Standalone Cobalt Strike Operation Logging Aggressor script for Ghostwriter 2.0+
Authors: Daniel Heinsen and Andrew Chiles of SpecterOps
-
Modify variables in
oplog.cnawith the appropriate values for your environment.########################################### $oplog::GhostwriterOplogURL = "<https://ghostwriter.local>"; # No trailing / $oplog::GhostwriterOplogID = "<ID>"; $oplog::GhostwriterOplogAPIKey = "<API KEY>"; ########################################### -
Execute
oplog.cnavia agscript on your teamserver to report activity from all operators on the teamserver. -
Verify a new entry was created in your Ghostwriter oplog. If not, check your Event Log and script console for connection or authentication errors.
- Ensure the teamserver where cobalt_sync (oplog.cna) is running has network access to Ghostwriter.
- Ensure the OplogID and OplogAPI key are correct for the provided Ghostwriter URL
- Ghostwriter - Engagement Management and Reporting Platform
- Ghostwriter's Official Documentation - Operation Logging w/ Ghostwriter - Guidance on operation logging setup and usage with Ghostwriter
- Blog - Updates to Ghostwriter: UI and Operation Logs - Initial announcement of the operation logging features in Ghostwriter