cobalt_sync
cobalt_sync is a standalone utility that connects to an instance of Ghostwriter (>=v4.0.0) for automated activity logging.
The current version of cobalt_sync requires Ghostwriter >=v4.0. If you need to use Ghostwriter v3, use the v1.x releases.
Authors: Daniel Heinsen, Andrew Chiles, Cody Thomas, and Christopher Maddalena of SpecterOps
Usage
Getting Started
To authenticate to your Ghostwriter instance, you will need this information handy:
- Ghostwriter URL
- Ghostwriter GraphQL API token
- Ghostwriter log ID
Ghostwriter API Token & Activity Log
You can get your log's ID by opening the log's webpage and looking at the top of the page. You'll see "Oplog ID #" followed by a number. That's the ID number you need.
To generate an API token for your Ghostwriter instance, visit your user profile and click on the "Create" button in the "API Tokens" section.
The token must be attached to an account that has access to the project containing your target log. You can read more about the authorization controls on the Ghostwriter wiki.
Configuration
- Modify the variables in the .env file with the appropriate values for your environment:

```sh
GHOSTWRITER_API_KEY=""
GHOSTWRITER_URL=""
GHOSTWRITER_OPLOG_ID=""
COBALT_PARSER_COMMAND="monitor /logs -s http://cobalt_web:9000 --onlyHashes --reprocess"
COBALT_LOGS_PATH="/opt/cobaltstrike/server/logs"
```

  GHOSTWRITER_API_KEY is the API token for your Ghostwriter instance. It is used to authenticate to the GraphQL API.
  GHOSTWRITER_URL is the URL of your Ghostwriter instance (e.g., https://ghostwriter.local). Requests to the GraphQL API are sent to this address.
  GHOSTWRITER_OPLOG_ID is the numeric ID of the activity log that entries are written to (the number after "Oplog ID #" at the top of the log's page).
  COBALT_LOGS_PATH is the path to the logs you want to monitor. This folder is mounted into the cobalt_sync-cobalt_parser-1 container as /logs.
  COBALT_PARSER_COMMAND is the command the cobalt-parser runs inside the Golang container. By default it monitors the logs directory for changes and syncs all events to the internal cobalt_web service. It also reprocesses all the files every night at midnight.
- Start Docker Compose with sudo docker compose up --build -d (to stop, run sudo docker compose down). To view output, use the following:
  sudo docker logs --follow cobalt_sync-cobalt_web-1 (logs of the Python web server that posts to Ghostwriter)
  sudo docker logs --follow cobalt_sync-cobalt_parser-1 (logs of the Golang file parser and monitor for Cobalt Strike logs)
  sudo docker logs --follow cobalt_sync-redis-1 (logs of the Redis container)
- Verify a new entry was created in your Ghostwriter activity log. If not, check your Event Log and Script Console for connection or authentication errors.
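The steps above hinge on four values in .env being right before docker compose starts. The following preflight script is an added example for this README (it is not part of cobalt_sync or Ghostwriter): it parses the .env file without sourcing it, checks that the token is set, that the URL has a scheme, that the log ID is the bare number from the "Oplog ID #" label, and that the log directory to be bind-mounted exists. The optional probe function assumes Ghostwriter exposes its GraphQL API at <GHOSTWRITER_URL>/v1/graphql, accepts the token as a Bearer token, and offers an oplog_by_pk query; those names are assumptions, not something this README states.

```shell
#!/bin/sh
# Preflight check for a cobalt_sync .env file.
# Added example for this README; not part of cobalt_sync or Ghostwriter.
# Assumptions (not stated in the README): Ghostwriter serves GraphQL at
# <GHOSTWRITER_URL>/v1/graphql, takes the API token as a Bearer token, and
# exposes an oplog_by_pk query.

# Print the value of key $2 from a KEY="value" (or KEY=value) line in file $1.
# The file is parsed, not sourced, so a tampered .env cannot run commands here.
env_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"//; s/"$//'
}

# Validate the values cobalt_sync needs. Returns 0 if every check passes and
# 1 otherwise, printing one line per problem so a single run reports them all.
check_env() {
    f="$1"
    rc=0
    [ -f "$f" ] || { echo "missing env file: $f"; return 1; }

    # The file holds the Ghostwriter API token: warn if other users can read it.
    case "$(ls -l "$f" | cut -c8)" in
        r) echo "warning: $f is world-readable; consider: chmod 600 $f" ;;
    esac

    key=$(env_value "$f" GHOSTWRITER_API_KEY)
    url=$(env_value "$f" GHOSTWRITER_URL)
    oplog=$(env_value "$f" GHOSTWRITER_OPLOG_ID)
    logs=$(env_value "$f" COBALT_LOGS_PATH)

    [ -n "$key" ] || { echo "GHOSTWRITER_API_KEY is empty"; rc=1; }

    case "$url" in
        https://*) ;;
        http://*)  echo "warning: GHOSTWRITER_URL uses plain HTTP; the API token travels unencrypted" ;;
        *)         echo "GHOSTWRITER_URL must start with https:// (or http://), got: '$url'"; rc=1 ;;
    esac

    # The log ID is the number after "Oplog ID #" on the log's page: digits only.
    case "$oplog" in
        ''|*[!0-9]*) echo "GHOSTWRITER_OPLOG_ID must be a number, got: '$oplog'"; rc=1 ;;
    esac

    # This directory is bind-mounted into the parser container as /logs.
    [ -d "$logs" ] || { echo "COBALT_LOGS_PATH is not a directory: '$logs'"; rc=1; }

    return $rc
}

# Optional live check (needs network access to Ghostwriter): fetch the log by ID
# so the token and the log ID are both exercised before the containers start.
probe_ghostwriter() {
    f="$1"
    url=$(env_value "$f" GHOSTWRITER_URL)
    key=$(env_value "$f" GHOSTWRITER_API_KEY)
    oplog=$(env_value "$f" GHOSTWRITER_OPLOG_ID)
    curl -sS -X POST "$url/v1/graphql" \
        -H "Authorization: Bearer $key" \
        -H "Content-Type: application/json" \
        -d "{\"query\":\"query { oplog_by_pk(id: $oplog) { id name } }\"}"
    echo
}

# Stand-alone use: ./preflight.sh /path/to/.env [--probe]
if [ -n "${1:-}" ]; then
    check_env "$1" || exit 1
    if [ "${2:-}" = "--probe" ]; then
        probe_ghostwriter "$1"
    fi
fi
```

Run it from the directory holding the .env before docker compose up; a non-zero exit means at least one value would make the sync fail silently (for example an empty token or a pasted "Oplog ID #12" instead of 12). The probe output should name your log; an authentication error there points at the token or its account's project access rather than at the containers.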
Troubleshooting
- Ensure the team server where cobalt_sync is running has network access to Ghostwriter.
- Ensure the GHOSTWRITER_OPLOG_ID and GHOSTWRITER_API_KEY values are correct for the provided Ghostwriter URL.
References
- Ghostwriter - Engagement Management and Reporting Platform
- Ghostwriter's Official Documentation - Operation Logging w/ Ghostwriter - Guidance on operation logging setup and usage with Ghostwriter
- Blog - Updates to Ghostwriter: UI and Operation Logs - Initial announcement of the operation logging features in Ghostwriter