

Usage

Getting Started

To authenticate to your instances of Ghostwriter, you will need this information handy:

  • Ghostwriter URL
  • Ghostwriter GraphQL API token
  • Ghostwriter log ID

Ghostwriter API Token & Activity Log

You can get your log's ID by opening the log's webpage and looking at the top of the page. You'll see "Oplog ID #" followed by a number. That's the ID number you need.

To generate an API token for your Ghostwriter instance, visit your user profile and click on the "Create" button in the "API Tokens" section.

The token must be attached to an account that has access to the project containing your target log. You can read more about the authorization controls on the Ghostwriter wiki.

Configuration

  1. Modify variables in .env file with the appropriate values for your environment.

    GHOSTWRITER_API_KEY=""
    GHOSTWRITER_URL=""
    GHOSTWRITER_OPLOG_ID=""
    COBALT_PARSER_COMMAND="monitor /logs -s http://cobalt_web:9000 --onlyHashes --reprocess"
    COBALT_LOGS_PATH="/opt/cobaltstrike/server/logs"
    • GHOSTWRITER_API_KEY is the API key for your Ghostwriter instance. This is used to authenticate to the GraphQL API.
    • GHOSTWRITER_URL is the URL for your Ghostwriter instance (e.g., https://ghostwriter.local). This is used to authenticate to the GraphQL API.
    • COBALT_LOGS_PATH is the path to where the logs are that you want to monitor. This folder gets mounted into the cobalt_sync-cobalt_parser-1 container as /logs
    • COBALT_PARSER_COMMAND is the command for the cobalt-parser to run inside the Golang container. By default, this monitors the logs directory for changes and syncs all events to the internal cobalt_web service that's running. This will also reprocess all the files every night at midnight.
  2. Start docker compose with sudo docker compose up --build -d (to stop, run sudo docker compose down). To view output, use the following:

    • sudo docker logs --follow cobalt_sync-cobalt_web-1 (viewing the logs of the python web server that posts to Ghostwriter)
    • sudo docker logs --follow cobalt_sync-cobalt_parser-1 (viewing the logs of the golang file parser and monitor for cobalt strike logs)
    • sudo docker logs --follow cobalt_sync-redis-1 (viewing the logs of the redis container)
  3. Verify a new entry was created in your Ghostwriter activity log. If not, check your Event Log and script console for connection or authentication errors.

Troubleshooting

  • Ensure the team server where cobalt_sync is running has network access to Ghostwriter.
  • Ensure the GHOSTWRITER_OPLOG_ID and your GHOSTWRITER_API_KEY values are correct for the provided Ghostwriter URL.

References